Thursday, November 19, 2009

IPFW: rule-based forwarding disabled

If you want to enable IPFW (or load the module) and you get "rule-based forwarding disabled" in dmesg... and you need forwarding, well, that is just too bad. You will need to enable IPFW forwarding support in the kernel.

Yes, you will have to compile a custom FreeBSD kernel.

It's not that awful, actually.

First off, make sure you have the kernel sources (i.e. in /usr/src/sys).

You will be better off if you run sysinstall beforehand: select "Configure" -> "Distributions" -> "Src" -> select "base" and "sys" and install them.

Right, now you're ready to configure your kernel to support IPFW and forwarding.
cd /usr/src/sys/i386/conf
cp GENERIC NEWKERNEL
vim NEWKERNEL
Here, add the following:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
Now you should be ready to compile the new kernel:
cd /usr/src
make buildkernel KERNCONF=NEWKERNEL
make installkernel KERNCONF=NEWKERNEL
reboot
Once the new kernel is running you need to explicitly enable IPFW and point it at the file containing its rules, so add the following to your /etc/rc.conf:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
The command
# ipfw list
will show you which rules are in effect at the moment.
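As an added example (not the post's own file), here is an /etc/ipfw.rules that actually uses the fwd action the kernel was rebuilt for: it intercepts the LAN's outbound HTTP and hands it to a transparent proxy listening on the firewall itself, then ends with an explicit logged deny. The interface names em0 and ext0, the 192.168.1.0/24 LAN, the proxy on 127.0.0.1:3128, and the assumption that this box is also the LAN's gateway are all placeholders to edit. Two things about the kernel options above are worth knowing when you write this file: IPFIREWALL_DEFAULT_TO_ACCEPT turns the built-in last rule (65535) into an allow, which keeps you from locking yourself out of a remote box between the flush and the reload, but it also means a rules file that forgets its own final deny leaves the host wide open (rule 65000 below restores default-deny), and IPFIREWALL_VERBOSE_LIMIT=5 caps the number of packets each logging rule writes to syslog, so the final "deny log" will not flood /var/log/security.

```sh
#!/bin/sh
# Example /etc/ipfw.rules (added illustration, not the post's own file).
# Assumed topology: em0 faces the LAN 192.168.1.0/24, ext0 faces the outside,
# the box is the LAN's gateway, and a transparent HTTP proxy (e.g. squid in
# intercept mode) listens on 127.0.0.1:3128.  Edit these for your host.
LAN_IF="em0"
EXT_IF="ext0"
LAN_NET="192.168.1.0/24"
PROXY="127.0.0.1,3128"        # ipfw "fwd" target is written addr,port

IPFW="${IPFW:-/sbin/ipfw}"    # path to the ipfw binary

# The rule set, one ipfw argument list per line.  Keeping it in a function
# lets you preview exactly what will be loaded with:  sh /etc/ipfw.rules
fw_rules() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 fwd ${PROXY} tcp from ${LAN_NET} to any 80 in via ${LAN_IF}
add 300 allow tcp from any to any established
add 310 allow ip from ${LAN_NET} to any in via ${LAN_IF}
add 320 allow ip from any to any out via ${EXT_IF}
add 330 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}
# Rule 200 is the one that needs IPFIREWALL_FORWARD: a LAN client's packet to
# port 80 is delivered to the local proxy socket instead of being routed on.
# fwd is a terminating action, so rules 310/320 never see that traffic.
# Rule 65000 makes the policy default-deny even though the kernel was built
# with IPFIREWALL_DEFAULT_TO_ACCEPT; the log keyword is capped per rule by
# IPFIREWALL_VERBOSE_LIMIT (net.inet.ip.fw.verbose_limit at run time).

# Number of lines fw_rules emits (handy for a sanity check before reload).
rule_count() {
    fw_rules | wc -l | tr -d ' '
}

# Load the rules.  $line is deliberately unquoted so each rule is split into
# separate arguments for ipfw; the rules contain no glob characters.
apply_rules() {
    fw_rules | while read -r line; do
        # shellcheck disable=SC2086
        "$IPFW" -q $line
    done
}

if command -v "$IPFW" >/dev/null 2>&1; then
    apply_rules
else
    # Not on a host with ipfw (e.g. reviewing this script elsewhere):
    # show what would be loaded instead of failing.
    echo "$IPFW not found; rules that would be loaded:" >&2
    fw_rules >&2
fi
```

After a reboot (or `service ipfw restart` / `/etc/rc.d/ipfw restart`), `ipfw list` should print the ten rules above plus the kernel's own 65535; if you see 65535 as "allow ip from any to any" and no rule 65000, the script did not load and the host is relying on IPFIREWALL_DEFAULT_TO_ACCEPT alone.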

Further reading:
