# The IPFW that wouldn't die.



## filson (Dec 27, 2013)

Hello everyone.

I'm fiddling a bit about with IPFW on FreeBSD 9.2. In essence, I'd like it not to load, preferring PF instead. As I'm pretty new to BSD, I've currently come to the understanding that if /etc/defaults/rc.conf contains `firewall_enable="NO"` and /etc/rc.conf does not contain `firewall_enable="YES"`, IPFW should not load at all.

In fact, my rc.conf only contains

```
hostname="BSD"
keymap="uk.dvorak.kbd"
powered_enable="YES"
dumpdev="NO"
zfs_enable="YES"
```

The remaining lines have been commented out with #.

Despite this, at startup the machine will list an ipfw0 device when going through the network cards. If ipfw is queried using `ipfw list` it'll respond with `65535 deny ip from any to any`, even if I add `firewall_enable="NO"` in the /etc/rc.conf and reboot the machine. This is a fairly new installation and to be honest, I didn't get the ipfw0 device till I, at one point, enabled it in rc.conf.
Now it just doesn't want to stay down.

Please help. I have no clue why I can't control the loading of IPFW.

Filson.


----------



## wblock@ (Dec 27, 2013)

IPFW has a couple of parts.  One is the kernel module, ipfw(4).  If that kernel module is not loaded in /boot/loader.conf, ipfw(8) (the command) can't do anything.  So... have you edited that file?  Have you built a custom kernel?


----------



## filson (Dec 27, 2013)

Thank you for your reply. I have not built a custom kernel. /boot/loader.conf did contain an `ipfw_load="YES"` command as well as `ipdivert_load="YES"`.

As far as I could see in the FreeBSD book, ipdivert is a kernel option for enabling NAT through IPFW.

I took the liberty of commenting both lines out using #. Maybe that was a bit too overzealous. Does stopping ipdivert from loading mean I can't use NAT in PF?

After a reboot `ipfw list` now shows

```
ipfw: getsockopt(IP_FW_GET): Protocol not available
```

That seems to indicate to me that IPFW hasn't loaded. If so, thank you very much for your assistance.

filson.


----------



## wblock@ (Dec 27, 2013)

Those lines can be removed entirely from /boot/loader.conf.  And pf(4) does not need ipdivert.


----------
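The two places this thread ends up checking, /boot/loader.conf for the module and rc.conf for `firewall_enable`, can be audited together. The script below is an added example and not part of any post; its function names and messages are made up here, and it assumes yes-values follow the pattern used by rc.subr's checkyesno (applied to loader.conf as well, for simplicity).

```shell
#!/bin/sh
# Added example (not from the thread): list boot settings that bring in IPFW.
# Function names and messages are made up for this illustration.

# Print the last uncommented value assigned to variable $2 in file $1.
# A later assignment overrides an earlier one, so only the last counts.
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Succeed if $1 is a yes-value by the pattern rc.subr's checkyesno uses.
# Assumption: the same pattern is applied to loader.conf for simplicity.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# ipfw_boot_sources [LOADER_CONF] [RC_DEFAULTS] [RC_CONF]
# Prints one line per setting that brings IPFW (or ipdivert) in at boot.
ipfw_boot_sources() {
    loader=${1:-/boot/loader.conf}
    rc_defaults=${2:-/etc/defaults/rc.conf}
    rc=${3:-/etc/rc.conf}

    # A module named in loader.conf is loaded before rc.conf is ever read,
    # so firewall_enable="NO" does not keep it out of the kernel.
    for var in ipfw_load ipdivert_load; do
        if is_yes "$(conf_value "$loader" "$var")"; then
            echo "$loader: $var loads the module at boot"
        fi
    done

    # /etc/rc.conf overrides /etc/defaults/rc.conf when it sets the variable.
    fw=$(conf_value "$rc" firewall_enable)
    src=$rc
    if [ -z "$fw" ]; then
        fw=$(conf_value "$rc_defaults" firewall_enable)
        src=$rc_defaults
    fi
    if is_yes "$fw"; then
        echo "$src: firewall_enable=$fw enables the ipfw rc script"
    fi
    return 0
}

ipfw_boot_sources "$@"
```

Run with no arguments on the FreeBSD host to use the default paths; empty output means none of the three files asks for IPFW at boot.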



## filson (Dec 27, 2013)

Thank you very much!

filson.


----------

