The ipfw.ko and ipdivert.ko modules can be loaded from loader.conf too,

so add a short section that describes how to use the loader to achieve the same effect as a kernel rebuild with: options IPFIREWALL options IPDIVERT options IPFIREWALL_DEFAULT_TO_ACCEPT
svn path=/head/; revision=34525
2009-07-11 07:23:05 +00:00 · 2009-07-11 07:23:05 +00:00 · 42f5b5cd77 · 2020-12-08 03:00:23 +00:00
commit 42f5b5cd77
parent 90a97e4d5d
1 changed files with 44 additions and 3 deletions
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
@ -4440,22 +4440,63 @@ ISDN BRI line</literallayout>
        machine.</para>
    </sect2>

+    <sect2 id="network-natdloaderconfiguration">
+      <indexterm>
+	<primary>boot loader</primary>
+	<secondary>configuration</secondary>
+      </indexterm>
+
+      <title>Boot Loader Configuration</title>
+
+      <para>The kernel features for network address translation with
+	&man.natd.8; are not enabled in the <filename>GENERIC</filename>
+	kernel, but they can be preloaded at boot time, by adding a couple of
+	options to <filename>/boot/loader.conf</filename>:</para>
+
+      <programlisting>ipfw_load="YES"
+ipdivert_load="YES"</programlisting>
+
+      <para>Additionally,
+	the <literal>net.inet.ip.fw.default_to_accept</literal> tunable
+	option may be set to <literal>1</literal>:</para>
+
+      <programlisting>net.inet.ip.fw.default_to_accept="1"</programlisting>
+
+      <note>
+	<para>It is a very good idea to set this option during the first
+	  attempts to setup a firewall and NAT gateway.  This way the default
+	  policy of &man.ipfw.8; will be <literal>allow ip from any to
+	  any</literal> instead of the less permissive <literal>deny ip from
+	  any to any</literal>, and it will be slightly more difficult to get
+	  locked out of the system right after a reboot.</para>
+      </note>
+    </sect2>
+
    <sect2 id="network-natdkernconfiguration">
+      <title>Kernel Configuration</title>
+
      <indexterm>
        <primary>kernel</primary>
 	<secondary>configuration</secondary>
      </indexterm>
-      <title>Configuration</title>
-      <para>The following options must be in the kernel configuration
+      <para>When modules are not an option or if it is preferrable to
+        build all the required features into the running kernel, the
+        following options must be in the kernel configuration
        file:</para>
+
      <programlisting>options IPFIREWALL
 options IPDIVERT</programlisting>

      <para>Additionally, at choice, the following may also be suitable:</para>
      <programlisting>options IPFIREWALL_DEFAULT_TO_ACCEPT
 options IPFIREWALL_VERBOSE</programlisting>
+    </sect2>

-      <para>The following must be in <filename>/etc/rc.conf</filename>:</para>
+    <sect2 id="network-natdsystemconfiguration">
+      <title>System Startup Configuration</title>
+
+      <para>To enable firewall and NAT support at boot time, the
+	following must be in <filename>/etc/rc.conf</filename>:</para>

      <programlisting>gateway_enable="YES" <co id="co-natd-gateway-enable">
 firewall_enable="YES" <co id="co-natd-firewall-enable">