Can anyone think of a good reason not to enable IPDIVERT sockets in
the ipfw module?

And possibly enabling default to accept? That way you don't have to
go to the console when you load the ipfw module because you forgot to
auto add the accept all rule? :)

Something like:
==== //depot/projects/opencrypto/sys/modules/ipfw/Makefile#3 - 
/home/jmg/freebsd.p4/opencrypto/sys/modules/ipfw/Makefile ====
--- /tmp/tmp.15774.16   2014-10-31 12:11:56.000000000 -0700
+++ /home/jmg/freebsd.p4/opencrypto/sys/modules/ipfw/Makefile   2014-10-31 
12:11:54.000000000 -0700
@@ -16,7 +16,10 @@
 #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
 #
 #If you want it to pass all packets by default
-#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
+CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
+#
+#If you want divert sockets
+CFLAGS+= -DIPDIVERT
 #
 
 .include <bsd.kmod.mk>
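
Review bot: Uncommenting `CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT` makes the module fail open for everyone who builds it, not only for the admin who forgot an accept rule: per the comment above it, the firewall then passes all packets by default, so a host that loads ipfw with an empty or incomplete ruleset forwards everything instead of blocking it. That is a policy change with a different risk profile from turning on `-DIPDIVERT`, so I would split the two, keep the default-to-accept line commented out as an opt-in, and judge the divert change on its own. Also, both comments still read "If you want ..." while the lines under them are now unconditional; if either flag stays enabled, reword its comment to say it is on by default and how to turn it off.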

-- 
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
