natd starting after firewall rules are loaded

Ian Smith smithi at nimnet.asn.au
Sun Apr 17 05:36:49 UTC 2011


On Sat, 16 Apr 2011, rondzierwa at comcast.net wrote:

 > After the firewall rules are loaded, the rc script then loads natd. 
 > Once the system is up, I can ipfw list and the divert command is, 
 > in fact, not there, but by this time natd is running. If I run the rc.firewall 
 > script interactively, it completes successfully and the divert rule 
 > is in the list, and everyone is happy again. 

There are several outstanding PRs about this and related issues; copying 
hrs@ who grabbed these PRs a while ago.  The quick fix is to add

ipdivert_load="YES"

to /boot/loader.conf so it's there before ipfw & natd start.  You still 
need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf.

 > In 4.9 there used to be a rc.network script that started natd before 
 > it loaded the firewall rules. I do not see it in 8.2 anymore, instead 
 > it looks like rc simply runs the scripts in rc.d alphabetically, so natd 
 > comes after ipfw. 

Not alphabetically but according to rcorder(8).  /etc/rc.d/natd has 
keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but 
as you've seen, ipfw's attempt to install divert rule(s) fails for want 
of ipdivert.ko - which /etc/rc.d/natd does load, but too late.

 > I can't believe I'm the only one using ipfw and natd with 8.2, so it 
 > seems to me that I just don't know the secret handshake that will 
 > make it work. 

In 4.x you had to build ipfw into kernel; lots of changes since :)

cheers, Ian

