diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index df9176fc13a..2450a1d04c3 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -390,7 +390,7 @@ iphack:
 		ip = mtod(m = m1, struct ip *);
 	}
 #endif
-	if (ip_fw_chk_ptr) {
+	if (fw_enable && ip_fw_chk_ptr) {
 #ifdef IPFIREWALL_FORWARD
 		/*
 		 * If we've been forwarded from the output side, then
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 61c8432a0ed..52350e3315b 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -176,7 +176,7 @@ ip_output(m0, opt, ro, flags, imo)
             /*
              * the packet was already tagged, so part of the
              * processing was already done, and we need to go down.
-             * * Get parameters from the header.
+             * Get parameters from the header.
              */
             rule = (struct ip_fw_chain *)(m->m_data) ;
 	    opt = NULL ;
@@ -462,7 +462,7 @@ sendit:
 	/*
 	 * Check with the firewall...
 	 */
-	if (ip_fw_chk_ptr) {
+	if (fw_enable && ip_fw_chk_ptr) {
 		struct sockaddr_in *old = dst;
 
 		off = (*ip_fw_chk_ptr)(&ip,