From owner-freebsd-ipfw Tue Aug 22 2:58:25 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from web1401.mail.yahoo.com (web1401.mail.yahoo.com [128.11.23.165])
	by hub.freebsd.org (Postfix) with SMTP id 737B837B424
	for ; Tue, 22 Aug 2000 02:58:18 -0700 (PDT)
Received: (qmail 9999 invoked by uid 60001); 22 Aug 2000 10:00:18 -0000
Message-ID: <20000822100018.9998.qmail@web1401.mail.yahoo.com>
Received: from [159.148.130.2] by web1401.mail.yahoo.com; Tue, 22 Aug 2000 03:00:18 PDT
Date: Tue, 22 Aug 2000 03:00:18 -0700 (PDT)
From: John Braun
Subject: divert disabled
To: freebsd-isp@freebsd.org
Cc: freebsd-ipfw@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello

I try to start router (BSD 3.2),
but I get a not so satisfactory results.

When BSD starting, it shows message
like this: "Divert disabled"

Where is a problem?

My router configuration looks like that:

1) Lines from /etc/defaults/rc.conf
===========================================
firewall_enable="YES"		# firewall functionality
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"		#!!!!!! (I also try firewall type UNKNOWN and SIMPLE)
firewall_quiet="NO"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-l -u -m"
#natd_flags=""			# !!!
There I try to change firewall rules
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via fxp0
/sbin/ipfw add pass all from any to any
tcp_extensions="NO"
network_interfaces="lo0 rl0 fxp0"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_fxp0="inet 159.148.166.75 netmask 255.255.255.248"
ifconfig_rl0="inet 192.168.37.9 netmask 255.255.255.0"
defaultrouter="159.148.166.73"
static_routes=""
gateway_enable="YES"
router_enable="NO"
router="routed"
router_flags="-q"
mrouted_enable="NO"
mrouted_flags=""
arpproxy_all=""
forward_sourceroute="YES"
accept_sourceroute="YES"
============================================
2) My fw rules looks like that (ipfw -a l)
00100 149 17161 divert 8668 ip from any to any via fxp0
00200  12   606 allow ip from any to any
65535   0     0 deny ip from any to any
============================================
3) My kernel configuration options: (/usr/src/sys/conf/options)
options IPFIREWALL opt_ipfw.h
options IPDIVERT opt_ipdivert.h
options IPFIREWALL_FORWARD opt_ipfw.h
options IPFIREWALL_VERBOSE opt_ipfw.h
============================================
4) When I try to ping some server, I got replies:
PING 159.148.60.2 (159.148.60.2): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
--- 159.148.60.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
============================================
============================================

What can I do?

Regards,
J.B.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Aug 22 4:45:13 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP id D6F7C37B423;
	Tue, 22 Aug 2000 04:45:04 -0700 (PDT)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.9.3/1.13) id OAA13667;
	Tue, 22 Aug 2000 14:44:22 +0300 (EEST)
Date: Tue, 22 Aug 2000 14:44:22 +0300
From: Ruslan Ermilov
To: John Braun
Cc: freebsd-isp@freebsd.org, freebsd-ipfw@FreeBSD.ORG
Subject: Re: divert disabled
Message-ID: <20000822144422.B12855@sunbay.com>
Mail-Followup-To: John Braun , freebsd-isp@freebsd.org, freebsd-ipfw@FreeBSD.ORG
References: <20000822100018.9998.qmail@web1401.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000822100018.9998.qmail@web1401.mail.yahoo.com>; from uktests@yahoo.com on Tue, Aug 22, 2000 at 03:00:18AM -0700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Aug 22, 2000 at 03:00:18AM -0700, John Braun wrote:
> Hello
>
> I try to start router (BSD 3.2),
> but I get a not so satisfactory results.
>
> When BSD starting, it shows message
> like this: "Divert disabled"
>
> Where is a problem?
>
You need to compile your kernel with `options IPDIVERT'.
Module version (ipfw.ko) is compiled without this option.

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-ipfw Sat Aug 26 10:20:22 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail3.nc.rr.com (fe3.southeast.rr.com [24.93.67.50])
	by hub.freebsd.org (Postfix) with ESMTP id E9C4E37B422
	for ; Sat, 26 Aug 2000 10:20:19 -0700 (PDT)
Received: from welsh.dynip.com ([24.162.231.59]) by mail3.nc.rr.com with Microsoft SMTPSVC(5.5.1877.357.35);
	Sat, 26 Aug 2000 13:20:06 -0400
Received: (qmail 62477 invoked by uid 1000); 26 Aug 2000 17:20:18 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
	by localhost with SMTP; 26 Aug 2000 17:20:18 -0000
Date: Sat, 26 Aug 2000 13:20:18 -0400 (EDT)
From: jason
To: freebsd-ipfw@freebsd.org
Subject: telnet sessions getting stuck?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm running 4.0-RELEASE FreeBSD 4.0-RELEASE #0 and it's been running ipfw
for over a hundred days without issue. I decided to try to get the
stateful inspection stuff working with ipfw and I have gotten it to work,
but now my telnet sessions to my freebsd server seem to just hang after a
few (less than 5) minutes of inactivity. I keep looking in my logs, and
the only thing suspicious I see is

Aug 26 13:11:41 welsh /kernel: invalid state: 0x3
Aug 26 13:11:44 welsh last message repeated 4 times

the telnet source and destination machine are both on the 10.1.1.0
network.

here is the stateful part of my firewall rules. do they look ok?

00100 divert 8668 ip from any to any via xl0
00200 allow ip from any to any via lo0
00300 check-state
00400 deny tcp from any to any established
00500 allow tcp from 10.1.1.0/24 to any keep-state setup
00600 allow tcp from 24.162.231.59 to any keep-state setup
00700 allow tcp from any to 24.162.231.59 keep-state setup
00800 deny log logamount 50 ip from 10.1.1.0/24 to any in recv xl0

regards,
Jason

-- 
=======================================================================
| Jason Welsh   jason@welsh.dynip.com | If you think there's          |
|                                     | good in everybody, you        |
| http://welsh.dynip.com/             | haven't met everybody.        |
=======================================================================
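
Added example, not part of any message in this archive. For the "divert disabled" thread above, where the reply says the kernel must be compiled with `options IPDIVERT`, this script reports which of the options named in that thread are not enabled in a kernel configuration file. The function names and the sample configuration are constructed for illustration; pass your own kernel configuration file path to missing_opts.

```shell
#!/bin/sh
# Added example: check a kernel configuration file for the options that
# an ipfw "divert" rule feeding natd depends on, as named in the thread.

REQUIRED_OPTS="IPFIREWALL IPDIVERT"

# Print the names enabled by uncommented "options" lines, one per line.
enabled_opts() {
    # Drop comments first so "#options IPDIVERT" does not count, then
    # strip quotes and any "=value" suffix from the option name.
    sed -e 's/#.*$//' "$1" |
        awk '$1 == "options" { gsub(/"/, "", $2); sub(/=.*/, "", $2); print $2 }'
}

# Print the required options that the given config file does not enable.
# Prints an empty line when nothing is missing.
missing_opts() {
    enabled=$(enabled_opts "$1")
    missing=""
    for opt in $REQUIRED_OPTS; do
        # -x matches the whole line, so IPFIREWALL_VERBOSE is not
        # mistaken for IPFIREWALL.
        echo "$enabled" | grep -qx "$opt" || missing="$missing $opt"
    done
    echo $missing
}

# Constructed sample config (not taken from the thread): the firewall is
# enabled but the divert option is commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
machine		i386
ident		ROUTER
options 	INET			#InterNETworking
options 	IPFIREWALL		#firewall
options 	IPFIREWALL_VERBOSE	#print information about dropped packets
options 	"IPFIREWALL_VERBOSE_LIMIT=100"
#options 	IPDIVERT		#divert sockets
EOF

result=$(missing_opts "$sample")
if [ -n "$result" ]; then
    echo "kernel config is missing: $result"
else
    echo "kernel config enables: $REQUIRED_OPTS"
fi
rm -f "$sample"
```
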