Date:      Mon, 7 Mar 2011 13:56:49 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Dave Johnson <ctfreebsd@gmail.com>
Cc:        stable@freebsd.org, ipfw@freebsd.org
Subject:   Re: An IPFW problem when going from release to stable on 8.2/ Maybe bge0 network card? (fwd)
Message-ID:  <20110307135057.C84485@sola.nimnet.asn.au>

Oh, I see this one was to net@, whereas your earlier message was to 
ipfw@ and stable@ with different subject, a bit confusing ..

Ian

---------- Forwarded message ----------
Date: Mon, 7 Mar 2011 13:49:20 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Dave Johnson <ctfreebsd@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: An IPFW problem when going from release to stable on 8.2/ Maybe
    bge0 network card?

On Sun, 6 Mar 2011, Dave Johnson wrote:
 > Hi all
 > 
 > 
 > An IPFW problem when going from release to stable on 8.2
 > 
 > Any help gladly accepted
 > 
 > LOG ON
 > 
 > Flushed all rules.
 > 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
 > 00030 divert 8668 ip from any to any via bge0
 > ipfw: getsockopt(IP_FW_ADD): Invalid argument
 > 50000 allow ip from any to any
 > Firewall rules loaded.
 > Starting natd.

That error occurred when attempting to install the fwd rule below.
Checking with 'ipfw list' should show that rule as missing.

 > rc.conf
 > defaultrouter="192.168.0.1"
 > gateway_enable="YES"
 > hostname="xxx.xxx.xxx"
 > ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
 > ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
 > keymap="us.iso"
 > moused_enable="YES"
 > sshd_enable="YES"
 > firewall_enable="YES"
 > firewall_script="/etc/rc.firewall"
 > natd_program="/sbin/natd"
 > natd_enable="YES"
 > natd_interface="bge0"
 > natd_flags="-f /etc/natd.conf"
 > dhcpd_enable="NO"
 > dhcpd_flags="-q"
 > dhcpd_conf="/usr/local/etc/dhcpd.conf"
 > dhcpd_ifaces="em0"
 > dhcpd_withumask="022"
 > 
 > natd.conf
 > 
 > interface bge0
 > use_sockets yes
 > same_ports yes
 > log
 > #redirect_port tcp 192.168.1.189:3389 3389
 > #redirect_port tcp 192.168.1.53:5500 5500
 > 
 > #!/bin/sh
 > 
 > /sbin/ipfw -f flush
 > /sbin/ipfw -f pipe flush
 > 
 > 
 > 
 > #Nat Rules
 > /sbin/ipfw add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
 > /sbin/ipfw add 30 divert natd all from any to any via bge0

Don't use 'all' or 'ip' with divert, specify ip4 instead; divert can't 
handle ip6 packets yet, panics have been reported.  See /etc/rc.firewall

 > #Forward to Transparent Proxy Server
 > #/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
 > #/sbin/ipfw add 10010 fwd 127.0.0.1,3128 tcp from 10.0.21.2 to any 80
 > 
 > /sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
 > 
 > 
 > /sbin/ipfw add 50000 allow ip from any to any
 > 
 > KERNEL
 > 
 > options IPFIREWALL
 > options IPFIREWALL_VERBOSE
 > options IPFIREWALL_VERBOSE_LIMIT=5
 > options IPFIREWALL_DEFAULT_TO_ACCEPT
 > options IPDIVERT
 > options DUMMYNET

But ipfw(8) sayeth:

            To enable fwd a custom kernel needs to be compiled with the
            option options IPFIREWALL_FORWARD.

cheers, Ian


[ aside: man.cgi is currently broken for 8.2-RELEASE, at least for ipfw.

http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&format=html

reports "Sorry, no data found for `ipfw'. Please try a keyword search."

Selecting 8.1-stable instead works correctly ]
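As an added example (not from this thread or from FreeBSD itself), a small POSIX sh linter that checks an rc.firewall-style script against a kernel config file for the two faults raised above: divert rules written with 'all' or 'ip' instead of ip4, and an active fwd rule while the kernel config lacks IPFIREWALL_FORWARD. The function names are hypothetical and the sample files are constructed to mirror the quoted script and KERNEL lines.

```shell
#!/bin/sh
# Hypothetical helper, not FreeBSD's own tooling.

# count_divert_v6 RULES: number of uncommented divert rules matching 'all'/'ip'
count_divert_v6() {
    grep -Ec '^[[:space:]]*(/sbin/)?ipfw[[:space:]]+add[[:space:]]+([0-9]+[[:space:]]+)?divert[[:space:]]+[^[:space:]]+[[:space:]]+(all|ip)[[:space:]]' "$1"
}

# has_fwd_rule RULES: succeeds if an uncommented 'fwd' rule is present
has_fwd_rule() {
    grep -Eq '^[[:space:]]*(/sbin/)?ipfw[[:space:]]+add[[:space:]]+([0-9]+[[:space:]]+)?fwd[[:space:]]' "$1"
}

# kernel_has_forward KCONF: succeeds if 'options IPFIREWALL_FORWARD' is configured
kernel_has_forward() {
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_FORWARD([[:space:]]|$)' "$1"
}

# fix_divert_af RULES: print the script with 'all'/'ip' on divert rules rewritten to ip4
fix_divert_af() {
    sed -E 's#^([[:space:]]*(/sbin/)?ipfw[[:space:]]+add[[:space:]]+([0-9]+[[:space:]]+)?divert[[:space:]]+[^[:space:]]+[[:space:]]+)(all|ip)([[:space:]])#\1ip4\5#' "$1"
}

# lint_ipfw_rules RULES KCONF: print findings; return value is the number of findings (0 = clean)
lint_ipfw_rules() {
    n=$(count_divert_v6 "$1" || true)   # grep -c exits 1 when the count is 0
    findings=$n
    [ "$n" -gt 0 ] && echo "$n divert rule(s) match 'all'/'ip'; use ip4, natd cannot handle IPv6"
    if has_fwd_rule "$1" && ! kernel_has_forward "$2"; then
        echo "fwd rule present but kernel config lacks 'options IPFIREWALL_FORWARD'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input modelled on the quoted rc.firewall and KERNEL lines
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rc.firewall" <<'EOF'
/sbin/ipfw add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
/sbin/ipfw add 30 divert natd all from any to any via bge0
#/sbin/ipfw add 10010 fwd 127.0.0.1,3128 tcp from 10.0.21.2 to any 80
/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
/sbin/ipfw add 50000 allow ip from any to any
EOF
printf 'options IPFIREWALL\noptions IPDIVERT\noptions DUMMYNET\n' > "$SAMPLE_DIR/KERNEL"
lint_ipfw_rules "$SAMPLE_DIR/rc.firewall" "$SAMPLE_DIR/KERNEL" || echo "findings: $?"
```

Run it with the real /etc/rc.firewall and kernel config as arguments before rebooting into a new kernel; a non-zero return from lint_ipfw_rules means at least one rule would be refused with the EINVAL seen in the quoted log.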


