From owner-freebsd-stable@FreeBSD.ORG Mon Mar 7 03:30:25 2011
Date: Mon, 7 Mar 2011 13:56:49 +1100 (EST)
From: Ian Smith
To: Dave Johnson
Cc: stable@freebsd.org, ipfw@freebsd.org
Subject: Re: An IPFW problem when going from release to stable on 8.2/ Maybe bge0 network card? (fwd)
Message-ID: <20110307135057.C84485@sola.nimnet.asn.au>
List-Id: Production branch of FreeBSD source code

Oh, I see this one was to net@, whereas your earlier message was to ipfw@ 
and stable@ with a different subject, a bit confusing ..

Ian

---------- Forwarded message ----------
Date: Mon, 7 Mar 2011 13:49:20 +1100 (EST)
From: Ian Smith
To: Dave Johnson
Cc: freebsd-net@freebsd.org
Subject: Re: An IPFW problem when going from release to stable on 8.2/ Maybe bge0 network card?

On Sun, 6 Mar 2011, Dave Johnson wrote:

> Hi all
>
> An IPFW problem when going from release to stable on 8.2
>
> Any help gladly accepted
>
> LOG ON
>
> Flushed all rules.
> 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> 00030 divert 8668 ip from any to any via bge0
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
> 50000 allow ip from any to any
> Firewall rules loaded.
> Starting natd.

That error occurred when attempting to install the fwd rule below. 
Checking with 'ipfw list' should show that rule as missing.

> rc.conf
> defaultrouter="192.168.0.1"
> gateway_enable="YES"
> hostname="xxx.xxx.xxx"
> ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
> keymap="us.iso"
> moused_enable="YES"
> sshd_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> natd_program="/sbin/natd"
> natd_enable="YES"
> natd_interface="bge0"
> natd_flags="-f /etc/natd.conf"
> dhcpd_enable="NO"
> dhcpd_flags="-q"
> dhcpd_conf="/usr/local/etc/dhcpd.conf"
> dhcpd_ifaces="em0"
> dhcpd_withumask="022"
>
> natd.conf
>
> interface bge0
> use_sockets yes
> same_ports yes
> log
> #redirect_port tcp 192.168.1.189:3389 3389
> #redirect_port tcp 192.168.1.53:5500 5500
>
> #!/bin/sh
>
> /sbin/ipfw -f flush
> /sbin/ipfw -f pipe flush
>
> #Nat Rules
> /sbin/ipfw add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> /sbin/ipfw add 30 divert natd all from any to any via bge0

Don't use 'all' or 'ip' with divert; specify ip4 instead. divert can't 
handle ip6 packets yet, and panics have been reported. See /etc/rc.firewall

> #Forward to Transparent Proxy Server
> #/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
> #/sbin/ipfw add 10010 fwd 127.0.0.1,3128 tcp from 10.0.21.2 to any 80
>
> /sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
>
> /sbin/ipfw add 50000 allow ip from any to any
>
> KERNEL
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=5
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> options DUMMYNET

But ipfw(8) sayeth:

  To enable fwd a custom kernel needs to be compiled with the option
  options IPFIREWALL_FORWARD.

cheers, Ian

[ aside: man.cgi is currently broken for 8.2-RELEASE, at least for ipfw. 
http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&format=html 
reports "Sorry, no data found for `ipfw'. Please try a keyword search." 
Selecting 8.1-stable instead works correctly ]
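The two points Ian raises (divert rules should say ip4, and fwd needs IPFIREWALL_FORWARD in the kernel, otherwise `ipfw add` fails with `getsockopt(IP_FW_ADD): Invalid argument` and the rule is silently absent from `ipfw list`) are put together below in an added example script. It is not Dave's script, not FreeBSD's /etc/rc.firewall, and not from the thread; the IPFW, KERNCONF, EXT_IF and PROXY defaults and the `load` argument are assumptions for illustration. Set IPFW=echo to dry-run it on a machine without ipfw; the sample kernel options are the ones Dave posted, embedded as constructed input so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not the poster's script or FreeBSD's rc.firewall.
# Assumed defaults (not from the thread): IPFW, KERNCONF, EXT_IF, PROXY.
# Set IPFW=echo to dry-run on a box that has no ipfw.
IPFW="${IPFW:-/sbin/ipfw}"
KERNCONF="${KERNCONF:-/usr/src/sys/amd64/conf/GENERIC}"
EXT_IF="${EXT_IF:-bge0}"
PROXY="${PROXY:-127.0.0.1,3128}"

# divert(4) only carries IPv4.  A divert rule written with 'ip' or 'all'
# also matches IPv6 packets, which the thread warns can panic the box,
# so map those two keywords to ip4 and leave any other protocol alone.
safe_divert_proto() {
    case "$1" in
        ip|all) printf '%s\n' ip4 ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Return 0 if the kernel config file enables the fwd action.  Without
# 'options IPFIREWALL_FORWARD', 'ipfw add ... fwd ...' fails with
# getsockopt(IP_FW_ADD): Invalid argument, as in Dave's log.
kernel_has_forward() {
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_FORWARD([[:space:]]|$)' "$1"
}

# Read 'ipfw list' output on stdin; return 0 if rule NUMBER is present.
# ipfw prints rule numbers zero-padded to five digits ("00030 divert ...").
rule_present() {
    grep -q "^0*$1 "
}

# Dave's kernel options, embedded as constructed sample input for the
# kernel_has_forward check.  Note that IPFIREWALL_FORWARD is absent.
sample_kernconf() {
    cat <<'EOF'
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET
EOF
}

# The corrected rule set: ip4 on the divert rule, fwd only when the
# kernel can honour it, and an explicit check that the fwd rule landed.
load_rules() {
    proto=$(safe_divert_proto all)      # the original rule used 'all'
    $IPFW -f flush
    $IPFW -f pipe flush
    $IPFW add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    $IPFW add 30 divert natd "$proto" from any to any via "$EXT_IF"
    if kernel_has_forward "$KERNCONF"; then
        $IPFW add 10001 fwd "$PROXY" tcp from any to any 80
    else
        echo "kernel config lacks IPFIREWALL_FORWARD; fwd rule not added" >&2
    fi
    $IPFW add 50000 allow ip from any to any
    # Do not trust the add: confirm rule 10001 is really in the list.
    if $IPFW list | rule_present 10001; then
        echo "fwd rule 10001 installed"
    else
        echo "fwd rule 10001 missing" >&2
    fi
}

# Only touch the firewall when explicitly asked: sh script.sh load
case "${1:-}" in
    load) load_rules ;;
esac
```

Running `KERNCONF=/path/to/MYKERNEL sh script.sh load` on the box applies the rules; with IPFW=echo it just prints the ipfw commands it would run, which is a convenient way to review a rule set before flushing the live one over an ssh session.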