Date:      Sun, 18 Aug 2002 12:06:08 -0700
From:      "Devon Stark" <knightraven@attbi.com>
To:        <friar_josh@webwarrior.net>
Cc:        <FreeBSD-Hackers@freebsd.org>
Subject:   Re: IPDIVERT, having issues? [Moved to -questions]
Message-ID:  <002101c246ea$4fcb4b90$14bde00c@quark>
References:  <002801c2467f$731ebb60$14bde00c@quark> <1029666187.253.7.camel@markx.vladsempire.net>

Thanks for the idea, but sadly still didn't do the trick...
It seems that the problem is something to do with ipfw loading as a module
and not as a static lib...

Divert seems to be enabled in the kernel (lessing the kernel binary looking
for the console message), and the module does not (still reports that
divert is disabled), so what seems to be happening is that the kernel is
being overridden by the module at runtime; renaming the module prevents ipfw
from loading...

How can I force ipfw to build as a static lib in the kernel and not as a
module? Or perhaps is there something else that I need to do?

----- Original Message -----
From: "Josh Paetzel" <friar_josh@webwarrior.net>
To: "Devon Stark" <knightraven@attbi.com>
Cc: <FreeBSD-Hackers@freebsd.org>
Sent: Sunday, August 18, 2002 3:22 AM
Subject: Re: IPDIVERT, having issues? [Moved to -questions]


> On Sun, 2002-08-18 at 06:20, Devon Stark wrote:
> > Greetings!
> > I am having a problem trying to get IPDIVERT to take..
> > I have setup my kernel conf to include the following lines
> >
> > options IPFIREWALL
> > options IPDIVERT
> >
> > I have the nic configured and running just fine, for both local LAN and
> > for internet (both of my NICs are plugged into the same switch for now)
> >
> > My /etc/rc.conf has
> > gateway_enable="YES"
> > firewall_enable="YES"
> > natd_enable="YES"
> >
> > Every time I boot the server I get a message saying that IP Packet
> > filtering is enabled, along with any other configuration I specified
> > (logging and such), but divert is always set to disabled!?
> > I have gone to the point of building the kernel with '-DIPDIVERT' and
> > still getting the same results...
> > The main effect of this problem is of course that I get an error when I
> > try to apply the following rule to my firewall
> >
> > 'ipfw add divert natd all from any to any via fxp0'
> > The error is...
> >
> > ip_fw_ctl: invalid command
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> >
> > I have checked and natd is in the services list and seems to be
> > configured properly.
> >
> > I have been searching for the answer for about 3 days now with little
> > luck finding the answer.
> >
> > The only thing I can think of is that there is some other kernel option
> > that I am enabling that is causing this problem, or perhaps that there is
> > something that I am missing?
> >
> > I have included my config files here for review...
> >
> > Kernel config file (I stripped out all of the comments for the sake of
> > this post)
> >
> > machine         i386
> > cpu             I686_CPU
> > ident           THE-SERVER
> > maxusers        256
> > options         MATH_EMULATE
> > options         INET
> > options         FFS
> > options         FFS_ROOT
> > options         SOFTUPDATES
> > options         UFS_DIRHASH
> > options         MFS
> > options         MD_ROOT
> > options         NFS
> > options         NFS_ROOT
> > options         MSDOSFS
> > options         CD9660
> > options         CD9660_ROOT
> > options         PROCFS
> > options         COMPAT_43
> > options         SCSI_DELAY=1000
> > options         UCONSOLE
> > options         USERCONFIG
> > options         VISUAL_USERCONFIG
> > options         KTRACE
> > options         SYSVSHM
> > options         SYSVMSG
> > options         SYSVSEM
> > options         P1003_1B
> > options         _KPOSIX_PRIORITY_SCHEDULING
> > options         ICMP_BANDLIM
> > options         KBD_INSTALL_CDEV
> > options         IPFIREWALL
> > options         IPDIVERT
> > options         IPFIREWALL_FORWARD
> > options         IPFIREWALL_VERBOSE
> > options         IPFIREWALL_VERBOSE_LIMIT=50
> > options         BRIDGE
> > options         IPSTEALTH
> > options         TCP_DROP_SYNFIN
> > options         SMP
> > options         APIC_IO
> > device          isa
> > device          eisa
> > device          pci
> > device          fdc0    at isa? port IO_FD1 irq 6 drq 2
> > device          fd0     at fdc0 drive 0
> > device          ata0    at isa? port IO_WD1 irq 14
> > device          ata1    at isa? port IO_WD2 irq 15
> > device          ata
> > device          atadisk
> > device          atapicd
> > device          atapifd
> > options         ATA_STATIC_ID
> > device          ahb
> > device          ahc
> > device          amd
> > device          isp
> > device          ncr
> > device          sym
> > options         SYM_SETUP_LP_PROBE_MAP=0x40
> > device          adv0    at isa?
> > device          adw
> > device          bt0     at isa?
> > device          aha0    at isa?
> > device          aic0    at isa?
> > device          scbus
> > device          da
> > device          sa
> > device          cd
> > device          pass
> > device          asr
> > device          atkbdc0 at isa? port IO_KBD
> > device          atkbd0  at atkbdc? irq 1 flags 0x1
> > device          psm0    at atkbdc? irq 12
> > device          vga0    at isa?
> > pseudo-device   splash
> > device          sc0     at isa? flags 0x100
> > device          npx0    at nexus? port IO_NPX irq 13
> > device          apm0    at nexus? disable flags 0x20
> > device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
> > device          sio1    at isa? port IO_COM2 irq 3
> > device          ppc0    at isa? irq 7
> > device          ppbus
> > device          lpt
> > device          miibus
> > device          fxp
> > pseudo-device   loop
> > pseudo-device   ether
> > pseudo-device   pty
> > pseudo-device   md
> > pseudo-device   bpf
> > device          uhci
> > device          ohci
> > device          usb
> > device          ugen
> > device          uhid
> > device          ukbd
> > device          ulpt
> > device          umass
> > device          ums
> > device          uscanner
> > device          urio
> > device          aue
> > device          cue
> > device          kue
> >
> > Here is the /etc/rc.conf
> >
> > gateway_enable="YES"
> > inetd_enable="YES"
> > kern_securelevel_enable="NO"
> > linux_enable="YES"
> > moused_enable="NO"
> > nfs_reserved_port_only="YES"
> > sendmail_enable="YES"
> > sshd_enable="YES"
> > usbd_enable="YES"
> > ifconfig_fxp0="DHCP"
> > ifconfig_fxp1="inet 172.17.0.1  netmask 255.255.255.0"
> > hostname="The-Server.KnightRaven.com"
> > firewall_enable="YES"
> > firewall_type="open"
> > firewall_quiet="NO"
> > natd_enable="YES"
> > natd_flags="-f /etc/natd.conf"
> > natd_interface="fxp0"
> >
> > Let me know if there are any other configuration files you need to look
> > at...
> >
> > Any ideas or help is greatly appreciated!
> >
> > Thank you!
> > Devon
>
> Remove option IPFIREWALL_FORWARD and option BRIDGE from your kernel and
> recompile.
>
> Josh
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002101c246ea$4fcb4b90$14bde00c>
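
The two checks this thread turns on, whether the kernel config carries `options IPFIREWALL` and `options IPDIVERT` and whether ipfw was brought in as `ipfw.ko`, as an added shell example that is not part of the original e-mails. The function names, file names and sample data are constructed; on a real host the second file would hold saved `kldstat` output.

```shell
#!/bin/sh
# Added example; all sample data is constructed for illustration.

# kernel_has_option CONFIG OPTION: true if the config file has an
# uncommented "options OPTION" line (with or without "=value").
kernel_has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=]|\$)" "$1"
}

# ipfw_origin KLDSTAT_FILE: prints "module" when saved `kldstat` output
# lists ipfw.ko as a loaded file, otherwise "not-module".
ipfw_origin() {
    if awk '$NF == "ipfw.ko" { hit = 1 } END { exit !hit }' "$1"; then
        echo module
    else
        echo not-module
    fi
}

# divert_report CONFIG KLDSTAT_FILE: one-line verdict combining both checks.
divert_report() {
    missing=""
    for opt in IPFIREWALL IPDIVERT; do
        kernel_has_option "$1" "$opt" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "config lacks:$missing"
    elif [ "$(ipfw_origin "$2")" = module ]; then
        echo "ipfw.ko loaded: verify the running kernel was built from this config"
    else
        echo "options present and ipfw is not a loaded module"
    fi
}

# Constructed sample input: a config excerpt and a saved kldstat listing.
tmp=$(mktemp -d)
printf 'options\t\tIPFIREWALL\noptions\t\tIPDIVERT\n#options\tBRIDGE\n' > "$tmp/KERNCONF"
printf 'Id Refs Address    Size     Name\n 1    2 0xc0100000 3a0000   kernel\n 2    1 0xc1200000 7000     ipfw.ko\n' > "$tmp/kldstat.txt"
divert_report "$tmp/KERNCONF" "$tmp/kldstat.txt"
```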