Date: Sun, 18 Aug 2002 12:06:08 -0700
From: "Devon Stark" <knightraven@attbi.com>
To: <friar_josh@webwarrior.net>
Cc: <FreeBSD-Hackers@freebsd.org>
Subject: Re: IPDIVERT, having issues? [Moved to -questions]
Message-ID: <002101c246ea$4fcb4b90$14bde00c@quark>
References: <002801c2467f$731ebb60$14bde00c@quark> <1029666187.253.7.camel@markx.vladsempire.net>

Thanks for the idea, but sadly still didn't do the trick... it seems that the problem is something to do with ipfw loading as a module and not as a static lib... divert seems to be enabled in the kernel (lessing the kernel binary looking for the console message), and the module does not (still reports that divert is disabled), so what seems to be happening is that the kernel is being overridden by the module at runtime; renaming the module prevents ipfw from loading...

How can I force ipfw to build as a static lib in the kernel and not as a module? Or perhaps is there something else that I need to do?

----- Original Message -----
From: "Josh Paetzel" <friar_josh@webwarrior.net>
To: "Devon Stark" <knightraven@attbi.com>
Cc: <FreeBSD-Hackers@freebsd.org>
Sent: Sunday, August 18, 2002 3:22 AM
Subject: Re: IPDIVERT, having issues? [Moved to -questions]

> On Sun, 2002-08-18 at 06:20, Devon Stark wrote:
> > Greetings!
> > I am having a problem trying to get IPDIVERT to take..
> > I have set up my kernel conf to include the following lines
> >
> > options IPFIREWALL
> > options IPDIVERT
> >
> > I have the NIC configured and running just fine, for both local LAN and for internet (both of my NICs are plugged into the same switch for now)
> >
> > My /etc/rc.conf has
> > gateway_enable="YES"
> > firewall_enable="YES"
> > natd_enable="YES"
> >
> > Every time I boot the server I get a message saying that IP Packet filtering is enabled, along with any other configuration I specified (logging and such), but divert is always set to disabled!?
> > I have gone to the point of building the kernel with '-DIPDIVERT' and still getting the same results...
> > The main effect of this problem is of course that I get an error when I try to apply the following rule to my firewall
> >
> > 'ipfw add divert natd all from any to any via fxp0'
> > The error is...
> >
> > ip_fw_ctl: invalid command
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> >
> > I have checked and natd is in the services list and seems to be configured properly.
> >
> > I have been searching for the answer for about 3 days now with little luck finding the answer.
> >
> > The only thing I can think of is that there is some other kernel option that I am enabling that is causing this problem, or perhaps that there is something that I am missing?
> >
> > I have included my config files here for review...
> >
> > Kernel config file (I stripped out all of the comments for the sake of this post)
> >
> > machine i386
> > cpu I686_CPU
> > ident THE-SERVER
> > maxusers 256
> > options MATH_EMULATE
> > options INET
> > options FFS
> > options FFS_ROOT
> > options SOFTUPDATES
> > options UFS_DIRHASH
> > options MFS
> > options MD_ROOT
> > options NFS
> > options NFS_ROOT
> > options MSDOSFS
> > options CD9660
> > options CD9660_ROOT
> > options PROCFS
> > options COMPAT_43
> > options SCSI_DELAY=1000
> > options UCONSOLE
> > options USERCONFIG
> > options VISUAL_USERCONFIG
> > options KTRACE
> > options SYSVSHM
> > options SYSVMSG
> > options SYSVSEM
> > options P1003_1B
> > options _KPOSIX_PRIORITY_SCHEDULING
> > options ICMP_BANDLIM
> > options KBD_INSTALL_CDEV
> > options IPFIREWALL
> > options IPDIVERT
> > options IPFIREWALL_FORWARD
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=50
> > options BRIDGE
> > options IPSTEALTH
> > options TCP_DROP_SYNFIN
> > options SMP
> > options APIC_IO
> > device isa
> > device eisa
> > device pci
> > device fdc0 at isa? port IO_FD1 irq 6 drq 2
> > device fd0 at fdc0 drive 0
> > device ata0 at isa? port IO_WD1 irq 14
> > device ata1 at isa? port IO_WD2 irq 15
> > device ata
> > device atadisk
> > device atapicd
> > device atapifd
> > options ATA_STATIC_ID
> > device ahb
> > device ahc
> > device amd
> > device isp
> > device ncr
> > device sym
> > options SYM_SETUP_LP_PROBE_MAP=0x40
> > device adv0 at isa?
> > device adw
> > device bt0 at isa?
> > device aha0 at isa?
> > device aic0 at isa?
> > device scbus
> > device da
> > device sa
> > device cd
> > device pass
> > device asr
> > device atkbdc0 at isa? port IO_KBD
> > device atkbd0 at atkbdc? irq 1 flags 0x1
> > device psm0 at atkbdc? irq 12
> > device vga0 at isa?
> > pseudo-device splash
> > device sc0 at isa? flags 0x100
> > device npx0 at nexus? port IO_NPX irq 13
> > device apm0 at nexus? disable flags 0x20
> > device sio0 at isa? port IO_COM1 flags 0x10 irq 4
> > device sio1 at isa? port IO_COM2 irq 3
> > device ppc0 at isa? irq 7
> > device ppbus
> > device lpt
> > device miibus
> > device fxp
> > pseudo-device loop
> > pseudo-device ether
> > pseudo-device pty
> > pseudo-device md
> > pseudo-device bpf
> > device uhci
> > device ohci
> > device usb
> > device ugen
> > device uhid
> > device ukbd
> > device ulpt
> > device umass
> > device ums
> > device uscanner
> > device urio
> > device aue
> > device cue
> > device kue
> >
> > Here is the /etc/rc.conf
> >
> > gateway_enable="YES"
> > inetd_enable="YES"
> > kern_securelevel_enable="NO"
> > linux_enable="YES"
> > moused_enable="NO"
> > nfs_reserved_port_only="YES"
> > sendmail_enable="YES"
> > sshd_enable="YES"
> > usbd_enable="YES"
> > ifconfig_fxp0="DHCP"
> > ifconfig_fxp1="inet 172.17.0.1 netmask 255.255.255.0"
> > hostname="The-Server.KnightRaven.com"
> > firewall_enable="YES"
> > firewall_type="open"
> > firewall_quiet="NO"
> > natd_enable="YES"
> > natd_flags="-f /etc/natd.conf"
> > natd_interface="fxp0"
> >
> > Let me know if there are any other configuration files you need to look at...
> >
> > Any ideas or help is greatly appreciated!
> >
> > Thank you!
> > Devon
>
> Remove option IPFIREWALL_FORWARD and option BRIDGE from your kernel and
> recompile.
>
> Josh
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message