From: "Pascal Zoutendijk"
To: "Jason Cribbins"
Subject: Re: Unable to get natd/ipfw to work properly
Date: Sun, 4 Nov 2001 22:59:39 +0100
Organization: TBWA \ IT

Jason,

I don't know why you shouldn't want to use IPDIVERT; as far as I know (correct me if I'm wrong, please) you need it to get NAT to work.

There are a lot of ipfw rulesets available on the internet, just search on google for "ruleset ipfw freebsd" and it should give you enough different sample sets to get you up and running (or crazy ;-)

www.mostgraveconcern.com/freebsd has a nice tutorial on how to set up a bsd firewall on a cable-connected machine.

Regards,

Pascal Zoutendijk
TBWA \ IT

----- Original Message -----
From: "Jason Cribbins"
To: "pasca"
Sent: Sunday, November 04, 2001 10:36 PM
Subject: Re: Unable to get natd/ipfw to work properly

> Thanks
> I thought I read that IPFIREWALL was built into the GENERIC kernel. I can
> add rules such as:
> ipfw add all from any to any
> Just nothing that uses divert.
>
> Anyhow I will restart the 4 hour process that is recompiling another kernel on
> this old machine.
>
> Thanks Again
>
> ----- Original Message -----
> From: "pasca"
> To: "Jason Cribbins"
> Sent: Sunday, November 04, 2001 3:41 PM
> Subject: Re: Unable to get natd/ipfw to work properly
>
> > as far as I can see you forgot to include your firewall in your kernel...
> >
> > add:
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=20
> >
> > to your firewall config file and recompile.
> >
> > Regards,
> >
> > Pascal Zoutendijk
> > TBWA \ IT
> >
> > ----- Original Message -----
> > From: "Jason Cribbins"
> > To: "Nick Rogness"
> > Sent: Sunday, November 04, 2001 9:13 PM
> > Subject: Re: Unable to get natd/ipfw to work properly
> >
> > > I rebuilt the kernel using the directions found on
> > > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
> > > using the "traditional" method since the "new" method wouldn't work
> > > correctly.
> > > I have confirmed the new kernel ident is displayed upon bootup.
> > >
> > > Now I am back to this again:
> > > IP packet filtering initialized, divert disabled, rule-based forwarding
> > > disabled, default to deny, logging disabled
> > >
> > > and this as well:
> > > 7:58pm mail:~ # ipfw add divert natd all from any to any via lnc0
> > > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > > 7:58pm mail:~ #
> > >
> > > What am I missing here?
> > >
> > > Here are the config files that may apply:
> > > # - MYKERN - BEGIN - #
> > > machine         i386
> > > cpu             I586_CPU
> > > ident           COMPAQ-KERN
> > > maxusers        32
> > > #makeoptions    DEBUG=-g                #Build kernel with gdb(1) debug symbols
> > > options         IPDIVERT                #Required by natd
> > > options         MATH_EMULATE            #Support for x87 emulation
> > > options         INET                    #InterNETworking
> > > #options        INET6                   #IPv6 communications protocols
> > > options         FFS                     #Berkeley Fast Filesystem
> > > options         FFS_ROOT                #FFS usable as root device [keep this!]
> > > options         SOFTUPDATES             #Enable FFS soft updates support
> > > #options        MFS                     #Memory Filesystem
> > > #options        MD_ROOT                 #MD is a potential root device
> > > #options        NFS                     #Network Filesystem
> > > #options        NFS_ROOT                #NFS usable as root device, NFS required
> > > #options        MSDOSFS                 #MSDOS Filesystem
> > > #options        CD9660                  #ISO 9660 Filesystem
> > > #options        CD9660_ROOT             #CD-ROM usable as root, CD9660 required
> > > options         PROCFS                  #Process filesystem
> > > options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
> > > options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
> > > options         UCONSOLE                #Allow users to grab the console
> > > options         USERCONFIG              #boot -c editor
> > > options         VISUAL_USERCONFIG       #visual boot -c editor
> > > options         KTRACE                  #ktrace(1) support
> > > #options        SYSVSHM                 #SYSV-style shared memory
> > > #options        SYSVMSG                 #SYSV-style message queues
> > > #options        SYSVSEM                 #SYSV-style semaphores
> > > options         P1003_1B                #Posix P1003_1B real-time extensions
> > > options         _KPOSIX_PRIORITY_SCHEDULING
> > > options         ICMP_BANDLIM            #Rate limit bad replies
> > > options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
> > >
> > > # To make an SMP kernel, the next two are needed
> > > #options        SMP                     # Symmetric MultiProcessor Kernel
> > > #options        APIC_IO                 # Symmetric (APIC) I/O
> > > # - MYKERN - END - #
> > > The rest is devices and all devices for INET are working fine
> > >
> > > # - /etc/rc.conf - BEGIN - #
> > > # NAT Settings
> > > gateway_enable="YES"
> > > natd_enable="YES"
> > > natd_interface="lnc0"
> > > natd_flags="-f /etc/local/etc/natd.cf"
> > > firewall_enable="YES"
> > > firewall_type="OPEN"
> > > # - /etc/rc.conf - END - #
> > >
> > > # - /usr/local/etc/natd.cf - BEGIN - #
> > > log yes
> > > use_sockets no
> > > same_ports yes
> > > interface lnc0
> > > # - /usr/local/etc/natd.cf - END - #
> > >
> > > # - ifconfig - BEGIN - #
> > > lnc0: flags=8843 mtu 1500
> > >         inet 66.92.216.6 netmask 0xffffff00 broadcast 66.92.216.255
> > >         ether 00:80:5f:f4:10:42
> > > rl0: flags=8843 mtu 1500
> > >         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> > >         ether 00:02:2a:b0:6f:0e
> > >         media: autoselect (none) status: active
> > >         supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
> > > lp0: flags=8810 mtu 1500
> > > lo0: flags=8049 mtu 16384
> > >         inet 127.0.0.1 netmask 0xff000000
> > > # - ifconfig - END - #
> > >
> > > Unsure what else you may need? Let me know. I have one DSL line down and
> > > this is a temporary fix for what may be a long term outage.
> > >
> > > ----- Original Message -----
> > > From: "Nick Rogness"
> > > To: "Jason Cribbins"
> > > Sent: Sunday, November 04, 2001 12:13 AM
> > > Subject: Re: Unable to get natd/ipfw to work properly
> > >
> > > > On Sat, 3 Nov 2001, Jason Cribbins wrote:
> > > >
> > > > > Can someone help me past this error I am getting when trying to use
> > > > > natd and ipfw
> > > > >
> > > > > Nov 4 04:24:33 mail /kernel: IP packet filtering initialized,
> > > > > divert disabled, rule-based forwarding disabled, default to deny, logging
> > > >   ^^^^^^^^^^^^^^^
> > > >
> > > > This is your problem, you need to build a kernel with:
> > > >
> > > > options IPDIVERT
> > > >
> > > > Nick Rogness
> > > > - Keep on Routing in a Free World...
> > > > "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
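As an added example, not code from the thread, this POSIX sh script checks a kernel config for the two options the replies above name (IPFIREWALL and IPDIVERT), decodes the boot-time "divert disabled" message, and pulls the natd config path out of rc.conf; the sample config, rc.conf line and log line are constructed from the quoted messages.

```shell
#!/bin/sh
# Added example (not from the thread): check a FreeBSD kernel config for the
# options ipfw+natd need, decode the boot-time ipfw status line, and read
# the natd config path from rc.conf. Sample inputs are constructed below.

# Kernel options the thread identifies as needed for natd with ipfw.
REQUIRED_OPTS="IPFIREWALL IPDIVERT"

# missing_kernel_opts FILE: print the required options that are not enabled
# in FILE; a commented-out "#options X" line does not count as enabled.
missing_kernel_opts() {
    _missing=""
    for _opt in $REQUIRED_OPTS; do
        grep -Eq "^[[:space:]]*options[[:space:]]+$_opt([[:space:]]|$)" "$1" \
            || _missing="$_missing $_opt"
    done
    echo "${_missing# }"
}

# divert_status LINE: print enabled/disabled/unknown from the kernel's
# "IP packet filtering initialized, divert ..." boot message.
divert_status() {
    case "$1" in
        *"divert enabled"*)  echo enabled ;;
        *"divert disabled"*) echo disabled ;;
        *)                   echo unknown ;;
    esac
}

# natd_cf_path FILE: print the path passed to natd with -f in natd_flags.
natd_cf_path() {
    sed -n 's/^natd_flags="-f \([^"]*\)".*/\1/p' "$1"
}

# Constructed sample: like the poster's MYKERN, IPDIVERT is on but there
# is no active IPFIREWALL line.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
options         IPDIVERT                #Required by natd
options         INET                    #InterNETworking
#options        IPFIREWALL
EOF
RC=$(mktemp)
printf 'natd_flags="-f /etc/local/etc/natd.cf"\n' > "$RC"
BOOTMSG='IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled'

echo "missing kernel options: $(missing_kernel_opts "$CFG")"
echo "divert: $(divert_status "$BOOTMSG")"
echo "natd -f path from rc.conf: $(natd_cf_path "$RC")"
rm -f "$CFG" "$RC"
```

Worth checking on the real box as well: the quoted rc.conf passes `-f /etc/local/etc/natd.cf` to natd while the config file itself is shown as /usr/local/etc/natd.cf, so confirm which path actually exists.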