From: Jon Falconer <jfalconer@puc.edu>
To: Abu Khaled
Cc: freebsd-questions@freebsd.org
Date: Thu, 21 Jul 2005 18:31:37 -0700 (PDT)
Subject: Re: ipfw loads with forwarding disabled
List: freebsd-questions@freebsd.org (User questions)

On Fri, 22 Jul 2005, Abu Khaled wrote:

> On 7/22/05, Jon Falconer wrote:
> > I'm running FreeBSD 5.4-RELEASE. When I load ipfw.ko I get:
> >
> >   ipfw2 initialized, divert disabled, rule-based forwarding disabled,
> >   default to deny, logging disabled
> >
> > I want to use the forward action in the rule set; logging would be nice
> > too. When I try to add a rule which uses the forward action, I get:
> >
> >   Line 2: getsockopt(IP_FW_ADD): Invalid argument
> >
> > and line 2 looks similar to:
> >
> >   add 1200 forward ##.##.##.1 src-ip ##.##.##.0/23 in recv dc1
> >
> > At this point I'm guessing that "rule-based forwarding disabled" has
> > something to do with it not liking my rule. I tried adding "options
> > IPFIREWALL_FORWARD" to the kernel config and rebuilt the kernel. But I
> > still get the same message as above when loading ipfw (kernel module).
> > I've perused all the relevant sections of the handbook that I could find
> > without finding any more clues. What does it take to change the default
> > feature set of the ipfw kernel module? Or do I have to compile it into the
> > kernel to alter this?
> >
> > Thanks for your suggestions,
> >
> > Jon
> >
>
> What value does sysctl net.inet.ip.forwarding have?
>
>   # sysctl net.inet.ip.forwarding
>
> --
> Regards.
> Abu Khaled

sysctl values:

  net.inet.ip.forwarding: 1
  net.inet.ip.check_interface: 0
  net.inet.ip.fw.enable: 1
  net.inet.ip.fw.autoinc_step: 100
  net.inet.ip.fw.one_pass: 1
  net.inet.ip.fw.debug: 1
  net.inet.ip.fw.verbose: 1
  net.inet.ip.fw.verbose_limit: 0
  net.inet.ip.fw.dyn_buckets: 256
  net.inet.ip.fw.curr_dyn_buckets: 256
  net.inet.ip.fw.dyn_count: 0
  net.inet.ip.fw.dyn_max: 4096
  net.inet.ip.fw.static_count: 2
  net.inet.ip.fw.dyn_ack_lifetime: 300
  net.inet.ip.fw.dyn_syn_lifetime: 20
  net.inet.ip.fw.dyn_fin_lifetime: 1
  net.inet.ip.fw.dyn_rst_lifetime: 1
  net.inet.ip.fw.dyn_udp_lifetime: 10
  net.inet.ip.fw.dyn_short_lifetime: 5
  net.inet.ip.fw.dyn_keepalive: 1

rc.conf values:

  firewall_enable="YES"
  firewall_script="/etc/rc.firewall"
  firewall_type="/root/fw-rules"
  firewall_quiet="NO"
  firewall_logging="YES"
  firewall_flags=""

--Jon
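The "getsockopt(IP_FW_ADD): Invalid argument" in the thread is the kernel rejecting a rule whose action the loaded ipfw.ko was not built to support, and the load-time banner ("divert disabled, rule-based forwarding disabled, ...") is the only hint it gives. The script below is an added example, not code from the thread or from FreeBSD: a pre-flight check that reads that banner and a rule file in the one-rule-per-line form that firewall_type="/path/to/file" uses, and reports any forward/fwd or divert/tee rule before ipfw(8) trips over it. The banner is the one quoted above; the rule lines and the 192.0.2.0/24 addresses are constructed for the example. Logging is deliberately not checked: "logging disabled" in the banner only sets the default of net.inet.ip.fw.verbose (which Jon's rc.conf firewall_logging="YES" turns on); it does not make "log" rules fail.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the feature banner
# ipfw.ko prints when loaded with the actions used in a rule file, so a
# "forward" or "divert"/"tee" rule is flagged with a clear message instead
# of the opaque getsockopt(IP_FW_ADD): Invalid argument from ipfw(8).

# Banner exactly as quoted in the thread.
BANNER='ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled'

# Constructed sample rule file (one rule per line, no leading "ipfw";
# addresses are RFC 5737 documentation addresses).
RULES='# constructed sample rules
add 1000 allow ip from any to any via lo0
add 1200 forward 192.0.2.1 src-ip 192.0.2.0/23 in recv dc1
add 1300 divert 8668 ip from any to any via dc0
add 1400 allow log ip from 192.0.2.0/23 to any
add 65000 deny ip from any to any'

# banner_feature FEATURE BANNER: prints enabled, disabled or unknown.
banner_feature() {
    case "$2" in
        *"$1 enabled"*)  echo enabled ;;
        *"$1 disabled"*) echo disabled ;;
        *)               echo unknown ;;
    esac
}

# rule_action LINE: prints the action keyword of an "add [number] [set N]
# action ..." rule, or nothing for other lines (flush, pipe, comments).
rule_action() {
    set -f                      # no pathname expansion while splitting
    set -- $1
    set +f
    [ "$1" = add ] || { echo ""; return; }
    shift
    case "$1" in [0-9]*) shift ;; esac
    [ "$1" = set ] && shift 2
    echo "$1"
}

# required_feature ACTION: banner feature the action depends on, if any.
# (These are the actions the kernel refuses when the matching compile-time
# option is missing from the module; "log" is governed by a sysctl.)
required_feature() {
    case "$1" in
        forward|fwd) echo "rule-based forwarding" ;;
        divert|tee)  echo "divert" ;;
        *)           echo "" ;;
    esac
}

# check_rules BANNER RULES: prints one line per rule the module would reject.
check_rules() {
    banner=$1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        action=$(rule_action "$line")
        feature=$(required_feature "$action")
        [ -n "$feature" ] || continue
        if [ "$(banner_feature "$feature" "$banner")" != enabled ]; then
            echo "REJECT: '$action' needs $feature, which this ipfw.ko reports disabled: $line"
        fi
    done <<EOF
$2
EOF
}

# count_rejected BANNER RULES: number of rules check_rules flags.
count_rejected() {
    check_rules "$1" "$2" | awk 'END { print NR + 0 }'
}

# On a live box, feed it the real banner and the real rule file, e.g.:
#   check_rules "$(dmesg | grep 'ipfw2 initialized' | tail -1)" "$(cat /root/fw-rules)"
check_rules "$BANNER" "$RULES"
```

With the banner from the thread this flags rules 1200 (forward) and 1300 (divert) and leaves the "log" rule alone, which matches what the sysctl listing shows: net.inet.ip.fw.verbose is already 1 despite "logging disabled" in the banner, because that banner word only reflects the module's compile-time default.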