Date:      Wed, 10 Mar 2004 10:31:22 -0600
From:      "Waif W. Urchin" <jhorvath@frabill.com>
To:        <freebsd-questions@freebsd.org>
Cc:        'James Horvath' <jhorvath@frabill.net>
Subject:   IOCTL(SIOCIPFL6): Invalid Argument
Message-ID:  <20040310163126.BB07243D1F@mx1.FreeBSD.org>

Looking for some assistance, please:

Working with FreeBSD 5.1.  On reboot I see the following comment:

...
Enabling ipfilter
ioctl(SIOCIPFL6): Invalid Argument
...

Google is mute on the subject except for listing where this item is used as
a preprocessor directive.

I have modified /etc/rc.d/ipfilter to remove the "-E" startup flag from 3
locations (which cleared up the ipfilter already initialized comments), but
this problem was happening before I made that modification.  I only mention
it because the two issues (the Invalid Argument and the Ipfilter already
initialized comments) may be related.

I have tried turning off ipnat and ipmon in the rc.conf file, but this
persists, leading me to believe the problem is in fact with the ipfilter
command (or setup).

Following is the rc.conf, ip.rules, and modified kernel file I am using:

==============================
/etc/rc.conf:

defaultrouter="192.168.1.10"
hostname="whatever.something.com"
ifconfig_xl0="inet 192.168.1.1  netmask 255.255.255.0"
kern_securelevel_enable="YES"
kern_securelevel="1"
inetd_enable="NO"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Dvn /var/log/firewall.log"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"
nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
syslogd_enable="YES"
syslogd_flags="-ss"
log_in_vain="YES"
accounting_enable="NO"
clear_tmp_enable="YES"
update_motd="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_extensions="NO"
tcp_keepalive="YES"
icmp_bmcastecho="NO"
icmp_bandlim="YES"

==============================
/etc/ip.rules:

# Outbound rules
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep frags keep state
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state
pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 53 keep state keep frags
block out quick on xl0 proto igmp all
block out quick on xl0 proto icmp from any to any keep state
# never emit a packet whose source is not on the local LAN
block out quick on xl0 from !192.168.1.0/24 to any
# reserved / unallocated destination ranges
block out quick on xl0 from any to 2.0.0.0/8
block out quick on xl0 from any to 5.0.0.0/8
block out quick on xl0 from any to 10.0.0.0/8
block out quick on xl0 from any to 23.0.0.0/8
block out quick on xl0 from any to 27.0.0.0/8
block out quick on xl0 from any to 31.0.0.0/8
block out quick on xl0 from any to 69.0.0.0/8
block out quick on xl0 from any to 70.0.0.0/7
block out quick on xl0 from any to 72.0.0.0/5
block out quick on xl0 from any to 82.0.0.0/7
block out quick on xl0 from any to 84.0.0.0/6
block out quick on xl0 from any to 88.0.0.0/5
block out quick on xl0 from any to 96.0.0.0/3
block out quick on xl0 from any to 127.0.0.0/8
block out quick on xl0 from any to 128.0.0.0/16
block out quick on xl0 from any to 128.66.0.0/16
block out quick on xl0 from any to 169.254.0.0/16
block out quick on xl0 from any to 172.16.0.0/12
block out quick on xl0 from any to 191.255.0.0/16
block out quick on xl0 from any to 192.0.0.0/19
block out quick on xl0 from any to 192.0.48.0/20
block out quick on xl0 from any to 192.0.64.0/18
block out quick on xl0 from any to 192.0.128.0/17
block out quick on xl0 from any to 192.168.0.0/16
block out quick on xl0 from any to 197.0.0.0/8
block out quick on xl0 from any to 201.0.0.0/8
block out quick on xl0 from any to 204.152.64.0/23
block out quick on xl0 from any to 206.112.0.0/16
block out quick on xl0 from any to 224.0.0.0/3
# default: everything else out is dropped
block out on xl0 all

# Inbound Packet Rules
# only one host may open SSH to this box
pass in quick on xl0 proto tcp from 192.168.1.36 to 192.168.1.227 port = 22 flags S keep frags keep state
block in quick on xl0 proto tcp from any to any port = 10024 keep state
block in quick on xl0 proto icmp from any to any keep state
block in quick on xl0 proto igmp all
block in quick on xl0 all with ipopts
block in quick on xl0 all with frag
block in quick on xl0 all with short
block return-rst in quick on xl0 proto tcp all flags FUP
block return-rst in quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on xl0 proto udp from any to any
block in log quick on xl0 all with opt lsrr
block in log quick on xl0 all with opt ssrr
# reserved / unallocated source ranges
block in quick on xl0 from 0.0.0.0/7 to any
block in quick on xl0 from 2.0.0.0/8 to any
block in quick on xl0 from 5.0.0.0/8 to any
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 23.0.0.0/8 to any
block in quick on xl0 from 27.0.0.0/8 to any
block in quick on xl0 from 31.0.0.0/8 to any
block in quick on xl0 from 69.0.0.0/8 to any
block in quick on xl0 from 70.0.0.0/7 to any
block in quick on xl0 from 72.0.0.0/5 to any
block in quick on xl0 from 82.0.0.0/7 to any
block in quick on xl0 from 84.0.0.0/6 to any
block in quick on xl0 from 88.0.0.0/5 to any
block in quick on xl0 from 96.0.0.0/3 to any
block in quick on xl0 from 127.0.0.0/8 to any
block in quick on xl0 from 128.0.0.0/16 to any
block in quick on xl0 from 128.66.0.0/16 to any
block in quick on xl0 from 169.254.0.0/16 to any
# RFC 1918 172.16/12; the aligned prefix is 172.16.0.0/12 (172.17.0.0/12 has host bits set)
block in quick on xl0 from 172.16.0.0/12 to any
block in quick on xl0 from 191.255.0.0/16 to any
block in quick on xl0 from 192.0.0.0/19 to any
block in quick on xl0 from 192.0.48.0/20 to any
block in quick on xl0 from 192.0.64.0/18 to any
block in quick on xl0 from 192.0.128.0/17 to any
block in quick on xl0 from 192.168.0.0/16 to any
block in quick on xl0 from 197.0.0.0/8 to any
block in quick on xl0 from 201.0.0.0/8 to any
block in quick on xl0 from 204.152.64.0/23 to any
block in quick on xl0 from 224.0.0.0/3 to any
# default: everything else in is dropped and logged
block in log quick on xl0 all

# Loopback interface
pass in quick on lo0 all
pass out quick on lo0 all

==============================
Kernel config:

machine		i386
cpu		I686_CPU
ident		GENERIC
options		SCHED_4BSD
options		INET
# note: no "options INET6" is configured, so this kernel has no IPv6 stack
options		FFS
options		SOFTUPDATES
options		UFS_ACL
options		UFS_DIRHASH
options		MD_ROOT
options		PROCFS
options		PSEUDOFS
options		COMPAT_43
options		COMPAT_FREEBSD4
options		SCSI_DELAY=15000
options		KTRACE
options		SYSVSHM
options		SYSVMSG
options		SYSVSEM
options		_KPOSIX_PRIORITY_SCHEDULING
options		KBD_INSTALL_CDEV
options		INVARIANT_SUPPORT
options		TCP_DROP_SYNFIN
options		SC_DISABLE_DDBKEY
options		SC_DISABLE_REBOOT
options		CPU_ENABLE_SSE
options		CPU_ATHLON_SSE_HACK
options		IPSEC
options		IPSTEALTH
# ipfilter compiled in, with logging (needed by ipmon) and block-by-default
options		IPFILTER
options		IPFILTER_LOG
options		IPFILTER_DEFAULT_BLOCK
device		isa
device		eisa
device		pci
device		ata
device		atadisk
options		ATA_STATIC_ID
device		atkbdc
device		atkbd
device		vga
device		sc
device		agp
device		npx
device		miibus
device		xl
device		random
device		loop
device		ether
device		tun
device		pty
device		md
device		gif
device		bpf
device		uhci
device		ohci
device		usb
device		umass
device		scbus
device		da
device		pass


Thank you.
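Added example, not part of the original message: a small audit of an ipf ruleset written for this page. It takes a constructed, abbreviated copy of the rules above as input (the inbound list in the post is written with 172.17.0.0/12 where the outbound list has 172.16.0.0/12) and reports two things a reviewer of such a list wants to know: CIDR literals whose host bits are not zero, together with the aligned network the mask actually implies, and ranges that are blocked in one direction but not the other. The rule grammar handled is only the `block`/`pass`, optional modifiers, `in`/`out`, `from X to Y` shape used above; anything else is skipped.

```python
"""Audit an ipfilter (ipf) ruleset: mis-aligned CIDR literals and in/out bogon-list drift."""
import ipaddress
import re

# Constructed sample: an abbreviated form of the ipf.rules posted above. It keeps
# the 172.17.0.0/12 inbound entry so the alignment check has something to report.
SAMPLE_RULES = """\
# Outbound rules
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state
block out quick on xl0 from !192.168.1.0/24 to any
block out quick on xl0 from any to 10.0.0.0/8
block out quick on xl0 from any to 172.16.0.0/12
block out quick on xl0 from any to 192.168.0.0/16
block out quick on xl0 from any to 224.0.0.0/3
block out on xl0 all

# Inbound Packet Rules
pass in quick on xl0 proto tcp from 192.168.1.36 to 192.168.1.227 port = 22 flags S keep frags keep state
block in quick on xl0 from 0.0.0.0/7 to any
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 172.17.0.0/12 to any
block in quick on xl0 from 192.168.0.0/16 to any
block in quick on xl0 from 224.0.0.0/3 to any
block in log quick on xl0 all
"""

# action, optional modifiers (return-rst, log, ...), direction, then the from/to pair
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+\S+)*?\s+(?P<dir>in|out)\b.*?"
    r"\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)


def parse_block_lists(text):
    """Collect the address ranges a ruleset blocks unconditionally.

    Returns (inbound, outbound, misaligned):
      inbound    - networks blocked as *source* on 'block in ... from NET to any'
      outbound   - networks blocked as *destination* on 'block out ... from any to NET'
      misaligned - (line_no, literal, aligned) for literals with host bits set;
                   'aligned' is the network the mask implies, which is what the
                   author almost certainly meant to write
    """
    inbound, outbound, misaligned = set(), set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("action") != "block":
            continue
        src, dst, direction = m.group("src"), m.group("dst"), m.group("dir")
        if direction == "in" and dst == "any":
            literal, target = src, inbound
        elif direction == "out" and src == "any":
            literal, target = dst, outbound
        else:
            continue
        # wildcards, negations and bare hosts are not part of a bogon list
        if literal == "any" or literal.startswith("!") or "/" not in literal:
            continue
        try:
            net = ipaddress.ip_network(literal)  # strict: host bits must be zero
        except ValueError:
            net = ipaddress.ip_network(literal, strict=False)
            misaligned.append((lineno, literal, str(net)))
        target.add(net)
    return inbound, outbound, misaligned


def audit(text):
    """Report ranges present on only one side plus every mis-aligned literal."""
    inbound, outbound, misaligned = parse_block_lists(text)
    return {
        "only_inbound": sorted(str(n) for n in inbound - outbound),
        "only_outbound": sorted(str(n) for n in outbound - inbound),
        "misaligned": misaligned,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

Run it against the real file with `audit(open("/etc/ipf.rules").read())`; the alignment finding is the one to act on first, because a literal with host bits set reads as one range to a human and as a different one to the mask.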



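Added example, not from the original message: a pre-flight check written for this page that cross-checks an rc.conf against a kernel config before ipfilter is started. It uses constructed, abbreviated copies of the two files posted above. The IPv6 finding rests on an assumption about the 5.x rc.d/ipfilter script (that its start-up sequence includes an IPv6 flush, `ipf -6 -Fa`, whatever the kernel was built with); that is not something the post states, so verify it against your own copy of the script. What the config above does show is `options INET` with no `options INET6`, and that is the condition the check reports.

```python
"""Pre-flight for an ipfilter boot on FreeBSD: cross-check rc.conf against the kernel config."""
import re

# Constructed samples, abbreviated from the rc.conf and kernel config posted above.
SAMPLE_RC_CONF = """\
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Dvn /var/log/firewall.log"
"""

SAMPLE_KERNCONF = """\
options 		INET
options		IPFILTER
options		IPFILTER_LOG
options		IPFILTER_DEFAULT_BLOCK
device		xl
"""


def parse_rc_conf(text):
    """Parse KEY="value" lines into a dict; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def kernel_options(text):
    """Return the option names from a kernel config ('options FOO=bar' yields 'FOO')."""
    opts = set()
    for raw in text.splitlines():
        m = re.match(r"^\s*options\s+(\S+)", raw)
        if m:
            opts.add(m.group(1).split("=", 1)[0])
    return opts


def preflight(rc_text, kern_text, ipv6_rules_wanted=False):
    """Return findings as (severity, message) tuples, most serious first.

    ipv6_rules_wanted: set when the rc.conf is expected to load IPv6 rules
    (ipv6_ipfilter_rules); a missing INET6 is then an error, not a warning.
    """
    rc = parse_rc_conf(rc_text)
    opts = kernel_options(kern_text)
    findings = []

    def on(key):
        return rc.get(key, "NO").upper() == "YES"

    if on("ipfilter_enable") and "IPFILTER" not in opts:
        findings.append(("error", "ipfilter_enable=YES but the kernel has no 'options IPFILTER'"))
    if on("ipmon_enable") and "IPFILTER_LOG" not in opts:
        findings.append(("error", "ipmon_enable=YES but 'options IPFILTER_LOG' is missing: "
                                  "the kernel will not produce log records for ipmon to read"))
    if "INET6" not in opts:
        severity = "error" if ipv6_rules_wanted else "warn"
        findings.append((severity, "no 'options INET6': IPv4-only kernel, so any 'ipf -6' "
                                   "step (IPv6 flush or rule load) is unsupported here"))
    if on("ipfilter_enable") and not rc.get("ipfilter_rules"):
        findings.append(("warn", "ipfilter_enable=YES but ipfilter_rules is unset; "
                                 "the default from /etc/defaults/rc.conf applies"))
    if "IPFILTER_DEFAULT_BLOCK" in opts:
        findings.append(("info", "IPFILTER_DEFAULT_BLOCK: packets that match no rule are "
                                 "dropped even before any rules file is loaded"))
    order = {"error": 0, "warn": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in preflight(SAMPLE_RC_CONF, SAMPLE_KERNCONF):
        print(f"[{severity}] {message}")
```

On a real box feed it `open("/etc/rc.conf").read()` and the kernel config from `/usr/src/sys/i386/conf/`; the point of running it before a reboot is that the kernel options are decided at build time, while rc.conf is read at boot, and the two drift apart silently.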

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040310163126.BB07243D1F>