Subject: Re: IPDIVERT, having issues? [Moved to -questions]
From: Josh Paetzel
Reply-To: friar_josh@webwarrior.net
To: Devon Stark
Cc: FreeBSD-Hackers@freebsd.org
Date: 18 Aug 2002 10:22:59 +0000
Message-Id: <1029666187.253.7.camel@markx.vladsempire.net>
In-Reply-To: <002801c2467f$731ebb60$14bde00c@quark>
References: <002801c2467f$731ebb60$14bde00c@quark>
X-Mailer: Ximian Evolution 1.0.5
Sender: owner-freebsd-hackers@FreeBSD.ORG

On Sun, 2002-08-18 at 06:20, Devon Stark wrote:
> Greetings!
> I am having a problem trying to get IPDIVERT to take..
> I have set up my kernel conf to include the following lines
>
> options IPFIREWALL
> options IPDIVERT
>
> I have the NIC configured and running just fine, for both local LAN and for the internet (both of my NICs are plugged into the same switch for now)
>
> My /etc/rc.conf has
> gateway_enable=""YES"
> firewall_enable="YES"
> natd_enable="YES"
>
> Every time I boot the server I get a message saying that IP packet filtering is enabled, along with any other configuration I specified (logging and such), but divert is always set to disabled!?
> I have gone to the point of building the kernel with '-DIPDIVERT' and still getting the same results...
> The main effect of this problem is of course that I get an error when I try to apply the following rule to my firewall
>
> 'ipfw add divert natd all from any to any via fxp0'
> The error is...
>
> ip_fw_ctl: invalid command
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> I have checked and natd is in the services list and seems to be configured properly.
>
> I have been searching for the answer for about 3 days now with little luck finding the answer.
>
> The only thing I can think of is that there is some other kernel option that I am enabling that is causing this problem, or perhaps that there is something that I am missing?
>
> I have included my config files here for review...
>
> Kernel config file (I stripped out all of the comments for the sake of this post)
>
> machine         i386
> cpu             I686_CPU
> ident           THE-SERVER
> maxusers        256
> options         MATH_EMULATE
> options         INET
> options         FFS
> options         FFS_ROOT
> options         SOFTUPDATES
> options         UFS_DIRHASH
> options         MFS
> options         MD_ROOT
> options         NFS
> options         NFS_ROOT
> options         MSDOSFS
> options         CD9660
> options         CD9660_ROOT
> options         PROCFS
> options         COMPAT_43
> options         SCSI_DELAY=1000
> options         UCONSOLE
> options         USERCONFIG
> options         VISUAL_USERCONFIG
> options         KTRACE
> options         SYSVSHM
> options         SYSVMSG
> options         SYSVSEM
> options         P1003_1B
> options         _KPOSIX_PRIORITY_SCHEDULING
> options         ICMP_BANDLIM
> options         KBD_INSTALL_CDEV
> options         IPFIREWALL
> options         IPDIVERT
> options         IPFIREWALL_FORWARD
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_VERBOSE_LIMIT=50
> options         BRIDGE
> options         IPSTEALTH
> options         TCP_DROP_SYNFIN
> options         SMP
> options         APIC_IO
> device          isa
> device          eisa
> device          pci
> device          fdc0 at isa? port IO_FD1 irq 6 drq 2
> device          fd0 at fdc0 drive 0
> device          ata0 at isa? port IO_WD1 irq 14
> device          ata1 at isa? port IO_WD2 irq 15
> device          ata
> device          atadisk
> device          atapicd
> device          atapifd
> options         ATA_STATIC_ID
> device          ahb
> device          ahc
> device          amd
> device          isp
> device          ncr
> device          sym
> options         SYM_SETUP_LP_PROBE_MAP=0x40
> device          adv0 at isa?
> device          adw
> device          bt0 at isa?
> device          aha0 at isa?
> device          aic0 at isa?
> device          scbus
> device          da
> device          sa
> device          cd
> device          pass
> device          asr
> device          atkbdc0 at isa? port IO_KBD
> device          atkbd0 at atkbdc? irq 1 flags 0x1
> device          psm0 at atkbdc? irq 12
> device          vga0 at isa?
> pseudo-device   splash
> device          sc0 at isa? flags 0x100
> device          npx0 at nexus? port IO_NPX irq 13
> device          apm0 at nexus? disable flags 0x20
> device          sio0 at isa? port IO_COM1 flags 0x10 irq 4
> device          sio1 at isa? port IO_COM2 irq 3
> device          ppc0 at isa? irq 7
> device          ppbus
> device          lpt
> device          miibus
> device          fxp
> pseudo-device   loop
> pseudo-device   ether
> pseudo-device   pty
> pseudo-device   md
> pseudo-device   bpf
> device          uhci
> device          ohci
> device          usb
> device          ugen
> device          uhid
> device          ukbd
> device          ulpt
> device          umass
> device          ums
> device          uscanner
> device          urio
> device          aue
> device          cue
> device          kue
>
> Here is the /etc/rc.conf
>
> gateway_enable="YES"
> inetd_enable="YES"
> kern_securelevel_enable="NO"
> linux_enable="YES"
> moused_enable="NO"
> nfs_reserved_port_only="YES"
> sendmail_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> ifconfig_fxp0="DHCP"
> ifconfig_fxp1="inet 172.17.0.1 netmask 255.255.255.0"
> hostname="The-Server.KnightRaven.com"
> firewall_enable="YES"
> firewall_type="open"
> firewall_quiet="NO"
> natd_enable="YES"
> natd_flags="-f /etc/natd.conf"
> natd_interface="fxp0"
>
> Let me know if there are any other configuration files you need to look at...
>
> Any ideas or help is greatly appreciated!
>
> Thank you!
> Devon

Remove option IPFIREWALL_FORWARD and option BRIDGE from your kernel and recompile.

Josh
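Added here as an example, not code from the thread or from FreeBSD: a POSIX sh lint for the two files Devon posted, checking that the kernel config actually carries an uncommented IPFIREWALL and IPDIVERT (not merely an option sharing that prefix, such as IPFIREWALL_FORWARD) and that the rc.conf natd settings are consistent before a rebuild. Function names and the sample files are constructed for the example.

```shell
#!/bin/sh
# Lint a FreeBSD kernel config and rc.conf for the natd/divert setup from the
# thread. Constructed example; the sample files below are made up, not Devon's.

# 0 when CONF has an uncommented "options OPT" line. The trailing group keeps
# IPFIREWALL from matching IPFIREWALL_FORWARD or IPFIREWALL_VERBOSE.
kernel_has_option() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|=|\$)"
}

# 0 when rc.conf sets VAR to YES; the last assignment wins, as it does in sh.
rc_yes() {
    val=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed -e 's/^[^=]*=//' -e 's/[" ]//g')
    [ "$val" = "YES" ]
}

# Print each inconsistency found; return 1 if any, 0 if the pair is usable.
check_divert_setup() {
    conf=$1; rc=$2; bad=0
    kernel_has_option "$conf" IPFIREWALL || { echo "kernel: missing 'options IPFIREWALL'"; bad=1; }
    kernel_has_option "$conf" IPDIVERT || { echo "kernel: missing 'options IPDIVERT' (ipfw add divert will fail)"; bad=1; }
    if rc_yes "$rc" natd_enable; then
        rc_yes "$rc" firewall_enable || { echo "rc.conf: natd_enable=YES needs firewall_enable=YES"; bad=1; }
        grep -Eq '^[[:space:]]*natd_interface=' "$rc" || { echo "rc.conf: natd_enable=YES but natd_interface is unset"; bad=1; }
    fi
    return $bad
}

# Constructed sample inputs: BROKEN has IPDIVERT commented out and an option
# that merely starts with IPFIREWALL.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/BROKEN" <<'EOF'
options         IPFIREWALL
#options        IPDIVERT
options         IPFIREWALL_VERBOSE_LIMIT=50
EOF
cat > "$TMPD/GOOD" <<'EOF'
options         IPFIREWALL
options         IPDIVERT
EOF
cat > "$TMPD/rc.conf" <<'EOF'
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"
EOF
check_divert_setup "$TMPD/GOOD" "$TMPD/rc.conf" && echo "GOOD: kernel config and rc.conf are consistent"
check_divert_setup "$TMPD/BROKEN" "$TMPD/rc.conf" || echo "BROKEN: fix the config before rebuilding"
```

Run it against the real files (for example /usr/src/sys/i386/conf/THE-SERVER and /etc/rc.conf) once the sample heredocs are replaced with those paths.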