From: Ian FREISLICH
To: freebsd@stateautomation.com
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 01 Jul 2004 14:08:27 +0200
Subject: Re: ipdivert rule will not load

> > freebsd@stateautomation.com wrote:
> >
> > > ipfw will not accept a DIVERT rule. e.g. the rule I am trying to add is..
> > >
> > > ipfw add 3000 divert 8668 ip from any to any via sis0
> > >
> > > The response I get is... ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > >
> > > I have built a custom kernel with the following optional lines
> > >
> > > options IPFIREWALL
> > > options IPFIREWALL_VERBOSE
> > > options IPFIREWALL_VERBOSE_LIMIT
> > > options IPDIVERT
> > >
> > > Does anyone know why the system will not accept the divert rule?
> > > Thank you.
> > >
> > > J.S.
> >
> > The options seem to be correct, however the error message indicates
> > the lack of 'divert' in the kernel. Are you sure you properly
> > built and *installed* your custom kernel? Check the output of
> > 'dmesg | grep divert', you should see '... divert enabled...',
> > otherwise something went wrong with your kernel build.
> >
> > Thomas
>
> Thomas, you are right - thank you. The output of "dmesg | grep
> divert" shows that divert is disabled.
> kldstat also shows that the loadable module ipfw.ko is loaded which
> suggests that that may be stopping ipfw being loaded in the main
> kernel (and therefore divert sockets not being available - I read
> this in a post in the archives).

No, that would be the other way around. If the firewall is built
into the kernel, the module won't load. If you see the module using
kldstat, then you're not running the kernel that you think you are.

Are you *sure* that you correctly built, and *installed* your custom
kernel? 'Install' includes a reboot because that's currently the
only way I know of to load the new kernel.

I'm not sure if you're running FreeBSD-4.x or FreeBSD-5.x. So, make
sure that /kernel (for FreeBSD-4.x) or /boot/kernel (for FreeBSD-5.x)
has roughly the same modification time as when you built and installed
the kernel.

Ian

--
Ian Freislich
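The three checks discussed in this thread (dmesg, kldstat, kernel file time) can be combined into one triage script. This is an added example, not something posted by anyone in the thread; the function name divert_state and the SAMPLE_* texts are constructed for illustration and only approximate real dmesg/kldstat output.

```shell
#!/bin/sh
# Classify ipfw/divert state from captured output.
# $1 = text of `dmesg`, $2 = text of `kldstat`. Prints one verdict word.
divert_state() {
    dmesg_text=$1
    kld_text=$2
    # ipfw.ko listed by kldstat means the firewall came from the module,
    # so the running kernel is not the one built with "options IPFIREWALL".
    if printf '%s\n' "$kld_text" | grep -q 'ipfw\.ko'; then
        echo module-loaded
    elif printf '%s\n' "$dmesg_text" | grep -q 'divert enabled'; then
        echo divert-enabled
    elif printf '%s\n' "$dmesg_text" | grep -q 'divert disabled'; then
        echo divert-disabled
    else
        echo no-ipfw-message
    fi
}

# Constructed samples (not taken from the poster's machine).
SAMPLE_DMESG_MODULE='IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled'
SAMPLE_KLDSTAT_MODULE='Id Refs Address    Size     Name
 1    2 0xc0100000 3b2d4c   kernel
 2    1 0xc12f4000 7000     ipfw.ko'
SAMPLE_DMESG_BUILTIN='IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to deny, logging limited to 100 packets/entry by default'
SAMPLE_KLDSTAT_BUILTIN='Id Refs Address    Size     Name
 1    1 0xc0100000 3d8a10   kernel'

echo "module case:   $(divert_state "$SAMPLE_DMESG_MODULE" "$SAMPLE_KLDSTAT_MODULE")"
echo "built-in case: $(divert_state "$SAMPLE_DMESG_BUILTIN" "$SAMPLE_KLDSTAT_BUILTIN")"

# On a FreeBSD host, run the same classification against the live system
# and show the data needed for the modification-time comparison.
if command -v kldstat >/dev/null 2>&1; then
    echo "live system:   $(divert_state "$(dmesg)" "$(kldstat)")"
    uname -v                                   # build date of the running kernel
    ls -ld /kernel /boot/kernel 2>/dev/null || true   # 4.x and 5.x locations
fi
```

A verdict of module-loaded or divert-disabled on the live system points back to the build/install/reboot steps rather than to the ipfw rule itself.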