Date: Sat, 17 Aug 2002 23:20:38 -0700
From: "Devon Stark" <knightraven@attbi.com>
To: <FreeBSD-Hackers@freebsd.org>
Subject: IPDIVERT, having issues?
Message-ID: <002801c2467f$731ebb60$14bde00c@quark>
Greetings!
I am having a problem trying to get IPDIVERT to take...
I have set up my kernel conf to include the following lines:

options IPFIREWALL
options IPDIVERT

I have the NICs configured and running just fine, for both the local LAN and for the internet (both of my NICs are plugged into the same switch for now).

My /etc/rc.conf has
gateway_enable=""YES"
firewall_enable="YES"
natd_enable="YES"

Every time I boot the server I get a message saying that IP packet filtering is enabled, along with any other configuration I specified (logging and such), but divert is always set to disabled!?
I have gone to the point of building the kernel with '-DIPDIVERT' and am still getting the same results...
The main effect of this problem is of course that I get an error when I try to apply the following rule to my firewall:

'ipfw add divert natd all from any to any via fxp0'

The error is...

ip_fw_ctl: invalid command
ipfw: getsockopt(IP_FW_ADD): Invalid argument

I have checked and natd is in the services list and seems to be configured properly.

I have been searching for the answer for about 3 days now with little luck finding it.

The only thing I can think of is that there is some other kernel option that I am enabling that is causing this problem, or perhaps that there is something that I am missing?

I have included my config files here for review...

Kernel config file (I stripped out all of the comments for the sake of this post):

machine		i386
cpu		I686_CPU
ident		THE-SERVER
maxusers	256
options		MATH_EMULATE
options		INET
options		FFS
options		FFS_ROOT
options		SOFTUPDATES
options		UFS_DIRHASH
options		MFS
options		MD_ROOT
options		NFS
options		NFS_ROOT
options		MSDOSFS
options		CD9660
options		CD9660_ROOT
options		PROCFS
options		COMPAT_43
options		SCSI_DELAY=1000
options		UCONSOLE
options		USERCONFIG
options		VISUAL_USERCONFIG
options		KTRACE
options		SYSVSHM
options		SYSVMSG
options		SYSVSEM
options		P1003_1B
options		_KPOSIX_PRIORITY_SCHEDULING
options		ICMP_BANDLIM
options		KBD_INSTALL_CDEV
options		IPFIREWALL
options		IPDIVERT
options		IPFIREWALL_FORWARD
options		IPFIREWALL_VERBOSE
options		IPFIREWALL_VERBOSE_LIMIT=50
options		BRIDGE
options		IPSTEALTH
options		TCP_DROP_SYNFIN
options		SMP
options		APIC_IO
device		isa
device		eisa
device		pci
device		fdc0	at isa? port IO_FD1 irq 6 drq 2
device		fd0	at fdc0 drive 0
device		ata0	at isa? port IO_WD1 irq 14
device		ata1	at isa? port IO_WD2 irq 15
device		ata
device		atadisk
device		atapicd
device		atapifd
options		ATA_STATIC_ID
device		ahb
device		ahc
device		amd
device		isp
device		ncr
device		sym
options		SYM_SETUP_LP_PROBE_MAP=0x40
device		adv0	at isa?
device		adw
device		bt0	at isa?
device		aha0	at isa?
device		aic0	at isa?
device		scbus
device		da
device		sa
device		cd
device		pass
device		asr
device		atkbdc0	at isa? port IO_KBD
device		atkbd0	at atkbdc? irq 1 flags 0x1
device		psm0	at atkbdc? irq 12
device		vga0	at isa?
pseudo-device	splash
device		sc0	at isa? flags 0x100
device		npx0	at nexus? port IO_NPX irq 13
device		apm0	at nexus? disable flags 0x20
device		sio0	at isa? port IO_COM1 flags 0x10 irq 4
device		sio1	at isa? port IO_COM2 irq 3
device		ppc0	at isa? irq 7
device		ppbus
device		lpt
device		miibus
device		fxp
pseudo-device	loop
pseudo-device	ether
pseudo-device	pty
pseudo-device	md
pseudo-device	bpf
device		uhci
device		ohci
device		usb
device		ugen
device		uhid
device		ukbd
device		ulpt
device		umass
device		ums
device		uscanner
device		urio
device		aue
device		cue
device		kue

Here is the /etc/rc.conf:

gateway_enable="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ifconfig_fxp0="DHCP"
ifconfig_fxp1="inet 172.17.0.1 netmask 255.255.255.0"
hostname="The-Server.KnightRaven.com"
firewall_enable="YES"
firewall_type="open"
firewall_quiet="NO"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="fxp0"

Let me know if there are any other configuration files you need to look at...

Any ideas or help is greatly appreciated!

Thank you!
Devon
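The error quoted in the message is, on a FreeBSD 4.x kernel, what ipfw gets back when the kernel it is talking to was built without `options IPDIVERT`: the divert action is rejected at IP_FW_ADD with EINVAL and the kernel logs "ip_fw_ctl: invalid command", and the boot banner saying "divert disabled" reports the same thing about the running kernel. A config file that names IPDIVERT next to a banner that says "divert disabled" therefore points at the booted kernel not being the one built from that config, not at a missing option. The following is an added example, not code from the post or from FreeBSD's own rc scripts: a small POSIX sh lint that checks the three pieces together (kernel config, rc.conf, boot banner) and flags that mismatch. The sample inputs are constructed from the values quoted above; the exact banner wording is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post or of FreeBSD's scripts.
# Lint for a FreeBSD 4.x-style ipfw+natd setup: the kernel config needs
# both IPFIREWALL and IPDIVERT, rc.conf needs gateway/firewall/natd turned
# on, and the running kernel's boot banner says "divert enabled" only when
# that kernel was built with IPDIVERT. Sample inputs below are constructed
# from the values in the post; the banner line is assumed wording.

# Constructed sample: the network-related part of the posted kernel config.
KCONF_POST='ident		THE-SERVER
options		INET
options		IPFIREWALL
options		IPDIVERT
options		IPFIREWALL_FORWARD
options		IPFIREWALL_VERBOSE
options		IPFIREWALL_VERBOSE_LIMIT=50
options		BRIDGE
options		IPSTEALTH
options		TCP_DROP_SYNFIN
device		fxp'

# Constructed sample: a config that forgot IPDIVERT.
KCONF_NODIVERT='options		IPFIREWALL
options		IPFIREWALL_VERBOSE'

# Constructed sample: the posted rc.conf, trimmed to what natd needs.
RCCONF_POST='gateway_enable="YES"
ifconfig_fxp0="DHCP"
ifconfig_fxp1="inet 172.17.0.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="fxp0"'

# Assumed banner wording; the post only says it reports "divert disabled".
BANNER_NODIVERT='IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to accept, logging limited to 50 packets/entry by default'
BANNER_DIVERT='IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to accept, logging limited to 50 packets/entry by default'

# kernel_options_missing CONFIG_TEXT
# Prints the options the divert action needs but CONFIG_TEXT lacks; status 0 if none.
kernel_options_missing() {
    missing=""
    for opt in IPFIREWALL IPDIVERT; do
        # Anchor on the whole name so IPFIREWALL does not match IPFIREWALL_FORWARD.
        if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*options[[:space:]]+${opt}([[:space:]]|\$)"; then
            missing="${missing}${missing:+ }${opt}"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# rc_value RCCONF_TEXT VARNAME
# Prints the unquoted value of the last VARNAME= assignment, empty if absent.
rc_value() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' | tail -n 1
}

# banner_divert_state BANNER_TEXT -> "enabled", "disabled" or "unknown"
banner_divert_state() {
    state=$(printf '%s\n' "$1" | sed -n 's/.*IP packet filtering initialized, divert \([a-z]*\).*/\1/p' | tail -n 1)
    printf '%s' "${state:-unknown}"
}

# divert_rule IFACE -> the ipfw rule natd needs on IFACE (the one the post tries to add)
divert_rule() {
    printf 'ipfw add divert natd all from any to any via %s' "$1"
}

# diagnose CONFIG_TEXT RCCONF_TEXT BANNER_TEXT
# Prints findings; status 0 when the divert rule should load on this kernel.
diagnose() {
    rc=0
    if ! missing=$(kernel_options_missing "$1"); then
        echo "kernel config: missing option(s): $missing"
        rc=1
    fi
    for var in gateway_enable firewall_enable natd_enable; do
        case "$(rc_value "$2" "$var")" in
            [Yy][Ee][Ss]) ;;
            *) echo "rc.conf: $var is not set to YES"; rc=1 ;;
        esac
    done
    iface=$(rc_value "$2" natd_interface)
    [ -n "$iface" ] || { echo "rc.conf: natd_interface is empty"; rc=1; }
    state=$(banner_divert_state "$3")
    if [ "$state" != enabled ]; then
        echo "running kernel: banner reports divert $state, so '$(divert_rule "${iface:-fxp0}")' fails with EINVAL (ip_fw_ctl: invalid command)"
        rc=1
        # Config names IPDIVERT but the booted kernel lacks it: the running kernel is
        # not the one built from this config. 'uname -v' shows the compile directory
        # (and so the ident) of the booted kernel; compare it with this config.
        [ -n "$missing" ] || echo "hint: config names IPDIVERT but the running kernel lacks it; compare uname -v with this config's ident"
    fi
    return $rc
}

# Stand-alone run over the constructed samples.
echo "--- as posted ---"
diagnose "$KCONF_POST" "$RCCONF_POST" "$BANNER_NODIVERT" || echo "=> not ready"
echo "--- after booting a kernel built with IPDIVERT ---"
diagnose "$KCONF_POST" "$RCCONF_POST" "$BANNER_DIVERT" && echo "=> ok: $(divert_rule fxp0)"
```

Run it as-is to see both outcomes; to use it on a real box, feed it the contents of the kernel config, /etc/rc.conf and the "IP packet filtering initialized" line from dmesg. The banner check is the one that matters here: a missing kernel option shows up as a config-file finding, while "divert disabled" from a config that names IPDIVERT is a stale-kernel finding, and the two need different fixes.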