Date: Sat, 17 Aug 2002 23:20:38 -0700
From: "Devon Stark" <knightraven@attbi.com>
To: <FreeBSD-Hackers@freebsd.org>
Subject: IPDIVERT, having issues?
Message-ID: <002801c2467f$731ebb60$14bde00c@quark>
Greetings!

I am having a problem trying to get IPDIVERT to take. I have set up my kernel conf to include the following lines:

options IPFIREWALL
options IPDIVERT

I have the NICs configured and running just fine, for both the local LAN and the internet (both of my NICs are plugged into the same switch for now).

My /etc/rc.conf has:

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"

Every time I boot the server I get a message saying that IP packet filtering is enabled, along with any other configuration I specified (logging and such), but divert is always set to disabled!? I have gone to the point of building the kernel with '-DIPDIVERT' and am still getting the same results...

The main effect of this problem is of course that I get an error when I try to apply the following rule to my firewall:

'ipfw add divert natd all from any to any via fxp0'

The error is...

ip_fw_ctl: invalid command
ipfw: getsockopt(IP_FW_ADD): Invalid argument

I have checked and natd is in the services list and seems to be configured properly.

I have been searching for the answer for about 3 days now with little luck finding it.

The only thing I can think of is that there is some other kernel option that I am enabling that is causing this problem, or perhaps that there is something that I am missing? I have included my config files here for review...

Kernel config file (I stripped out all of the comments for the sake of this post):

machine i386
cpu I686_CPU
ident THE-SERVER
maxusers 256
options MATH_EMULATE
options INET
options FFS
options FFS_ROOT
options SOFTUPDATES
options UFS_DIRHASH
options MFS
options MD_ROOT
options NFS
options NFS_ROOT
options MSDOSFS
options CD9660
options CD9660_ROOT
options PROCFS
options COMPAT_43
options SCSI_DELAY=1000
options UCONSOLE
options USERCONFIG
options VISUAL_USERCONFIG
options KTRACE
options SYSVSHM
options SYSVMSG
options SYSVSEM
options P1003_1B
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM
options KBD_INSTALL_CDEV
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options BRIDGE
options IPSTEALTH
options TCP_DROP_SYNFIN
options SMP
options APIC_IO
device isa
device eisa
device pci
device fdc0 at isa? port IO_FD1 irq 6 drq 2
device fd0 at fdc0 drive 0
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk
device atapicd
device atapifd
options ATA_STATIC_ID
device ahb
device ahc
device amd
device isp
device ncr
device sym
options SYM_SETUP_LP_PROBE_MAP=0x40
device adv0 at isa?
device adw
device bt0 at isa?
device aha0 at isa?
device aic0 at isa?
device scbus
device da
device sa
device cd
device pass
device asr
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12
device vga0 at isa?
pseudo-device splash
device sc0 at isa? flags 0x100
device npx0 at nexus? port IO_NPX irq 13
device apm0 at nexus? disable flags 0x20
device sio0 at isa? port IO_COM1 flags 0x10 irq 4
device sio1 at isa? port IO_COM2 irq 3
device ppc0 at isa? irq 7
device ppbus
device lpt
device miibus
device fxp
pseudo-device loop
pseudo-device ether
pseudo-device pty
pseudo-device md
pseudo-device bpf
device uhci
device ohci
device usb
device ugen
device uhid
device ukbd
device ulpt
device umass
device ums
device uscanner
device urio
device aue
device cue
device kue

Here is the /etc/rc.conf:

gateway_enable="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ifconfig_fxp0="DHCP"
ifconfig_fxp1="inet 172.17.0.1 netmask 255.255.255.0"
hostname="The-Server.KnightRaven.com"
firewall_enable="YES"
firewall_type="open"
firewall_quiet="NO"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="fxp0"

Let me know if there are any other configuration files you need to look at...

Any ideas or help is greatly appreciated!

Thank you!
Devon
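A small consistency checker for the two files quoted above, added here as an illustration and not part of the original post or of FreeBSD: it parses a kernel config for the `options` the divert rule depends on (IPFIREWALL and IPDIVERT) and parses rc.conf strictly enough to catch the doubled-quote line `gateway_enable=""YES"` instead of silently accepting it, then reports the dependencies natd needs. The sample inputs are constructed fragments modelled on the post; the "divert disabled" boot line means the kernel actually running was built without IPDIVERT, so the other check worth making is that the booted kernel is the one built from this config.

```python
import re

# Constructed samples modelled on the post (not the poster's full files).
KERNEL_CONF = """\
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE_LIMIT=50
"""
RC_CONF = """\
gateway_enable=""YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"
ifconfig_fxp0="DHCP"
"""
RC_LINE = re.compile(r'^(\w+)="([^"]*)"$')

def kernel_options(text):
    """Names of 'options' entries, with any =value suffix stripped."""
    opts = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "options":
            opts.add(parts[1].split("=", 1)[0])
    return opts

def parse_rc(text):
    """Parse key="value" lines; anything else is reported, never guessed."""
    values, malformed = {}, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = RC_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
        elif not line.startswith("#"):
            malformed.append(line)
    return values, malformed

def check_divert_setup(kconf, rcconf):
    """Findings that would make 'ipfw add divert natd ...' fail or natd useless."""
    findings = []
    opts = kernel_options(kconf)
    findings += [f"kernel config lacks 'options {o}'"
                 for o in ("IPFIREWALL", "IPDIVERT") if o not in opts]
    rc, malformed = parse_rc(rcconf)
    findings += [f"malformed rc.conf line (check quoting): {b}" for b in malformed]
    if rc.get("natd_enable") == "YES":
        findings += [f"natd_enable=YES but {d} is not YES"
                     for d in ("firewall_enable", "gateway_enable") if rc.get(d) != "YES"]
        iface = rc.get("natd_interface", "")
        if iface and f"ifconfig_{iface}" not in rc:
            findings.append(f"natd_interface={iface} has no ifconfig_{iface} line")
    return findings
```

On the constructed sample the kernel side passes and the two findings both trace back to the malformed gateway_enable line.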
