From: "Devon Stark" <knightraven@attbi.com>
To: freebsd-hackers@freebsd.org
Subject: IPDIVERT, having issues?
Date: Sat, 17 Aug 2002 23:20:38 -0700
Message-ID: <002801c2467f$731ebb60$14bde00c@quark>

Greetings!

I am having a problem trying to get IPDIVERT to take..
I have set up my kernel conf to include the following lines:

options IPFIREWALL
options IPDIVERT

I have the NIC configured and running just fine, for both local LAN and for internet (both of my NICs are plugged into the same switch for now).

My /etc/rc.conf has

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"

Every time I boot the server I get a message saying that IP packet filtering is enabled, along with any other configuration I specified (logging and such), but divert is always set to disabled!?

I have gone to the point of building the kernel with '-DIPDIVERT' and am still getting the same results...

The main effect of this problem is of course that I get an error when I try to apply the following rule to my firewall:

'ipfw add divert natd all from any to any via fxp0'

The error is...

ip_fw_ctl: invalid command
ipfw: getsockopt(IP_FW_ADD): Invalid argument

I have checked and natd is in the services list and seems to be configured properly.

I have been searching for the answer for about 3 days now with little luck finding the answer.

The only thing I can think of is that there is some other kernel option that I am enabling that is causing this problem, or perhaps there is something that I am missing?

I have included my config files here for review...

Kernel config file (I stripped out all of the comments for the sake of this post):

machine         i386
cpu             I686_CPU
ident           THE-SERVER
maxusers        256
options         MATH_EMULATE
options         INET
options         FFS
options         FFS_ROOT
options         SOFTUPDATES
options         UFS_DIRHASH
options         MFS
options         MD_ROOT
options         NFS
options         NFS_ROOT
options         MSDOSFS
options         CD9660
options         CD9660_ROOT
options         PROCFS
options         COMPAT_43
options         SCSI_DELAY=1000
options         UCONSOLE
options         USERCONFIG
options         VISUAL_USERCONFIG
options         KTRACE
options         SYSVSHM
options         SYSVMSG
options         SYSVSEM
options         P1003_1B
options         _KPOSIX_PRIORITY_SCHEDULING
options         ICMP_BANDLIM
options         KBD_INSTALL_CDEV
options         IPFIREWALL
options         IPDIVERT
options         IPFIREWALL_FORWARD
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=50
options         BRIDGE
options         IPSTEALTH
options         TCP_DROP_SYNFIN
options         SMP
options         APIC_IO
device          isa
device          eisa
device          pci
device          fdc0    at isa? port IO_FD1 irq 6 drq 2
device          fd0     at fdc0 drive 0
device          ata0    at isa? port IO_WD1 irq 14
device          ata1    at isa? port IO_WD2 irq 15
device          ata
device          atadisk
device          atapicd
device          atapifd
options         ATA_STATIC_ID
device          ahb
device          ahc
device          amd
device          isp
device          ncr
device          sym
options         SYM_SETUP_LP_PROBE_MAP=0x40
device          adv0    at isa?
device          adw
device          bt0     at isa?
device          aha0    at isa?
device          aic0    at isa?
device          scbus
device          da
device          sa
device          cd
device          pass
device          asr
device          atkbdc0 at isa? port IO_KBD
device          atkbd0  at atkbdc? irq 1 flags 0x1
device          psm0    at atkbdc? irq 12
device          vga0    at isa?
pseudo-device   splash
device          sc0     at isa? flags 0x100
device          npx0    at nexus? port IO_NPX irq 13
device          apm0    at nexus? disable flags 0x20
device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
device          sio1    at isa? port IO_COM2 irq 3
device          ppc0    at isa? irq 7
device          ppbus
device          lpt
device          miibus
device          fxp
pseudo-device   loop
pseudo-device   ether
pseudo-device   pty
pseudo-device   md
pseudo-device   bpf
device          uhci
device          ohci
device          usb
device          ugen
device          uhid
device          ukbd
device          ulpt
device          umass
device          ums
device          uscanner
device          urio
device          aue
device          cue
device          kue

Here is the /etc/rc.conf:

gateway_enable="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ifconfig_fxp0="DHCP"
ifconfig_fxp1="inet 172.17.0.1 netmask 255.255.255.0"
hostname="The-Server.KnightRaven.com"
firewall_enable="YES"
firewall_type="open"
firewall_quiet="NO"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="fxp0"

Let me know if there are any other configuration files you need to look at...

Any ideas or help is greatly appreciated!

Thank you!
Devon
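Editor's added check; this is not part of Devon's post and not FreeBSD's own code. The boot banner Devon quotes ("IP packet filtering ... divert disabled") is printed by the firewall initialization code according to whether the kernel that is running was compiled with IPDIVERT, and a divert rule rejected with EINVAL is consistent with that option being absent from the booted kernel. So the first thing to confirm is that the kernel that actually boots is the THE-SERVER one and not an older kernel that rc.network has patched up by kldloading ipfw.ko (in FreeBSD 4.x that module does not bring divert with it; treat that as an assumption to verify against your tree). The script below pulls the config ident out of `uname -v`, reads the divert state from the dmesg banner and looks for ipfw.ko in `kldstat`. The sample strings are constructed for offline use; on a FreeBSD box run it with no arguments and it queries the live commands.

```shell
#!/bin/sh
# Editor's added diagnostic, not code from the original post or from FreeBSD.
# Checks whether the kernel that is actually running is the one built with
# IPDIVERT. Needs only /bin/sh, sed and grep.

# Kernel config ident from `uname -v`, whose last field is the compile
# directory, e.g. root@host:/usr/src/sys/compile/THE-SERVER
kernel_ident_from_uname() {
    printf '%s\n' "$1" | sed -n 's|.*/compile/\([^ ]*\).*|\1|p' | head -n 1
}

# "enabled", "disabled" or "unknown", taken from the ip_fw boot banner
# "IP packet filtering initialized, divert <state>, ..."
divert_state_from_dmesg() {
    printf '%s\n' "$1" \
        | sed -n 's/.*IP packet filtering initialized, divert \([a-z]*\),.*/\1/p' \
        | head -n 1 | grep . || echo unknown
}

# True if ipfw.ko appears in `kldstat` output. With firewall_enable=YES and a
# running kernel that lacks IPFIREWALL, rc.network kldloads this module;
# the module does not provide divert sockets (assumption: 4.x behaviour).
ipfw_loaded_as_module() {
    printf '%s\n' "$1" | grep -q 'ipfw\.ko'
}

# Constructed sample output (not captured from the poster's machine).
SAMPLE_UNAME_V='FreeBSD 4.6-RELEASE #0: Sat Aug 17 20:00:00 PDT 2002     root@The-Server.KnightRaven.com:/usr/src/sys/compile/THE-SERVER'
SAMPLE_DMESG='IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging limited to 50 packets/entry by default'
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    3 0xc0100000 2d3d70   kernel
 2    1 0xc1a00000 3e8c     ipfw.ko'

# Live run on FreeBSD only; elsewhere the functions are just available to callers.
if [ "$#" -eq 0 ] && [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
    ident=$(kernel_ident_from_uname "$(uname -v)")
    echo "running kernel ident: ${ident:-unknown} (expected THE-SERVER)"
    echo "divert in running kernel: $(divert_state_from_dmesg "$(dmesg)")"
    if ipfw_loaded_as_module "$(kldstat)"; then
        echo "ipfw.ko is loaded: the booted kernel was not built with IPFIREWALL, so IPDIVERT is absent too"
    fi
fi
```

If the ident printed is not THE-SERVER, or ipfw.ko shows up in kldstat, the new kernel was built but is not the one booting (wrong install path or boot loader still pointing at the old kernel), which would explain "divert disabled" surviving every rebuild. If the ident is right and divert still reports disabled, the IPDIVERT line was not in the config the build actually used.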