An IPFW problem when going from release to stable on 8.2/ Maybe bge0 network card?
Ian Smith
smithi at nimnet.asn.au
Mon Mar 7 03:00:29 UTC 2011
On Sun, 6 Mar 2011, Dave Johnson wrote:
> Hi all
>
>
> An IPFW problem when going from release to stable on 8.2
>
> Any help gladly accepted
>
> LOG ON
>
> Flushed all rules.
> 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> 00030 divert 8668 ip from any to any via bge0
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
> 50000 allow ip from any to any
> Firewall rules loaded.
> Starting natd.
That error occurred when attempting to install the fwd rule below.
Checking with 'ipfw list' should show that rule as missing.
> rc.conf
> defaultrouter="192.168.0.1"
> gateway_enable="YES"
> hostname="xxx.xxx.xxx"
> ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
> keymap="us.iso"
> moused_enable="YES"
> sshd_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> natd_program="/sbin/natd"
> natd_enable="YES"
> natd_interface="bge0"
> natd_flags="-f /etc/natd.conf"
> dhcpd_enable="NO"
> dhcpd_flags="-q"
> dhcpd_conf="/usr/local/etc/dhcpd.conf"
> dhcpd_ifaces="em0"
> dhcpd_withumask="022"
>
> natd.conf
>
> interface bge0
> use_sockets yes
> same_ports yes
> log
> #redirect_port tcp 192.168.1.189:3389 3389
> #redirect_port tcp 192.168.1.53:5500 5500
>
> #!/bin/sh
>
> /sbin/ipfw -f flush
> /sbin/ipfw -f pipe flush
>
>
>
> #Nat Rules
> /sbin/ipfw add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> /sbin/ipfw add 30 divert natd all from any to any via bge0
Don't use 'all' or 'ip' with divert, specify ip4 instead; divert can't
handle ip6 packets yet, panics have been reported. See /etc/rc.firewall.
> #Forward to Transparent Proxy Server
> #/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
> #/sbin/ipfw add 10010 fwd 127.0.0.1,3128 tcp from 10.0.21.2 to any 80
>
> /sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
>
>
> /sbin/ipfw add 50000 allow ip from any to any
>
> KERNEL
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=5
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> options DUMMYNET
But ipfw(8) sayeth:
To enable fwd a custom kernel needs to be compiled with the
option options IPFIREWALL_FORWARD.
cheers, Ian
[ aside: man.cgi is currently broken for 8.2-RELEASE, at least for ipfw.
http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&format=html
reports "Sorry, no data found for `ipfw'. Please try a keyword search."
Selecting 8.1-stable instead works correctly ]
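As an added illustration (not part of the thread, and not FreeBSD's own rc.firewall), here is the poster's script rewritten with the ip4 divert rule, plus the check Ian suggests: after loading, compare the intended rule numbers against the output of 'ipfw list' so a rule the kernel rejected (here the fwd rule, when IPFIREWALL_FORWARD is absent) is reported by number instead of going unnoticed. It assumes /sbin/ipfw and the interface name bge0 from the post; the IPFW variable exists only so the listing check can be exercised without a FreeBSD box.

```sh
#!/bin/sh
# Added example: load the rules from the post (divert on ip4 only, as
# recommended), then report any intended rule number missing from
# 'ipfw list'. Assumes /sbin/ipfw and bge0 as in the original rc.conf.

IPFW=${IPFW:-/sbin/ipfw}
EXT_IF=${EXT_IF:-bge0}   # external interface from the post's rc.conf

# Intended rules as "number body", one per line. Rule 30 uses ip4, not
# 'all'/'ip', so divert never sees IPv6 packets.
intended_rules() {
    cat <<EOF
10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
30 divert natd ip4 from any to any via $EXT_IF
10001 fwd 127.0.0.1,3128 tcp from any to any 80
50000 allow ip from any to any
EOF
}

# Load every rule. ipfw exits non-zero when the kernel rejects one
# (e.g. fwd without options IPFIREWALL_FORWARD), so note it and keep
# going rather than stopping with a half-loaded rule set.
load_rules() {
    "$IPFW" -f flush
    "$IPFW" -f pipe flush
    intended_rules | while read -r num rest; do
        "$IPFW" add "$num" $rest || echo "rule $num rejected by kernel" >&2
    done
}

# missing_rules LISTING: given the text of 'ipfw list', print the intended
# rule numbers that are absent. ipfw zero-pads numbers (00030), so the
# listing's first column is normalised with awk before comparing.
missing_rules() {
    listing=$1
    intended_rules | while read -r num rest; do
        found=0
        for n in $(printf '%s\n' "$listing" | awk '{print $1+0}'); do
            [ "$n" -eq "$num" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$num"
    done
    return 0
}

# Run as ". script" to use the functions, or "script load" on the gateway.
if [ "$1" = "load" ]; then
    load_rules
    missing_rules "$("$IPFW" list)" | sed 's/^/missing rule: /'
fi
```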