Looking for some assistance, please:

Working with FreeBSD 5.1.  On reboot I see the following comment:

...
Enabling ipfilter
ioctl(SIOCIPFL6): Invalid Argument
...

Google is mute on the subject except for listing where this item is used as
a preprocessor directive.

I have modified /etc/rc.d/ipfilter to remove the "-E" startup flag from 3
locations (which cleared up the ipfilter already initialized comments), but
this problem was happening before I made that modification.  I only mention
it because the two issues (the Invalid Argument and the Ipfilter already
initialized comments) may be related.

I have tried turning off ipnat and ipmon in the rc.conf file, but this
persists, leading me to believe the problem is in fact with the ipfilter
command (or setup).

Following is the rc.conf, ip.rules, and modified kernel file I am using:

==============================
/etc/rc.conf:

defaultrouter="192.168.1.10"
hostname="whatever.something.com"
ifconfig_xl0="inet 192.168.1.1  netmask 255.255.255.0"
kern_securelevel_enable="YES"
kern_securelevel="1"
inetd_enable="NO"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Dvn /var/log/firewall.log"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"
nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
syslogd_enable="YES"
syslogd_flags="-ss"
log_in_vain="YES"
accounting_enable="NO"
clear_tmp_enable="YES"
update_motd="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_extensions="NO"
tcp_keepalive="YES"
icmp_bmcastecho="NO"
icmp_bandlim="YES"

==============================
/etc/ip.rules:

# Outbound rules
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep frags keep state
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state
pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 53 keep state keep frags
block out quick on xl0 proto igmp all
block out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 from !192.168.1.0/24 to any
block out quick on xl0 from any to 2.0.0.0/8
block out quick on xl0 from any to 5.0.0.0/8
block out quick on xl0 from any to 10.0.0.0/8
block out quick on xl0 from any to 23.0.0.0/8
block out quick on xl0 from any to 27.0.0.0/8
block out quick on xl0 from any to 31.0.0.0/8   
block out quick on xl0 from any to 69.0.0.0/8
block out quick on xl0 from any to 70.0.0.0/7
block out quick on xl0 from any to 72.0.0.0/5
block out quick on xl0 from any to 82.0.0.0/7
block out quick on xl0 from any to 84.0.0.0/6
block out quick on xl0 from any to 88.0.0.0/5
block out quick on xl0 from any to 96.0.0.0/3
block out quick on xl0 from any to 127.0.0.0/8
block out quick on xl0 from any to 128.0.0.0/16
block out quick on xl0 from any to 128.66.0.0/16
block out quick on xl0 from any to 169.254.0.0/16
block out quick on xl0 from any to 172.16.0.0/12
block out quick on xl0 from any to 191.255.0.0/16
block out quick on xl0 from any to 192.0.0.0/19
block out quick on xl0 from any to 192.0.48.0/20
block out quick on xl0 from any to 192.0.64.0/18
block out quick on xl0 from any to 192.0.128.0/17
block out quick on xl0 from any to 192.168.0.0/16
block out quick on xl0 from any to 197.0.0.0/8
block out quick on xl0 from any to 201.0.0.0/8
block out quick on xl0 from any to 204.152.64.0/23
block out quick on xl0 from any to 206.112.0.0/16
block out quick on xl0 from any to 224.0.0.0/3
block out on xl0 all

# Inbound Packet Rules 
pass in quick on xl0 proto tcp from 192.168.1.36 to 192.168.1.227 port = 22 flags S keep frags keep state
block in quick on xl0 proto tcp from any to any port = 10024 keep state
block in quick on xl0 proto icmp from any to any keep state
block in quick on xl0 proto igmp all
block in quick on xl0 all with ipopts
block in quick on xl0 all with frag
block in quick on xl0 all with short
block return-rst in quick on xl0 proto tcp all flags FUP
block return-rst in quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on xl0 proto udp from any to any
block in log quick on xl0 all with opt lsrr
block in log quick on xl0 all with opt ssrr
block in quick on xl0 from 0.0.0.0/7 to any
block in quick on xl0 from 2.0.0.0/8 to any
block in quick on xl0 from 5.0.0.0/8 to any
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 23.0.0.0/8 to any
block in quick on xl0 from 27.0.0.0/8 to any
block in quick on xl0 from 31.0.0.0/8 to any
block in quick on xl0 from 69.0.0.0/8 to any
block in quick on xl0 from 70.0.0.0/7 to any
block in quick on xl0 from 72.0.0.0/5 to any
block in quick on xl0 from 82.0.0.0/7 to any
block in quick on xl0 from 84.0.0.0/6 to any
block in quick on xl0 from 88.0.0.0/5 to any
block in quick on xl0 from 96.0.0.0/3 to any
block in quick on xl0 from 127.0.0.0/8 to any
block in quick on xl0 from 128.0.0.0/16 to any
block in quick on xl0 from 128.66.0.0/16 to any
block in quick on xl0 from 169.254.0.0/16 to any
block in quick on xl0 from 172.17.0.0/12 to any
block in quick on xl0 from 191.255.0.0/16 to any
block in quick on xl0 from 192.0.0.0/19 to any
block in quick on xl0 from 192.0.48.0/20 to any
block in quick on xl0 from 192.0.64.0/18 to any
block in quick on xl0 from 192.0.128.0/17 to any
block in quick on xl0 from 192.168.0.0/16 to any
block in quick on xl0 from 197.0.0.0/8 to any
block in quick on xl0 from 201.0.0.0/8 to any
block in quick on xl0 from 204.152.64.0/23 to any
block in quick on xl0 from 224.0.0.0/3 to any
block in log quick on xl0 all

# Loopback interface
pass in quick on lo0 all
pass out quick on lo0 all

==============================
Kernel config:

machine         i386
cpu                     I686_CPU
ident                   GENERIC
options                 SCHED_4BSD              
options                 INET                    
options                 FFS                     
options                 SOFTUPDATES             
options                 UFS_ACL         
options                 UFS_DIRHASH             
options                 MD_ROOT         
options                 PROCFS          
options                 PSEUDOFS                
options                 COMPAT_43               
options                 COMPAT_FREEBSD4 
options                 SCSI_DELAY=15000        
options                 KTRACE          
options                 SYSVSHM         
options                 SYSVMSG         
options                 SYSVSEM         
options                 _KPOSIX_PRIORITY_SCHEDULING 
options                 KBD_INSTALL_CDEV        
options                 INVARIANT_SUPPORT       
options         TCP_DROP_SYNFIN 
options         SC_DISABLE_DDBKEY
options         SC_DISABLE_REBOOT
options         CPU_ENABLE_SSE
options         CPU_ATHLON_SSE_HACK
options         IPSEC
options         IPSTEALTH
options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK
device          isa
device          eisa
device          pci
device          ata
device          atadisk 
options         ATA_STATIC_ID
device          atkbdc  
device          atkbd           
device          vga             
device          sc              
device          agp             
device          npx             
device          miibus  
device          xl              
device          random  
device          loop            
device          ether           
device          tun             
device          pty             
device          md              
device          gif             
device          bpf             
device          uhci
device          ohci
device          usb
device          umass
device          scbus
device          da
device          pass


Thank you.

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
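
An added example, not part of the original post: a small Python check over address-only `block ... quick` rules in the format posted above, reporting prefixes written with host bits set and networks blocked in only one direction. The sample rules are a constructed subset of the posted list, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: a few address-only rules taken from the posted ruleset.
SAMPLE_RULES = """\
block out quick on xl0 from any to 172.16.0.0/12
block out quick on xl0 from any to 206.112.0.0/16
block out quick on xl0 from any to 10.0.0.0/8
block in quick on xl0 from 0.0.0.0/7 to any
block in quick on xl0 from 172.17.0.0/12 to any
block in quick on xl0 from 10.0.0.0/8 to any
"""

# Matches only "block in|out [log] quick on IF from SRC to DST" with no further options.
RULE_RE = re.compile(
    r"^block\s+(in|out)\s+(?:log\s+)?quick\s+on\s+\S+\s+from\s+(\S+)\s+to\s+(\S+)\s*$")


def parse_blocklists(text):
    """Return {'in': [...], 'out': [...]} of CIDR strings from address-only block rules."""
    lists = {"in": [], "out": []}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        direction, src, dst = m.groups()
        # Inbound rules filter on the source, outbound rules on the destination.
        cidr = src if direction == "in" else dst
        if "/" in cidr and not cidr.startswith("!"):
            lists[direction].append(cidr)
    return lists


def host_bits_set(cidrs):
    """Pairs (as written, network the prefix length covers) for non-base addresses."""
    flagged = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if str(net) != c:
            flagged.append((c, str(net)))
    return flagged


def asymmetry(lists):
    """Networks blocked in only one direction, compared after normalising each prefix."""
    norm = {d: {ipaddress.ip_network(c, strict=False) for c in v}
            for d, v in lists.items()}
    return (sorted(map(str, norm["in"] - norm["out"])),
            sorted(map(str, norm["out"] - norm["in"])))
```
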
