Thanks, works perfectly now,
Alan

On 08/10/10 18:59, Eugene Grosbein wrote:
On Tue, Aug 10, 2010 at 04:33:02PM +0100, Alan Hicks wrote:

Having upgraded to Release-8.1, there appears to be an issue with
network address translation where a newly booted machine fails to setup
nat with the error 'ipfw: getsockopt(IP_FW_ADD): Invalid argument'

That's because your kernel (GENERIC?) does not have ipdivert support enabled.
That's not fatal, see later.


Box has two interfaces em0 and xl0 (Dell PowerEdge 1600SC)

rc.conf
ifconfig_xl0="inet 192.168.202.5 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
firewall_enable="YES"
firewall_type="open"
firewall_logging="yes"
natd_enable="YES"
natd_interface="em0"

Boot excerpt from console, typed as it does not make it to
/var/log/messages so apologies for any typos

add net default: gateway 192.168.0.1
Additional routing options: IP gateway=YES
Starting devd.
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based
forwarding disabled, default to deny, logging disabled
load_dn_sched dn_sched FIFO loaded
load_dn_sched dn_sched QFQ loaded
load_dn_sched dn_sched RR loaded
load_dn_sched dn_sched WF2Q+ loaded
load_dn_sched dn_sched PRIO loaded
flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
ipfw: getsockopt(IP_FW_ADD): Invalid argument

At this point, there is still no ipdivert support loaded.

65000 allow ip from any to any
Firewall rules loaded.
Firewall logging enabled.
Starting natd.

At this point, kernel module ipdivert.ko is loaded.

Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Aug 10 12:02:53 natd[869]: Aliasing to 192.168.0.2, mtu 1500 bytes

Although all appears to be ok, machines on the xl0 192.168.202.0/24
subnet can't see the internet.  Running /etc/rc.firewall manually fixes
the issue.

ipdivert.ko is loaded, hence re-loading firewall rules helps.


The machine was upgraded from 8.0 using unmodified cvs sources using
buildkernel, buildworld, installworld, installkernel, mergemaster.

Any help appreciated.

Just load ipdivert.ko earlier by means of loader.conf:

echo 'ipdivert_load="YES"' >> /boot/loader.conf

Alternatively, rebuild kernel with options IPFIREWALL and IPDIVERT

Eugene Grosbein
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

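The ordering problem in the thread (rc.firewall issues its divert rule before ipdivert.ko is loaded by natd's startup) can be checked for and fixed idempotently rather than with a bare `echo >>`, which appends a duplicate line each time it is run. The script below is an added example, not code from the thread or from FreeBSD's rc scripts. It assumes kldstat's usual column layout (constructed sample output is embedded so it runs anywhere) and a loader.conf path passed in by the caller.

```sh
#!/bin/sh
# Added example: verify the ipdivert prerequisite for ipfw divert/natd rules
# and make the loader.conf fix idempotent.

# Constructed sample of kldstat(8) output on a GENERIC kernel *before*
# natd starts (no ipdivert.ko line).
SAMPLE_KLDSTAT_NO_DIVERT='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 d0d5f8   kernel
 2    1 0xffffffff80f08000 4a08     ipfw.ko'

# Same sample after ipdivert.ko has been loaded.
SAMPLE_KLDSTAT_WITH_DIVERT="$SAMPLE_KLDSTAT_NO_DIVERT
 3    1 0xffffffff80f0e000 5f30     ipdivert.ko"

# Read kldstat output on stdin; return 0 if ipdivert.ko is listed.
# This is the condition under which 'ipfw add ... divert natd' can succeed;
# without it the kernel rejects the rule with IP_FW_ADD: Invalid argument.
ipdivert_loaded() {
    grep -q '[[:space:]]ipdivert\.ko$'
}

# Append VAR="VAL" to FILE only if VAR is not already set there, so repeated
# runs do not stack duplicate lines in loader.conf.
ensure_loader_var() {
    file=$1; var=$2; val=$3
    if grep -q "^${var}=" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s="%s"\n' "$var" "$val" >> "$file"
}

# Demonstration on the constructed samples (no root or FreeBSD needed).
if printf '%s\n' "$SAMPLE_KLDSTAT_NO_DIVERT" | ipdivert_loaded; then
    echo "sample 1: ipdivert present (unexpected)"
else
    echo "sample 1: ipdivert missing -> divert rules would fail at boot"
fi
if printf '%s\n' "$SAMPLE_KLDSTAT_WITH_DIVERT" | ipdivert_loaded; then
    echo "sample 2: ipdivert present -> divert rules can be added"
fi
```

On the box itself, as root, the two pieces combine into the fix from the reply: `kldstat | ipdivert_loaded || kldload ipdivert` for the running system, and `ensure_loader_var /boot/loader.conf ipdivert_load YES` to make it load before rc.firewall on the next boot. Re-running rc.firewall by hand, as in the original report, only works because natd had already pulled the module in.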