
Cannot use ipfw fwd:


kjkoster
December 28th, 2010, 22:35
Dear All,

While my ipfw firewall works beautifully, I cannot seem to use the ipfw fwd command. It gives me the following error:

# ipfw add 1550 fwd 192.0.32.10,8080 tcp from any to me 8082
ipfw: getsockopt(IP_FW_ADD): Invalid argument


I think I have everything loaded properly:

# kldstat
Id Refs Address Size Name
1 10 0xffffffff80100000 da0610 kernel
2 2 0xffffffff80ea1000 1cd70 ipfw.ko
3 2 0xffffffff80ebe000 140d0 libalias.ko
4 1 0xffffffff81022000 1574 fdescfs.ko
5 1 0xffffffff81024000 1636 ipdivert.ko
# sysctl net.inet.ip.fw
net.inet.ip.fw.static_count: 40
net.inet.ip.fw.default_to_accept: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 4
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
# uname -a
FreeBSD www.example.com 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #0: Tue Dec 28 18:39:59 CET 2010 kjkoster@www.example.com:/usr/obj/usr/src/sys/GENERIC amd64


What am I missing?

Kees Jan

DutchDaemon
December 29th, 2010, 04:06
Since you're running a GENERIC kernel, you probably do not have the option IPFIREWALL_FORWARD in there, which is needed. In other words, you will need to compile a custom kernel.

ipfw

To enable fwd a custom kernel needs to be compiled with the
option options IPFIREWALL_FORWARD.

kjkoster
December 29th, 2010, 08:56
Dear DutchDaemon,

Thank you for your quick response. I already knew this and previously I had that option in custom kernels. However, I am trying to move away from custom kernels. Too many different machines and it is a pain to follow GENERIC with every update.

Oh well, I'll just have to script generating an appropriate kernel config.

Is there a reason that this is not a sysctl, but a kernel option? What run-time overhead or potential security issue does IPFIREWALL_FORWARD introduce?

Kees Jan
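As an added example, not taken from the thread or from any FreeBSD source, this is one way to script the custom-kernel route Kees Jan mentions: the config(8) `include GENERIC` directive keeps the generated config tracking GENERIC across updates, and only the one extra option is appended. The output path, the ident `FWDGENERIC`, and the helper names are assumptions chosen for this example; `kern.conftxt` is only available when the running kernel was built with `options INCLUDE_CONFIG_FILE`.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the forum thread): generate a
# FreeBSD kernel config that includes GENERIC and adds IPFIREWALL_FORWARD,
# the kernel option that ipfw's fwd action requires, then verify the result.

# Matches an active (non-commented) "options IPFIREWALL_FORWARD" line.
FWD_OPTION_RE='^[[:space:]]*options[[:space:]]+IPFIREWALL_FORWARD([[:space:]]|$)'

# gen_fwd_kernel_conf FILE [IDENT]
# Writes a config that pulls in GENERIC verbatim via "include" and appends
# the forward option, so GENERIC itself is never edited.
gen_fwd_kernel_conf() {
    conf="$1"                    # e.g. /usr/src/sys/amd64/conf/FWDGENERIC (assumed path)
    ident="${2:-FWDGENERIC}"     # assumed kernel ident
    cat > "$conf" <<EOF
# Generated: GENERIC plus ipfw fwd support. Regenerate rather than edit.
include GENERIC
ident   $ident
options IPFIREWALL_FORWARD
EOF
}

# conf_has_fwd FILE
# Returns 0 when FILE enables the option (comments and blank lines ignored).
conf_has_fwd() {
    grep -Eq "$FWD_OPTION_RE" "$1"
}

# running_kernel_has_fwd
# Checks the running kernel's embedded config. Only meaningful on FreeBSD
# when the kernel was built with "options INCLUDE_CONFIG_FILE"; otherwise
# kern.conftxt is absent and this returns non-zero.
running_kernel_has_fwd() {
    sysctl -n kern.conftxt 2>/dev/null | grep -Eq "$FWD_OPTION_RE"
}

# Stand-alone use: ./gen_fwd_kernel.sh /usr/src/sys/amd64/conf/FWDGENERIC [IDENT]
if [ "$#" -ge 1 ]; then
    gen_fwd_kernel_conf "$1" "${2:-FWDGENERIC}"
    if conf_has_fwd "$1"; then
        echo "wrote $1 with IPFIREWALL_FORWARD; build with: config $(basename "$1")"
    else
        echo "failed to write a usable config to $1" >&2
        exit 1
    fi
fi
```

After `config FWDGENERIC` and the usual `make` in the build directory, `running_kernel_has_fwd` can confirm the new kernel is the one booted before retrying the `ipfw add ... fwd` rule from the first post; the `getsockopt(IP_FW_ADD): Invalid argument` error is exactly what a kernel without the option returns for that rule.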

osman
December 30th, 2010, 16:56
In case you can't go for a custom kernel, then maybe you should consider using pf.
You won't need to compile a kernel to use pf's redirect (rdr) rule.

And the beauty of FreeBSD is that 2 firewalls can co-exist at the same time.


Regards
usman

kjkoster
December 31st, 2010, 11:37
Dear osman/usman,

I have enough trouble keeping the scripts clean with one firewall 'helping'. The last thing I need is another layer to add to the confusion. :)

But yeah, I need to look into pf. Thank you for the tip.

Kees Jan