
IPFW and nat problem

Discussion in 'Firewalls' started by Criosphinx, Jan 17, 2011.

  1. Criosphinx

    Hi.

    I don't know what I'm doing wrong, but I can't enable NAT at startup; every reboot shows the error:
    Code:
    ipfw: getsockopt(IP_FW_ADD): Invalid argument
    
    at the divert line, yet I can add the rule once the system has started.

    in rc.conf I have:

    Code:
    firewall_enable="YES"
    firewall_type="OPEN"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="re0"
    
    kldstat:

    Code:
    Id Refs Address    Size     Name
     1   17 0xc0400000 bb5384   kernel
     2    2 0xc605b000 11000    ipfw.ko
     3    1 0xc606c000 d000     libalias.ko
     4    1 0xc6119000 4000     ipdivert.ko
     5    1 0xc62e8000 2000     wlan_xauth.ko
     6    1 0xc6371000 68000    radeon.ko
     7    1 0xc63d9000 14000    drm.ko
    
    and dmesg | grep divert

    Code:
    ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled
    
     
  2. rnejdl

    Same NAT issue

    Were you ever able to resolve this, as I have the EXACT same issue? This config worked for a while too, but somewhere in upgrading to the latest FreeBSD it got broken.

    Thanks!
    Rusty Nejdl
     
  3. Morte

    This might be a problem if the NAT module hasn't been loaded when ipfw is initializing.

    Try setting ipdivert_load="YES" in /boot/loader.conf
     
  4. Crest

    Load the ipfw_nat.ko kernel module and use in-kernel NAT.

    Code:
    kldload ipfw_nat
    ipfw nat 1 config if re0
    ipfw add nat 1 ip4 from any to any via re0
    
     
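To turn the in-kernel NAT commands above into something that survives a reboot, here is an added example (not part of the thread, and not Crest's or FreeBSD's own code): a POSIX sh script that generates an ipfw rules file in the one-command-per-line format that `ipfw -q <file>` reads, which is what /etc/rc.firewall does when `firewall_type` in rc.conf is set to a readable path. The interface name re0 comes from the thread; the 192.168.1.0/24 LAN prefix, the /etc/ipfw.rules path, and the function names `gen_nat_rules` and `check_nat_rules` are assumptions made for the example. Loading ipfw.ko and ipfw_nat.ko from /boot/loader.conf makes both modules resident before rc.d/ipfw runs, which is the same ordering fix Morte describes for ipdivert.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an ipfw ruleset that uses
# in-kernel NAT (ipfw_nat.ko) instead of natd + divert.
#
# Assumed installation on FreeBSD:
#   sh gen_ipfw_nat.sh re0 192.168.1.0/24 > /etc/ipfw.rules
#   /boot/loader.conf:  ipfw_load="YES"
#                       ipfw_nat_load="YES"
#   /etc/rc.conf:       firewall_enable="YES"
#                       firewall_type="/etc/ipfw.rules"
#                       gateway_enable="YES"
# /etc/rc.firewall passes a readable firewall_type path to 'ipfw -q <file>',
# which reads one ipfw command per line without the leading "ipfw".

# gen_nat_rules WAN_IF LAN_NET
#   Prints a complete ruleset to stdout. Both arguments are parameters;
#   re0 and 192.168.1.0/24 are only example values.
gen_nat_rules() {
    wan_if=$1
    lan_net=$2
    cat <<EOF
# generated ruleset: in-kernel NAT on ${wan_if}
flush
# NAT instance 1 rewrites source addresses to whatever address ${wan_if} holds.
# same_ports keeps the source port where possible, unreg_only only translates
# private (RFC 1918) sources, reset clears the translation table when the
# interface address changes (e.g. a new DHCP lease).
nat 1 config if ${wan_if} same_ports unreg_only reset
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# anti-spoofing: packets claiming a LAN source must not arrive on the WAN side
add 200 deny ip from ${lan_net} to any in via ${wan_if}
# translate both directions on the WAN interface; with net.inet.ip.fw.one_pass=1
# (the default) a translated packet leaves the ruleset here
add 300 nat 1 ip4 from any to any via ${wan_if}
# everything else: the OPEN policy from the original rc.conf
add 65000 allow ip from any to any
EOF
}

# check_nat_rules WAN_IF LAN_NET
#   Returns 0 when the generated text contains the nat config line and the
#   nat rule for WAN_IF; a cheap sanity check before copying the file into place.
check_nat_rules() {
    wan_if=$1
    rules=$(gen_nat_rules "$wan_if" "$2")
    printf '%s\n' "$rules" | grep -q "^nat 1 config if ${wan_if}" &&
    printf '%s\n' "$rules" | grep -q "^add 300 nat 1 ip4 from any to any via ${wan_if}$"
}

# When executed directly with two arguments, print the ruleset.
if [ $# -eq 2 ]; then
    gen_nat_rules "$1" "$2"
fi
```

Because the file is loaded by rc.d/ipfw rather than by a hand-typed command, the divert rule that failed at boot in the original post is never needed; the nat instance lives entirely in the kernel, so the only boot-order requirement is that ipfw_nat.ko is present when the `nat 1 config` line is processed, which the loader.conf entries guarantee.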
  5. rnejdl

    What I ended up doing for the ipnat stuff was simply to compile it into the kernel instead of using kernel modules, as something is messed up there: most of my kernel modules just don't load, without any error. NVIDIA, AIO, HTTP_*, VIRTUALBOX, they are just plain skipped.