Cannot use ipfw fwd:

Dear All,

While my ipfw firewall works beautifully, I cannot seem to use the ipfw fwd command. It gives me the following error:

Code:
# ipfw add 1550 fwd 192.0.32.10,8080 tcp from any to me 8082
ipfw: getsockopt(IP_FW_ADD): Invalid argument

I think I have everything loaded properly:
Code:
# kldstat
Id Refs Address            Size     Name
 1   10 0xffffffff80100000 da0610   kernel
 2    2 0xffffffff80ea1000 1cd70    ipfw.ko
 3    2 0xffffffff80ebe000 140d0    libalias.ko
 4    1 0xffffffff81022000 1574     fdescfs.ko
 5    1 0xffffffff81024000 1636     ipdivert.ko
# sysctl net.inet.ip.fw
net.inet.ip.fw.static_count: 40
net.inet.ip.fw.default_to_accept: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 4
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
# uname -a
FreeBSD www.example.com 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #0: Tue Dec 28 18:39:59 CET 2010     kjkoster@www.example.com:/usr/obj/usr/src/sys/GENERIC  amd64

What am I missing?

Kees Jan
 
Since you're running a GENERIC kernel, you probably do not have the option IPFIREWALL_FORWARD in there, which is needed. In other words, you will need to compile a custom kernel.

ipfw(8)
Code:
             To enable fwd a custom kernel needs to be compiled with the
             option options IPFIREWALL_FORWARD.
 
Dear DutchDaemon,

Thank you for your quick response. I already knew this and previously I had that option in custom kernels. However, I am trying to move away from custom kernels. Too many different machines and it is a pain to follow GENERIC with every update.

Oh well, I'll just have to script generating an appropriate kernel config.

Is there a reason that this is not a sysctl, but a kernel option? What run-time overhead or potential security issue does IPFIREWALL_FORWARD introduce?

Kees Jan
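The kernel-config scripting mentioned above, as an added example that is not from this thread: FreeBSD kernel config files accept an include directive, so a config that includes GENERIC and adds only the missing option keeps tracking GENERIC across source updates without hand-merging. The config name GENERIC-FWD, the /usr/src path and the use of kern.conftxt to read the running kernel's config are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate a custom kernel config that
# is GENERIC plus IPFIREWALL_FORWARD. config(8) supports "include", so only
# the delta lives in this file and GENERIC changes are picked up on rebuild.
# The config name GENERIC-FWD and the /usr/src location are assumptions.

# Return 0 if the kernel config text on stdin enables IPFIREWALL_FORWARD.
# Commented-out lines are ignored; spacing between the words may vary.
# Usage: printf '%s\n' "$conftxt" | has_forward_option
has_forward_option() {
    grep -v '^[[:space:]]*#' \
        | grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_FORWARD([[:space:]]|$)'
}

# Print a kernel config named $1 (default GENERIC-FWD): GENERIC plus fwd.
gen_kernconf() {
    ident=${1:-GENERIC-FWD}
    cat <<EOF
# Generated: GENERIC plus ipfw fwd support. Leave GENERIC itself untouched.
include GENERIC
ident   $ident
options IPFIREWALL_FORWARD
EOF
}

# On the target host: inspect the running kernel's config and only write a
# new KERNCONF when the option is really missing. kern.conftxt exists when
# the kernel was built with "options INCLUDE_CONFIG_FILE"; otherwise
# "config -x /boot/kernel/kernel" extracts the same text.
main() {
    conf=$(sysctl -n kern.conftxt 2>/dev/null || config -x /boot/kernel/kernel)
    if printf '%s\n' "$conf" | has_forward_option; then
        echo "running kernel already has IPFIREWALL_FORWARD"
        return 0
    fi
    dest=/usr/src/sys/$(uname -m)/conf/GENERIC-FWD   # assumed location
    gen_kernconf GENERIC-FWD > "$dest"
    echo "wrote $dest; next: make buildkernel KERNCONF=GENERIC-FWD"
}

# Only touch the system when explicitly asked, so the functions can be
# sourced and checked without root or a FreeBSD box.
case "${1:-}" in --run) main ;; esac
```

After buildkernel and installkernel with KERNCONF=GENERIC-FWD, the loaded ipfw.ko is rebuilt against the same config, so the fwd rule from the first post is accepted.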
 
In case you can't go for a custom kernel, then maybe you should consider using pf.
You won't need to compile the kernel to use pf's redirect (rdr) rule.

And the beauty of FreeBSD is that 2 firewalls can co-exist at the same time.


Regards
usman
 
Dear osman/usman,

I have enough trouble keeping the scripts clean with one firewall 'helping'. Last thing I need is another layer to add to the confusion. :)

But yeah, I need to look into pf. Thank you for the tip.

Kees Jan
 