From ipfw to pf

Hi, I'm currently using ipfw on FreeBSD 9.1 but I'm having some problems making it work.

This is my relevant part of rc.conf:
Code:
firewall_enable="YES"
firewall_script="/etc/firewall.rules"

And this is /etc/firewall.rules:
Code:
ipfw -f flush
ipfw add 60000 fwd localhost,3128 ip from any to any via gre0 in
ipfw add 60500 allow ip from any to any

But IPFIREWALL returns an error on the second line:
Code:
ipfw add 60000 fwd localhost,3128 ip from any to any via gre0 in

Code:
ipfw: getsockopt(IP_FW_ADD): Invalid argument
ipfw: opcode 86, unknown opcode

In my kernel I have configured these options:
Code:
options         IPFIREWALL      # firewall
options         IPFIREWALL_FORWARD      # Enable transparent proxy support

Can someone help me with this error? Alternatively, how can I translate those rules with pf?

Many thanks in advance!
 
phoenix said:
You have an extra in at the end of the second line. Remove it.

That was not the problem, I changed that line to
Code:
ipfw add 60000 fwd 192.168.1.1,3128 ip from any to any via gre0 in

And now it works!!!! But I cannot understand why!!!!

This is my /etc/hosts:

Code:
# $FreeBSD: release/9.1.0/etc/hosts 109997 2003-01-28 21:29:23Z dbaker $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file.  Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
192.168.1.1             SRV-PROXY SRV-PROXY.testdomain.local
#
# Imaginary network.
#10.0.0.2               myname.my.domain myname
#10.0.0.3               myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
#       10.0.0.0        -   10.255.255.255
#       172.16.0.0      -   172.31.255.255
#       192.168.0.0     -   192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers.  Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#

Any idea?

Code:
manager@SRV-PROXY 7:27 [/home/manager]%ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.030 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.046 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.044 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.029 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=6 ttl=64 time=0.049 ms
64 bytes from 127.0.0.1: icmp_seq=7 ttl=64 time=0.042 ms
^C
--- localhost ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.029/0.040/0.049/0.007 ms
manager@SRV-PROXY 7:29 [/home/manager]%
 
jos3ph said:
Code:
ipfw: getsockopt(IP_FW_ADD): Invalid argument
ipfw: opcode 86, unknown opcode

I came across this error today. It occurs when a hostname resolves to an IPv6 address but there is no IPv6 support in the kernel. Commenting out the '::1' line for localhost in your /etc/hosts file should resolve the issue.
 
chrisp said:
I came across this error today. It occurs when a hostname resolves to an IPv6 address but there is no IPv6 support in the kernel. Commenting out the '::1' line for localhost in your /etc/hosts file should resolve the issue.

Thank you very much @chrisp!
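Added here to illustrate chrisp's explanation, not code from the thread: a small POSIX sh parser that resolves a name against an /etc/hosts-style table and flags IPv6 entries, so you can see why "localhost" is a bad ipfw fwd target on an INET6-less kernel while "192.168.1.1" is fine. The HOSTS_SAMPLE table is a constructed copy of the relevant lines of the poster's file, and the function names are invented for this example.

```sh
#!/bin/sh
# Added example: look a name up in an /etc/hosts-style table and flag IPv6 entries.
# A kernel without INET6 makes ipfw reject a fwd target whose first hosts entry is ::1.
# Constructed sample mirroring the relevant lines of the poster's /etc/hosts.
HOSTS_SAMPLE='# Host Database (constructed sample)
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
192.168.1.1             SRV-PROXY SRV-PROXY.testdomain.local
#10.0.0.2               myname.my.domain myname'

# hosts_lookup NAME [TABLE]: print "v6 ADDR" or "v4 ADDR" for each matching line,
# in file order (exact alias match; comment text is ignored).
hosts_lookup() {
    name=$1
    table=${2:-$HOSTS_SAMPLE}
    printf '%s\n' "$table" | while IFS= read -r line; do
        line=${line%%#*}                 # strip comments
        set -f; set -- $line; set +f     # split into fields without globbing
        [ $# -ge 2 ] || continue         # need an address and at least one name
        addr=$1; shift
        for alias in "$@"; do
            [ "$alias" = "$name" ] || continue
            case $addr in
                *:*) printf 'v6 %s\n' "$addr" ;;   # contains a colon: IPv6
                *)   printf 'v4 %s\n' "$addr" ;;
            esac
            break
        done
    done
}

# fwd_target_check NAME: 0 if every address is IPv4 (usable as an ipfw fwd target
# on an INET6-less kernel), 1 if any address is IPv6, 2 if the name is unknown.
fwd_target_check() {
    result=$(hosts_lookup "$1")
    [ -n "$result" ] || return 2
    if printf '%s\n' "$result" | grep -q '^v6 '; then return 1; fi
    return 0
}

# Stand-alone run: report on the two names that appear in the thread's rules.
for n in localhost SRV-PROXY; do
    rc=0; fwd_target_check "$n" || rc=$?
    echo "$n -> rc=$rc ($(hosts_lookup "$n" | tr '\n' ' '))"
done
```

The real resolver also consults DNS according to /etc/nsswitch.conf, so this only models the hosts-file part of the lookup; pass a second argument to test a table with the '::1' line commented out.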
 