IPDIVERT

Hello

I'm running FreeBSD/PF as a router/firewall and I need (unfortunately) to implement L7 filtering using ipfw-classifyd as it is implemented within pfsense.

When starting classifyd (compiled from source), I'm getting an error:

ipfw-classifyd: unable to create divert socket: Protocol not supported

I guess this is due to the fact that the ipdivert module is not loaded, but when I compile a new kernel with the IPDIVERT option, or just simply load the module, the network goes down. I have never used ipfw/ipdivert, am I forgetting something?

I'm running a custom kernel, but the only additional options are PF and MROUTING.

Thank you

P.
 
I believe once you load the ipfw(4) kernel module (or compile it into your kernel), it automatically adopts the deny all default security policy.

I think when you enable divert(4) by loading the ipdivert kernel module, it will load ipfw(4) module as a dependency and drop all traffic.

You can change this to a default allow all policy by adding net.inet.ip.fw.default_to_accept=1 to /boot/loader.conf.

Obviously firewalls defaulting to allow all is not good security practice, but it's fine if you are also managing traffic with pf(4) at the same time with it using a default deny policy.

Further discussion here:
https://lists.freebsd.org/pipermail/freebsd-net/2014-November/040279.html
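As an added example (not from the thread above), the following sh script applies the tunable the reply describes and checks the live state afterwards. It assumes the loader.conf path is passed in as a parameter (so it can be tried against a scratch file rather than the real /boot/loader.conf), and that kldstat(8) and sysctl(8) are only available on the FreeBSD host itself; the tunable only takes effect at the next boot, so the runtime check reads the current value with sysctl rather than trusting the file.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Sets net.inet.ip.fw.default_to_accept in a loader.conf-style file without
# producing duplicate lines, and reports the live ipfw default policy.

# esc_key KEY -> KEY with dots escaped for use in a BRE
esc_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# ensure_tunable FILE KEY VALUE
# Appends KEY="VALUE" to FILE, or rewrites an existing KEY= line in place,
# so running the script twice never leaves two conflicting entries.
ensure_tunable() {
    file=$1; key=$2; value=$3
    esc=$(esc_key "$key")
    [ -f "$file" ] || : > "$file"
    if grep -q "^${esc}=" "$file"; then
        # sed -i differs between BSD and GNU sed, so use a temp file instead.
        sed "s|^${esc}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_tunable FILE KEY -> prints the configured value (quotes stripped),
# or nothing if the key is not set in FILE.
get_tunable() {
    esc=$(esc_key "$2")
    sed -n "s|^${esc}=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$|\1|p" "$1" | tail -n 1
}

# check_ipfw_policy: FreeBSD-only runtime check. Loading ipdivert pulls in
# ipfw, and an ipfw with default_to_accept=0 drops everything that pf has
# already passed, which is the "network goes down" symptom in the question.
# Only set default_to_accept=1 if pf is carrying the default-deny policy.
check_ipfw_policy() {
    if ! kldstat -q -m ipfw; then
        echo "ipfw not loaded; ipdivert will load it as a dependency"
        return 0
    fi
    if [ "$(sysctl -n net.inet.ip.fw.default_to_accept)" = "1" ]; then
        echo "ipfw default: accept (pf must enforce default deny)"
    else
        echo "ipfw default: deny (traffic is dropped unless ipfw rules allow it)"
    fi
}

# Typical use on the router (path is the real loader.conf here):
#   ensure_tunable /boot/loader.conf net.inet.ip.fw.default_to_accept 1
#   check_ipfw_policy
```

The file edit is deliberately separated from the runtime check: editing loader.conf does nothing until reboot, so after loading ipdivert on a running system the sysctl value is the only thing that tells you which default policy ipfw is actually applying.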
 