IPFW kernel build

Hi all
I've seen it posted here a few times, but nothing like what I am experiencing.
When trying to build my own kernel I am getting the following error message.

Code:
root@pinky3:/usr/src # make buildkernel KERNCONF=MYKERNEL
make[1]: "/usr/src/Makefile.inc1" line 341: SYSTEM_COMPILER: Determined that CC=cc matches the source tree.  Not bootstrapping a cross-compiler.
make[1]: "/usr/src/Makefile.inc1" line 346: SYSTEM_LINKER: Determined that LD=ld matches the source tree.  Not bootstrapping a cross-linker.
make[1]: "/usr/src/Makefile.inc1" line 1518: Missing KERNCONF /usr/src/sys/amd64/conf/MYKERNEL
*** Error code 1

Stop.
make: stopped in /usr/src

I am using FreeBSD 12.0-release-p3
I have followed the man pages on this site, using the /usr/src/sys/amd64/conf directory instead of the i386 one.

I have installed another FreeBSD machine the same and it builds fine.
Not sure where to go?

Thanks for your thoughts.

Alex
 
You don't need to build a kernel to enable IPFW.

The kernel config file should be stored in /usr/src/sys/`uname -p`/conf/, which is /usr/src/sys/amd64/conf/ for AMD64 and /usr/src/sys/i386/conf/ for i386.
 
My other firewall crashed and I am needing to put it back to the way it was.
I was able to divert traffic on my older setup, and I cannot seem to be able to do that without rebuilding the Kernel.

If I don't need to rebuild to get that functionality, I am all ears ;)

Alex
 
See ipfw(4):
Code:
     To load the driver as a module at boot time, add the following line into
     the loader.conf(5) file:

           ipfw_load="YES"

divert(4):
Code:
     Alternatively, to load the driver as a module at boot time, add the
     following lines into the loader.conf(5) file:

           ipfw_load="YES"
           ipdivert_load="YES"
 
This didn't work.
I am wondering if my lines are messed up.
C-like:
#!/bin/sh

# Flush out the list before we begin
ipfw -q -f flush
# Set rules command prefix
#fwcmd="ipfw -q add"
# Populate table1 from a file
#cat /usr/local/etc/ipfw.table1 | xargs -n1 ipfw table 1 add
ipfw add 0010 allow all from any to any

ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

# Allow packets for which a state has been built
#ipfw add 1100 check-state
ipfw add 1320 deny tcp from any to any 137 in via re0
ipfw add 1321 deny tcp from any to any 138 in via re0
ipfw add 1322 deny tcp from any to any 139 in via re0
ipfw add 1323 deny tcp from any to any 81 in via re0
ipfw add 1324 deny tcp from any to any 1433 in via re0
ipfw add 1351 drop tcp from any to any 3389 in via em0
ipfw add 1352 drop udp from any to any 3389 in via em0

ipfw add 65000 count ip from any to any

#ipfw add 65001 allow ip from any to any

I was trying to get some response with line 1351 and 1352.

I also got this result when testing the divert with the command dmesg | grep divert
Code:
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to deny, logging disabled

Thoughts?
Alex
 
So, what is your exact problem?
Are you having trouble building from source? Or is there something wrong with your IPFW configuration?

To enable IPFW, you can add the specified entries in loader.conf although the (only slightly) preferred method is firewall_enable="YES" in rc.conf.
To enable ipdivert you can add natd_enable="YES" in rc.conf (only works if you also set firewall_enable="YES").

As a first scan of your IPFW ruleset I can see that it's a very easy firewall with one rule: "allow all from any to any" at 0010. Is this leftover from testing?
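As an added example, not written by anyone in this thread: a small sh/awk check that lists the ipfw rules an earlier unqualified "allow ip/all from any to any" makes unreachable, since ipfw walks rules in ascending number order. It runs against a constructed, shortened copy of the ruleset posted above (assumed to be a script of "ipfw add <num> <rule>" lines).

```shell
#!/bin/sh
# Added example: find ipfw rules shadowed by a catch-all allow rule.
# Assumption: the ruleset is a shell script of "ipfw add <num> <rule>" lines.

# Constructed sample: a shortened copy of the ruleset from the post.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
ipfw -q -f flush
ipfw add 0010 allow all from any to any
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
#ipfw add 1100 check-state
ipfw add 1351 drop tcp from any to any 3389 in via em0
ipfw add 65000 count ip from any to any
EOF

# Print "<num> <rule body>" for every rule numbered higher than the first
# catch-all "allow ip|all from any to any" that carries no further qualifier.
# ipfw evaluates rules by ascending number, so these never see a packet.
# Prints nothing when the ruleset has no such catch-all.
shadowed_rules() {
    awk '
        $1 == "ipfw" && $2 == "add" {        # commented lines start with "#ipfw"
            num = $3 + 0                     # "0010" becomes 10, as ipfw itself does
            body = ""
            for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
            n++; nums[n] = num; bodies[n] = body
        }
        END {
            catch = -1
            for (i = 1; i <= n; i++)
                if (catch < 0 && bodies[i] ~ /^allow (ip|all) from any to any$/)
                    catch = nums[i]
            if (catch < 0) exit 0
            for (i = 1; i <= n; i++)
                if (nums[i] > catch) print nums[i] " " bodies[i]
        }' "$1"
}

# Number of shadowed rules, as a plain integer.
shadowed_count() { shadowed_rules "$1" | wc -l | tr -d ' '; }

shadowed_rules "$SAMPLE_RULES"
```

Run it against the real script instead of the sample; every line it prints (here the deny/drop rules and the counter) is dead until the catch-all at 0010 is removed or moved to the end.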
 