workaround for ipfw problem freebsd 8-S after mar-21

Ass.Tec. Matik asstec at
Sun Apr 4 10:45:30 UTC 2010

since this actually also is invalid
ipfw add 65535 deny proto ip
ipfw: getsockopt(IP_FW_ADD): Invalid argument

you need to
ipfw add 65534 deny proto ip
65534 deny ip from any to any

this is a temp workaround if you have problems with ipfw which actually
inserts these two bad rules at the end, independent of what your rules do:

00100     12      728 allow ip from any to any via lo0
00000      0        0  ip from any to any

edit your firewall script and add directly after the flush command, depending
on your default,

if your default setup is to deny:
ipfw add 65534 deny proto ip

ipfw add 65534 pass proto ip

but before _any_ of your rules

if you do not need this rule you can add at the end of your rules:

ipfw delete 65534

depending on your ruleset you might get rid of the "ouch" whining (irrelevant)
but important is that your firewall comes up and will work fine as before

João Martins
Eng.Resp.Helpdesk e Suporte Matik
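
Added example, not part of the original post: a small check that reads `ipfw show` output and flags the kind of entries quoted above (a rule numbered 0, or a rule listed after a higher-numbered one). It assumes a healthy listing is in ascending rule-number order with numbers in 1..65535; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Usage on a live system: ipfw show | check_ipfw_listing

# Constructed sample: two ordinary rules followed by the two lines
# quoted in the post.
sample_listing() {
    cat <<'EOF'
00050     40     2912 allow ip from any to any
65535      3      180 deny ip from any to any
00100     12      728 allow ip from any to any via lo0
00000      0        0  ip from any to any
EOF
}

# Reads a listing on stdin, prints one line per finding and
# returns 1 if anything was flagged, 0 otherwise.
# Assumption: rules are listed in ascending order, numbered 1..65535.
check_ipfw_listing() {
    awk '
        # Ignore lines that do not start with a rule number.
        $1 !~ /^[0-9]+$/ { next }
        {
            num = $1 + 0
            if (num == 0) {
                printf "line %d: rule number 0 is outside 1..65535: %s\n", NR, $0
                bad = 1
            } else if (num < highest) {
                printf "line %d: rule %05d listed after %05d: %s\n", NR, num, highest, $0
                bad = 1
            }
            # Track the highest rule number seen so far.
            if (num > highest) highest = num
        }
        END { exit (bad ? 1 : 0) }
    '
}
```

A non-zero exit status makes the check easy to call at the end of a firewall script to confirm the ruleset loaded cleanly.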
