ipfw loads with forwarding disabled

Jon Falconer jfalconer at puc.edu
Fri Jul 22 01:31:52 GMT 2005


On Fri, 22 Jul 2005, Abu Khaled wrote:

> On 7/22/05, Jon Falconer <jfalconer at puc.edu> wrote:
> > I'm running FreeBSD 5.4-RELEASE. When I load ipfw.ko I get:
> > 
> > ipfw2 initialized, divert disabled, rule-based forwarding disabled,
> > default to deny, logging disabled
> > 
> > I want to use the forward action in the rule set, logging would be nice
> > too. When I try to add a rule which uses the forward action, I get:
> > 
> > Line 2: getsockopt(IP_FW_ADD): Invalid argument
> > 
> > and line 2 looks similar to:
> > 
> > add 1200 forward ##.##.##.1 src-ip ##.##.##.0/23 in recv dc1
> > 
> > At this point I'm guessing that "rule-based forwarding disabled" has
> > something to do with it not liking my rule. I tried adding "options
> > IPFIREWALL_FORWARD" to the kernel config and rebuilt the kernel. But I
> > still get the same message as above when loading ipfw (kernel module).
> > I've perused all the relevant sections of the handbook that I could find
> > without finding any more clues. What does it take to change the default
> > feature set of the ipfw kernel module? Or do I have to compile it into the
> > kernel to alter this?
> > 
> > Thanks for your suggestions,
> > 
> > Jon
> > 
> 
> What value does sysctl net.inet.ip.forwarding have?
> #sysctl net.inet.ip.forwarding
> 
> -- 
> Regards.
> Abu Khaled
> 

sysctl values:

net.inet.ip.forwarding: 1
net.inet.ip.check_interface: 0
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 2
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

rc.conf values:

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/root/fw-rules"
firewall_quiet="NO"
firewall_logging="YES"
firewall_flags=""

--Jon
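An added example, not part of this thread: a small POSIX sh check that compares the feature list ipfw prints at load time (the banner Jon quotes above) with the actions used in a rule file, so a rule that the loaded module will reject with EINVAL is flagged before `ipfw` is run. The banner and rule file are constructed sample input (addresses are placeholders); treating `divert` the same way as `forward` is an assumption, since the thread only confirms the forward case.

```shell
#!/bin/sh
# Constructed sample banner, copied from the message above (not live output).
IPFW_BANNER="ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled"

# Constructed sample rule file in the "add ..." form used in the thread.
SAMPLE_RULES="add 1000 allow ip from any to any via lo0
add 1200 forward 192.0.2.1 src-ip 192.0.2.0/23 in recv dc1
add 1300 divert 8668 ip from any to any via dc1
add 65000 deny log ip from any to any"

# feature_state BANNER NAME -> prints enabled|disabled|unknown for NAME
feature_state() {
    case "$1" in
        *"$2 enabled"*)  echo enabled ;;
        *"$2 disabled"*) echo disabled ;;
        *)               echo unknown ;;
    esac
}

# rules_needing RULES ACTION -> prints the numbers of rules whose action is ACTION
rules_needing() {
    printf '%s\n' "$1" | awk -v act="$2" '$1 == "add" && $3 == act { print $2 }'
}

# check_rules BANNER RULES -> prints "<rule-number> <feature>" for every rule
# whose action needs a feature the banner reports disabled; returns 1 if any.
# Only "forward" is confirmed by the thread; "divert" is assumed to behave alike.
check_rules() {
    banner=$1; rules=$2; bad=0
    for pair in "forward:rule-based forwarding" "divert:divert"; do
        action=${pair%%:*}; feature=${pair#*:}
        [ "$(feature_state "$banner" "$feature")" = disabled ] || continue
        for n in $(rules_needing "$rules" "$action"); do
            echo "$n $feature"; bad=1
        done
    done
    return $bad
}

if ! check_rules "$IPFW_BANNER" "$SAMPLE_RULES"; then
    echo "the rules listed above need features the loaded ipfw module lacks"
fi
```

On a live system the banner comes from dmesg after `kldload ipfw` and the rules from the file named in `firewall_type`.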
