sparc64/54712: ``ipfw: getsockopt(IP_FW_ADD): Bad address'' on sparc64
Roderick van Domburg
r.s.a.vandomburg at student.utwente.nl
Mon Jul 21 08:00:34 PDT 2003
>Number: 54712
>Category: sparc64
>Synopsis: ``ipfw: getsockopt(IP_FW_ADD): Bad address'' on sparc64
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-sparc64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 21 08:00:31 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Roderick van Domburg
>Release: FreeBSD 5.1-CURRENT sparc64
>Organization:
University of Twente
>Environment:
System: FreeBSD stud187236.mobiel.utwente.nl 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Mon Jul 21 16:15:59 CEST 2003 roderick at stud187236.mobiel.utwente.nl:/usr/obj/usr/src/sys/E250 sparc64
>Description:
After having updated to July 21 sources, ipfw complains when adding
firewall rules: ``ipfw: getsockopt(IP_FW_ADD): Bad address''.
ipfw is loaded as a module in rc.firewall. Relevant rc.firewall,
rc.conf and KERNCONF bits follow.
>How-To-Repeat:
== Relevant rc.firewall bits ==
[Cc][Ll][Ii][Ee][Nn][Tt])
############
# This is a prototype setup that will protect your system somewhat
# against people from outside your own network.
############
# set these to your network and netmask and ip
net="130.89.191.255"
mask="255.255.224.0"
ip="130.89.187.236"
setup_loopback
# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${ip} to ${net}:${mask}
${fwcmd} add pass all from ${net}:${mask} to ${ip}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming secure shells
${fwcmd} add pass tcp from any to ${ip} 22 setup
# Allow setup of incoming email
#${fwcmd} add pass tcp from any to ${ip} 25 setup
# Allow setup of incoming HTTP connections
${fwcmd} add pass tcp from any to ${ip} 80 setup
# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${ip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${ip} to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;
== Relevant rc.conf bits ==
hostname="stud187236.mobiel.utwente.nl"
ifconfig_hme0="inet 130.89.187.236 netmask 255.255.224.0"
defaultrouter="130.89.160.1"
firewall_enable="YES"
firewall_type="client"
== E250 KERNCONF ==
machine sparc64
cpu SUN4U
ident E250
options OFW_NEWPCI
options SCHED_4BSD #4BSD scheduler
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=5000 #Delay (in ms) before probing SCSI
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
#options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
# Standard busses
device ebus
device pci
# SCSI Controllers
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
# SCSI peripherals
device scbus # SCSI bus (required)
device da # Direct Access (disks)
device cd # CD
device ofw_console # OpenBoot firmware console device
# Builtin hardware
device genclock # Generic clock interface
device eeprom # eeprom (really an ebus driver for the MK48Txx)
device "mk48txx" # Mostek MK48T02, MK48T08, MK48T59 clock
# PCI Ethernet NICs that use the common MII bus controller code.
device miibus # MII bus support
device hme # Sun HME (Happy Meal Ethernet)
# Pseudo devices - the number indicates how many units to allocate.
device random # Entropy device
device loop # Network loopback
device ether # Ethernet support
device pty # Pseudo-ttys (telnet etc)
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device bpf #Berkeley packet filter
# RANDOM_IP_ID causes the ID field in IP packets to be randomized
# instead of incremented by 1 with each packet generated. This
# option closes a minor information leak which allows remote
# observers to determine the rate of packet generation on the
# machine by watching the counter.
options RANDOM_IP_ID
# Statically Link in accept filters
options ACCEPT_FILTER_HTTP
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted: