[FUG-BR] IPFW + fwd = getsockopt(IP_FW_ADD): Invalid argument

Otacílio de Araújo Ramos Neto otacilio.neto em ee.ufcg.edu.br
Mon Oct 26 10:12:47 BRST 2009


2009/10/26 Alexandre Proença <alexandre em levier.com.br>

> Good morning, everyone on the list,
> I moved my MySQL database to another server. So as not to have to change
> the database connection address in my applications, which are many, I had
> the idea of doing port forwarding on my old server: in theory, everything
> that arrives on port 3306 of my old server would be passed on to the same
> port on my new server. However, I am getting an error message when I apply
> the fwd rule; the relevant information follows below.
>
> *FreeBSD venus.xxxxxxx.com.br 7.2-RELEASE FreeBSD 7.2-RELEASE*
>
> *[root em venus /etc/rc.d]# sysctl -a | grep net.inet.ip*
> net.inet.ip.portrange.randomtime: 45
> net.inet.ip.portrange.randomcps: 10
> net.inet.ip.portrange.randomized: 1
> net.inet.ip.portrange.reservedlow: 0
> net.inet.ip.portrange.reservedhigh: 1023
> net.inet.ip.portrange.hilast: 65535
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.last: 65535
> net.inet.ip.portrange.first: 49152
> net.inet.ip.portrange.lowlast: 600
> net.inet.ip.portrange.lowfirst: 1023
> net.inet.ip.forwarding: 1
> net.inet.ip.redirect: 1
> net.inet.ip.ttl: 64
> net.inet.ip.rtexpire: 3600
> net.inet.ip.rtminexpire: 10
> net.inet.ip.rtmaxcache: 128
> net.inet.ip.sourceroute: 0
> net.inet.ip.intr_queue_maxlen: 50
> net.inet.ip.intr_queue_drops: 0
> net.inet.ip.accept_sourceroute: 0
> net.inet.ip.keepfaith: 0
> net.inet.ip.gifttl: 30
> net.inet.ip.same_prefix_carp_only: 0
> net.inet.ip.subnets_are_local: 0
> net.inet.ip.fastforwarding: 0
> net.inet.ip.maxfragpackets: 800
> net.inet.ip.maxfragsperpacket: 16
> net.inet.ip.fragpackets: 0
> net.inet.ip.check_interface: 0
> net.inet.ip.random_id: 0
> net.inet.ip.sendsourcequench: 0
> net.inet.ip.process_options: 1
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.static_count: 15
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.tables_max: 128
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.enable: 1
>
> *IPFW rules*
>
> enable verbose
> enable one_pass
> # add pass ip from any to any
> #add divert natd ip from any to any via xl0
> add divert natd ip from 192.168.200.0/22 to any out via xl0
> add divert natd ip from any to me in via xl0
> add pass udp from any to any
> add pass ip from 192.168.0.0/16 to 192.168.0.0/16
> add pass icmp from any to any
> #add pass tcp from any to any 20,21,22,23,53,80,3306,2222,8806,5432,1024-65000 setup
> add pass tcp from any to any 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 via xl0
> add pass tcp from any 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 to any via sk0
> add pass tcp from any to any 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 via sk0
> add deny tcp from any to any 587,2401,2049,512,513,514,445,79,111 via sk0
> add pass tcp from any to any out via xl0
> add pass tcp from any to any via xl0 established
> #add deny ip from any to any via xl0
> add fwd 192.168.200.40,3306 tcp from any to any 3306 via xl0
>
> Error message
>
> [root em venus /etc/rc.d]# /etc/rc.d/ipfw restart
> net.inet.ip.fw.enable: 1 -> 0
> Stopping natd.
> Waiting for PIDS: 75962, 75962, 75962, 75962, 75962.
> Starting natd.
> Loading /lib/libalias_cuseeme.so
> Loading /lib/libalias_ftp.so
> Loading /lib/libalias_irc.so
> Loading /lib/libalias_nbt.so
> Loading /lib/libalias_pptp.so
> Loading /lib/libalias_skinny.so
> Loading /lib/libalias_smedia.so
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 divert 8668 ip from 192.168.200.0/22 to any out via xl0
> 00500 divert 8668 ip from any to me in via xl0
> 00600 allow udp from any to any
> 00700 allow ip from 192.168.0.0/16 to 192.168.0.0/16
> 00800 allow icmp from any to any
> 00900 allow tcp from any to any dst-port 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 via xl0
> 01000 allow tcp from any 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 to any via sk0
> 01100 allow tcp from any to any dst-port 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 via sk0
> 01200 deny tcp from any to any dst-port 587,2401,2049,512,513,514,445,79,111 via sk0
> 01300 allow tcp from any to any out via xl0
> 01400 allow tcp from any to any via xl0 established
> *Line 18: getsockopt(IP_FW_ADD): Invalid argument*
> Firewall rules loaded.
> net.inet.ip.fw.enable: 0 -> 1
>
> Does anyone have any idea, or has anyone run into this problem?
> Thanks in advance
>
>

You can rebuild the kernel as this manpage explains.

http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=4&apropos=0&manpath=FreeBSD+7.2-RELEASE

You can load it as a module at boot, as the same manpage explains.

Or you can simply load the module.
http://www.freebsd.org/cgi/man.cgi?query=kldload&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html
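As an added example (not part of this thread or of FreeBSD), the following Python script reads an ipfw rule file like the one quoted above, resolves a loader message of the form "Line N: getsockopt(IP_FW_ADD): Invalid argument" to the rule on that line, names the kernel build option that the rule's action depends on (the names come from ipfw(4): IPFIREWALL_FORWARD for fwd, IPDIVERT for divert), and reports earlier terminal rules that would already match the same traffic, since ipfw stops at the first matching allow or deny. The ruleset embedded in it is the one from the thread with the mail-wrapped lines rejoined; the script assumes the loader numbers every line of the file, comments and `enable` lines included, which is consistent with the thread, where line 18 of the quoted file is the fwd rule. The parser only handles the plain `add ... from ... to ... [via IF] [in|out] [established|setup]` syntax used in that file.

```python
"""Constructed example: map an ipfw loader error back to its rule, name the kernel option
that rule's action depends on, and flag earlier terminal rules that shadow it."""
import re

# Ruleset quoted in the thread, with the mail-wrapped lines rejoined (constructed input).
RULESET = """\
enable verbose
enable one_pass
# add pass ip from any to any
#add divert natd ip from any to any via xl0
add divert natd ip from 192.168.200.0/22 to any out via xl0
add divert natd ip from any to me in via xl0
add pass udp from any to any
add pass ip from 192.168.0.0/16 to 192.168.0.0/16
add pass icmp from any to any
#add pass tcp from any to any 20,21,22,23,53,80,3306,2222,8806,5432,1024-65000 setup
add pass tcp from any to any 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 via xl0
add pass tcp from any 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 to any via sk0
add pass tcp from any to any 13,20,21,22,23,53,80,3306,2222,8806,5432,8886,1024-65000 via sk0
add deny tcp from any to any 587,2401,2049,512,513,514,445,79,111 via sk0
add pass tcp from any to any out via xl0
add pass tcp from any to any via xl0 established
#add deny ip from any to any via xl0
add fwd 192.168.200.40,3306 tcp from any to any 3306 via xl0
"""
ERROR = "Line 18: getsockopt(IP_FW_ADD): Invalid argument"  # loader message from the thread

NEEDS_OPTION = {"fwd": "IPFIREWALL_FORWARD", "divert": "IPDIVERT"}  # build options per ipfw(4)
ARG_ACTIONS = {"fwd", "divert", "tee", "pipe", "queue", "skipto"}  # action takes an argument
TERMINAL = {"allow", "pass", "accept", "permit", "deny", "drop"}  # first match ends processing
PORTLIST_RE = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")
ERROR_RE = re.compile(r"Line (\d+): getsockopt\((\w+)\): (.+)")

def parse_ports(tok):
    """'13,20,1024-65000' -> [(13, 13), (20, 20), (1024, 65000)]; [] means any port."""
    out = []
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def parse_rule(line):
    """Parse 'add [num] ACTION [arg] PROTO from SRC [ports] to DST [ports] [opts]'; else None."""
    tok = line.split()
    try:
        if tok[0] != "add":
            return None
        i = 2 if tok[1].isdigit() else 1          # optional explicit rule number
        action = tok[i]
        i += 2 if action in ARG_ACTIONS else 1    # skip fwd target / divert port / pipe number
        proto, src = tok[i], tok[i + 2]
        if tok[i + 1] != "from":
            return None
        i += 3
        sports = parse_ports(tok[i]) if PORTLIST_RE.match(tok[i]) else []
        i += bool(sports)
        if tok[i] != "to":
            return None
        dst, i = tok[i + 1], i + 2
        dports = parse_ports(tok[i]) if i < len(tok) and PORTLIST_RE.match(tok[i]) else []
        opts = tok[i + bool(dports):]
        iface = opts[opts.index("via") + 1] if "via" in opts else None
    except IndexError:                            # truncated or malformed line
        return None
    return {"action": action, "proto": proto, "src": src, "sports": sports, "dst": dst,
            "dports": dports, "iface": iface,
            "dir": next((o for o in opts if o in ("in", "out")), None),
            "flags": {o for o in opts if o in ("established", "setup")}}

def covers(outer, inner):
    """True when every range in inner lies inside some range of outer ([] = any port)."""
    return not outer or (bool(inner) and all(any(a <= lo and hi <= b for a, b in outer) for lo, hi in inner))

def load_rules(text):
    """[(lineno, raw, parsed)] counting every line, comments included, the way the loader's
    'Line N' numbers the file (assumption, consistent with the thread: line 18 is the fwd rule)."""
    return [(n, raw, parse_rule(raw)) for n, raw in enumerate(text.splitlines(), 1)]

def locate_error(text, message):
    """Resolve 'Line N: getsockopt(...)' to the rule on line N and the kernel option it needs."""
    m = ERROR_RE.match(message)
    if not m:
        return None
    n, raw, parsed = load_rules(text)[int(m.group(1)) - 1]
    return {"line": n, "rule": raw, "sockopt": m.group(2),
            "kernel_option": NEEDS_OPTION.get(parsed["action"]) if parsed else None}

def shadowed_by(text, lineno):
    """Earlier terminal rules matching at least everything the rule on `lineno` matches, so the
    later rule is never reached. Conservative: tcp-flag rules are skipped, and an in/out-only
    rule counts only when the later rule has the same direction."""
    rules = load_rules(text)
    t = rules[lineno - 1][2]
    return [n for n, _, r in rules[:lineno - 1] if t and r and r["action"] in TERMINAL
            and not r["flags"] and r["proto"] in ("ip", "all", t["proto"])
            and r["src"] in ("any", t["src"]) and r["dst"] in ("any", t["dst"])
            and r["iface"] in (None, t["iface"]) and r["dir"] in (None, t["dir"])
            and covers(r["sports"], t["sports"]) and covers(r["dports"], t["dports"])]

if __name__ == "__main__":
    hit = locate_error(RULESET, ERROR)
    print(f"line {hit['line']}: {hit['rule']}")
    print(f"  kernel option: {hit['kernel_option']}; shadowed by lines {shadowed_by(RULESET, hit['line'])}")
```

On the thread's file it reports that line 18 depends on IPFIREWALL_FORWARD, which is the kernel option the reply above points at, and that line 11 (rule 00900 in the loader output) already allows tcp to port 3306 via xl0. Because ipfw takes the first matching allow or deny, the fwd rule would not be reached for that traffic even once the kernel accepts it unless it is placed ahead of that allow; the shadow check is deliberately conservative, so rules it does not list may still need a manual look.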
