<div dir="ltr"><div><span style="font-family:arial,sans-serif;font-size:13px"><div>ipfw -ad list</div><div><br></div><div>00004 0 0 deny ip from any to any MAC e8:03:9a:0f:74:7b any</div><div>00005 63668675 49628511386 allow ip from any to any layer2</div>
</span></div><span style="font-family:arial,sans-serif;font-size:13px">00100</span><span style="font-family:arial,sans-serif"> </span><span style="font-family:arial,sans-serif;font-size:13px"> 25849</span><span style="font-family:arial,sans-serif"> </span><span style="font-family:arial,sans-serif;font-size:13px">4724396 divert 8000 all from any to 10.2.2.10 not layer2</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">00200</span><span style="font-family:arial,sans-serif"> </span><span style="font-family:arial,sans-serif;font-size:13px"> 26579</span><span style="font-family:arial,sans-serif"> </span><span style="font-family:arial,sans-serif;font-size:13px">5122809 divert 8000 all from 10.2.2.10 to any not layer2</span><div>
<font face="arial, sans-serif"><div>00300 365312 25436015 skipto 600 udp from any to any dst-port 53,1812</div><div>00400 334817 71431398 skipto 600 udp from any 53,1812 to any</div><div>00500 77815 5612395 deny udp from any to any</div>
<div><div>00600 4928083 1457516245 nat tablearg ip from table(10) to any via igb1 // VLAN NAT</div><div>00600 13655296 16815414254 nat tablearg ip from any to table(11) via igb1 // VLAN NAT</div></div></font><div>
<span style="font-family:arial,sans-serif;font-size:13px">##Dynamic rules:</span></div></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Mar 6, 2014 at 1:02 AM, Eric Leblond <span dir="ltr"><<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<div class=""><br>
On Thu, 2014-03-06 at 00:55 +0200, Özkan KIRIK wrote:<br>
> I tried to compile both clang and gcc. Result was same.<br>
><br>
> This error appears sometimes. Not for all packets.<br>
><br>
> There is only one rule : pass ip any any -> any any<br>
<br>
</div>There is an old memory coming back to me. Not sure but I think this is<br>
linked with non routable packet reaching the filter (packet going to the<br>
box for example). And there is a failure at reinject because the packet<br>
can't be send.<br>
<br>
BR,<br>
<div><div class="h5"><br>
><br>
><br>
> 6 Mar 2014 00:49 tarihinde "Özkan KIRIK" <<a href="mailto:ozkan.kirik@gmail.com">ozkan.kirik@gmail.com</a>><br>
> yazdı:<br>
> Hi,<br>
><br>
> I was running suricata with these arguments;<br>
><br>
> suricata -vv -d 8000<br>
><br>
> ipfw add divert 8000 all from any to 10.2.2.10<br>
> ipfw add divert 8000 all from 10.2.2.10 to any<br>
><br>
> 6 Mar 2014 00:45 tarihinde "Shirkdog" <<a href="mailto:shirkdog@gmail.com">shirkdog@gmail.com</a>><br>
> yazdı:<br>
> Do you have ipfw setup with the divert socket set to a<br>
> port?<br>
><br>
> On Mar 5, 2014 5:17 PM, "Özkan KIRIK"<br>
> <<a href="mailto:ozkan.kirik@gmail.com">ozkan.kirik@gmail.com</a>> wrote:<br>
> Hi,<br>
><br>
><br>
> I'm using FreeBSD 10 ipfw and ipdivert<br>
> enabled.<br>
> I tried suricata v.1.4.6, v1.4.7 and also<br>
> 2.0rc1.<br>
><br>
><br>
> All versions throws this error sometimes<br>
> "<Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)]<br>
> - Write to ipfw divert socket failed:<br>
> Permission denied"<br>
> After a while, thread restart threshold<br>
> exceeded and suricata completely shutdown.<br>
><br>
><br>
> I was diverted only 1 host to suricata. But<br>
> still gives this error.<br>
><br>
><br>
> It's strange, I inspected the source-ipfw.c<br>
> file. The problem about injecting packet back<br>
> to divert socket.<br>
><br>
><br>
> errno = 13 - EACCESS.<br>
><br>
><br>
> I saw that SO_BROADCAST option was set to<br>
> socket.<br>
><br>
><br>
> How can i debug this situation, or any<br>
> solutions?<br>
><br>
><br>
> Best regards<br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list:<br>
> <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>
> <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List:<br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</div></div>> _______________________________________________<br>
> Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
> Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Eric Leblond <<a href="mailto:eric@regit.org">eric@regit.org</a>><br>
<br>
</font></span></blockquote></div><br></div>