[Oisf-users] [Oisf-devel] Suricata - Write to ipfw divert socket failed
Özkan KIRIK
ozkan.kirik at gmail.com
Thu Mar 6 07:17:47 UTC 2014
ipfw -ad list
00004 0 0 deny ip from any to any MAC e8:03:9a:0f:74:7b any
00005 63668675 49628511386 allow ip from any to any layer2
00100 25849 4724396 divert 8000 all from any to 10.2.2.10 not layer2
00200 26579 5122809 divert 8000 all from 10.2.2.10 to any not layer2
00300 365312 25436015 skipto 600 udp from any to any dst-port 53,1812
00400 334817 71431398 skipto 600 udp from any 53,1812 to any
00500 77815 5612395 deny udp from any to any
00600 4928083 1457516245 nat tablearg ip from table(10) to any via igb1 // VLAN NAT
00600 13655296 16815414254 nat tablearg ip from any to table(11) via igb1 // VLAN NAT
##Dynamic rules:
On Thu, Mar 6, 2014 at 1:02 AM, Eric Leblond <eric at regit.org> wrote:
> Hi,
>
> On Thu, 2014-03-06 at 00:55 +0200, Özkan KIRIK wrote:
> > I tried compiling with both clang and gcc. The result was the same.
> >
> > This error appears sometimes. Not for all packets.
> >
> > There is only one rule : pass ip any any -> any any
>
> There is an old memory coming back to me. Not sure, but I think this is
> linked with a non-routable packet reaching the filter (a packet going to the
> box, for example). And there is a failure at reinject because the packet
> can't be sent.
>
> BR,
>
> >
> >
> > On 6 Mar 2014 00:49, "Özkan KIRIK" <ozkan.kirik at gmail.com> wrote:
> > Hi,
> >
> > I was running suricata with these arguments:
> >
> > suricata -vv -d 8000
> >
> > ipfw add divert 8000 all from any to 10.2.2.10
> > ipfw add divert 8000 all from 10.2.2.10 to any
> >
> > On 6 Mar 2014 00:45, "Shirkdog" <shirkdog at gmail.com> wrote:
> > Do you have ipfw set up with the divert socket set to a port?
> >
> > On Mar 5, 2014 5:17 PM, "Özkan KIRIK"
> > <ozkan.kirik at gmail.com> wrote:
> > Hi,
> >
> >
> > I'm using FreeBSD 10 with ipfw and ipdivert enabled.
> > I tried suricata v1.4.6, v1.4.7 and also 2.0rc1.
> >
> > All versions sometimes throw this error:
> > "<Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied"
> > After a while, the thread restart threshold is exceeded and suricata shuts down completely.
> >
> > I diverted only 1 host to suricata, but it still gives this error.
> >
> > It's strange. I inspected the source-ipfw.c file. The problem is about
> > injecting the packet back to the divert socket.
> >
> > errno = 13 - EACCES.
> >
> > I saw that the SO_BROADCAST option was set on the socket.
> >
> > How can I debug this situation, or are there any solutions?
> >
> >
> > Best regards
> >
>
> --
> Eric Leblond <eric at regit.org>
>
>