# From ipfw to pf



## jos3ph (May 29, 2013)

Hi, I'm currently using ipfw on FreeBSD 9.1, but I'm having some problems making it work.

This is my relevant part of rc.conf:

```
firewall_enable="YES"
firewall_script="/etc/firewall.rules"
```

And this is /etc/firewall.rules:

```
ipfw -f flush
ipfw add 60000 fwd localhost,3128 ip from any to any via gre0 in
ipfw add 60500 allow ip from any to any
```

But IPFIREWALL returns an error on the second line:

```
ipfw add 60000 fwd localhost,3128 ip from any to any via gre0 in
```


```
ipfw: getsockopt(IP_FW_ADD): Invalid argument
ipfw: opcode 86, unknown opcode
```

In my kernel I have configured these options:

```
options         IPFIREWALL      # firewall
options         IPFIREWALL_FORWARD      # Enable transparent proxy support
```

Can someone help me with this error? Alternatively, how can I translate those rules with pf?

Many thanks in advance!


----------



## kpa (May 29, 2013)

Something like this:


```
rdr pass on gre0 inet from any to any -> localhost port 3128
```


----------



## phoenix (May 29, 2013)

You have an extra *in* at the end of the second line.  Remove it.


----------



## jos3ph (May 30, 2013)

phoenix said:

> You have an extra *in* at the end of the second line.  Remove it.

That was not the problem, I changed that line to

```
ipfw add 60000 fwd 192.168.1.1,3128 ip from any to any via gre0 in
```

And now it works!!!! But I cannot understand why!!!!

This is my /etc/hosts:


```
# $FreeBSD: release/9.1.0/etc/hosts 109997 2003-01-28 21:29:23Z dbaker $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file.  Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
192.168.1.1             SRV-PROXY SRV-PROXY.testdomain.local
#
# Imaginary network.
#10.0.0.2               myname.my.domain myname
#10.0.0.3               myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
#       10.0.0.0        -   10.255.255.255
#       172.16.0.0      -   172.31.255.255
#       192.168.0.0     -   192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers.  Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#
```

Any idea?


```
manager@SRV-PROXY 7:27 [/home/manager]%ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.030 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.046 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.044 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.029 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=6 ttl=64 time=0.049 ms
64 bytes from 127.0.0.1: icmp_seq=7 ttl=64 time=0.042 ms
^C
--- localhost ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.029/0.040/0.049/0.007 ms
manager@SRV-PROXY 7:29 [/home/manager]%
```


----------



## chrisp (Jun 4, 2013)

jos3ph said:

> ```
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
> ipfw: opcode 86, unknown opcode
> ```


I came across this error today. It occurs when a hostname resolves to an IPv6 address but there is no IPv6 support in the kernel. Commenting out the '::1' for localhost in your /etc/hosts file should resolve the issue.


----------
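Added example, not posted by anyone in this thread: a small POSIX sh script that resolves the target name of an ipfw `fwd` rule against an /etc/hosts-style table, refuses names that only map to IPv6, and emits both the ipfw rule and its pf `rdr` equivalent with an IPv4 literal instead of `localhost`. It makes the failure mode above reproducible offline: the hosts table is constructed inline (it mirrors the /etc/hosts posted earlier, plus a made-up IPv6-only name `v6only`), the function names `hosts_addrs`, `ipv4_for`, `ipfw_fwd_rule` and `pf_rdr_rule` are this example's own, and the `proto tcp` in the pf rule is this example's choice rather than part of kpa's rule.

```shell
#!/bin/sh
# Added example (not from the thread): pick an IPv4 literal for the target of
# an ipfw "fwd" rule. On a kernel built without "options INET6", ipfw(8)
# resolving a name that comes back as ::1 fails with
# "getsockopt(IP_FW_ADD): Invalid argument / opcode 86, unknown opcode".
# Installing the rule with the literal address sidesteps name resolution.

# Constructed hosts table: the thread's /etc/hosts entries (localhost is
# listed as both ::1 and 127.0.0.1) plus a made-up IPv6-only name.
HOSTS_SAMPLE='# Host Database
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
192.168.1.1             SRV-PROXY SRV-PROXY.testdomain.local
2001:db8::10            v6only v6only.testdomain.local'

# hosts_addrs NAME: print every address mapped to NAME, one per line, in
# file order. Comment lines and lines without an alias are skipped.
hosts_addrs() {
    printf '%s\n' "$HOSTS_SAMPLE" | awk -v name="$1" '
        $1 ~ /^#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; break } }'
}

# is_ipv6 ADDR: any address containing a colon is IPv6; IPv4 never has one.
is_ipv6() {
    case "$1" in *:*) return 0 ;; *) return 1 ;; esac
}

# ipv4_for NAME: print the first IPv4 mapping for NAME. Fails (exit 1) when
# the name only maps to IPv6, which is the case an INET6-less ipfw cannot use.
ipv4_for() {
    for a in $(hosts_addrs "$1"); do
        if ! is_ipv6 "$a"; then
            printf '%s\n' "$a"
            return 0
        fi
    done
    echo "ipv4_for: $1 has no IPv4 mapping" >&2
    return 1
}

# ipfw_fwd_rule NUM NAME PORT IFACE: the thread's fwd rule with NAME replaced
# by its IPv4 literal.
ipfw_fwd_rule() {
    addr=$(ipv4_for "$2") || return 1
    printf 'ipfw add %s fwd %s,%s ip from any to any via %s in\n' \
        "$1" "$addr" "$3" "$4"
}

# pf_rdr_rule NAME PORT IFACE: pf translation of the same rule. Limiting it to
# "proto tcp" is this example's choice (a Squid-style proxy on 3128 is TCP
# only); the rule posted in the thread matches all IP.
pf_rdr_rule() {
    addr=$(ipv4_for "$1") || return 1
    printf 'rdr pass on %s inet proto tcp from any to any -> %s port %s\n' \
        "$3" "$addr" "$2"
}

# Usage: both rules for the thread's setup, with localhost resolved to 127.0.0.1.
ipfw_fwd_rule 60000 localhost 3128 gre0
pf_rdr_rule localhost 3128 gre0
```

Run it with `sh` to see the two generated rules; `ipv4_for v6only` exits non-zero, which is the condition to catch before handing a name to ipfw on a kernel without INET6. On a live system, swapping `HOSTS_SAMPLE` for the output of `getent hosts NAME` gives the same check against the real resolver order.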



## jos3ph (Jun 5, 2013)

chrisp said:

> I came across this error today. It occurs when a hostname resolves to an IPv6 address but there is no IPv6 support in the kernel. Commenting out the '::1' for localhost in your /etc/hosts file should resolve the issue.


Thank you very much @chrisp!


----------

