
"IpfwLoop: write to divert socket failed" on FreeBSD 6.1


Posted by gaspar on June 19, 2006 07:54:20

Hi.

Has anyone else already set up snort_inline with ipfw on a FreeBSD box? I'm getting the following error:

IpfwLoop: write to divert socket failed

I have no idea what's happening. My box is as follows:

FreeBSD 6.1-STABLE FreeBSD 6.1-STABLE #0

Kernel build options:

device if_bridge
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT

IPFW divert rule:

divert 8000 all from machine1 to machine2 via if1

where if1 is one of the member interfaces of the bridge, machine1 is on the bridge and machine2 is an external machine. Observe that I am not filtering on layer 2, because ipfw does not divert bridged packets.

net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw: 0
net.link.ether.ipfw: 0

The config file is the default snort_inline.conf. I've also tried layer2resets with no success (using the bridge interface MAC).

Command line options:
snort_inline -v -J 8000 -d -s -h xxx.xxx.xxx.xxx/xx -l /var/log/snort_inline -c /usr/local/etc/snort_inline.conf

Thanks in advance!
Carlos

Posted by MaleficCode on September 22, 2006 02:45:16

What version of snort are you running? Is it the snort_inline from FreeBSD ports?

Posted by gaspar on September 25, 2006 17:51:23

Yes, snort_inline 2.3.0RC1 from ports.

Posted by MaleficCode on November 11, 2006 01:00:31

I apologize for not replying sooner. I'm pretty sure that snort_inline from ports won't allow use of a bridge. The issue is that the bridge code in FreeBSD does not support the divert socket. I haven't checked on this recently but I'm pretty sure it still doesn't. However, if it has been patched by someone else and you trust that person then you might be in luck. You could always hack the bridge code yourself. ;) I had 2.3.0 from ports working on FreeBSD 6.x and now have 2.4.x from ports running fine. So at this point I would say that using natd would probably be your best bet. Here are some links to some useful information about it:

http://freebsd.rogness.net/snort_inline/

http://taosecurity.blogspot.com/2004/04/tips-on-network-hardware-from-snort.html

Good luck, hope this helped.

Mc


Posted by NickRogness on January 16, 2007 18:00:10


This is a true statement. You can't use bridging with ipfw and snort_inline. There is no ETA on when this will be available.

Posted by gaspar on January 18, 2007 02:23:35

Hi guys.
Thanks for your help.

Posted by YTChris on March 25, 2008 07:11:55

This is no longer true. With if_bridge, the replacement for bridge, ipfw and snort_inline do work through divert now.
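For a host where the last reply applies (if_bridge(4), ipfw, and a kernel built with IPDIVERT as in the first post), the script below assembles the sysctl and ipfw commands that hand bridged traffic between two hosts to snort_inline on a divert socket, and first checks the bridge pfil sysctls that decide whether ipfw sees the bridged IP packets at all. It is an added example, not code from this thread or from the snort_inline project; the interface name, divert port and the two host addresses are assumed values standing in for the original post's if1, 8000, machine1 and machine2.

```shell
#!/bin/sh
# Added example (not from the thread or the snort_inline project).
# Usage: sh divert_setup.sh show   - print the sysctl and ipfw commands
#        sh divert_setup.sh apply  - run them after the pfil check passes
# Everything below the comments is an assumption chosen for illustration.

DIVERT_PORT=${DIVERT_PORT:-8000}             # must match "snort_inline -J 8000"
MEMBER_IF=${MEMBER_IF:-if1}                  # bridge member the traffic crosses
INSIDE_HOST=${INSIDE_HOST:-192.0.2.10}       # stands in for "machine1" (constructed)
OUTSIDE_HOST=${OUTSIDE_HOST:-198.51.100.20}  # stands in for "machine2" (constructed)

# check_bridge_pfil MEMBER BRIDGE IPFW
#   MEMBER = net.link.bridge.pfil_member, BRIDGE = net.link.bridge.pfil_bridge,
#   IPFW   = net.link.bridge.ipfw
# Prints "ok" when bridged IP packets reach ipfw through a pfil hook on the
# member or bridge interface; otherwise prints the reason and returns 1.
check_bridge_pfil() {
    member=$1 bridge=$2 l2ipfw=$3
    if [ "$member" != 1 ] && [ "$bridge" != 1 ]; then
        echo "no pfil hook: set net.link.bridge.pfil_member=1 or net.link.bridge.pfil_bridge=1"
        return 1
    fi
    if [ "$l2ipfw" = 1 ]; then
        # As the original post notes, ipfw does not divert packets it sees at layer 2.
        echo "net.link.bridge.ipfw=1 filters at layer 2, where ipfw does not divert"
        return 1
    fi
    echo ok
}

# current_sysctl NAME: the live value, or 0 when it cannot be read (non-FreeBSD host).
current_sysctl() {
    sysctl -n "$1" 2>/dev/null || echo 0
}

# The settings check_bridge_pfil expects: filter on the member interface only.
sysctl_commands() {
    printf '%s\n' \
        'sysctl net.link.bridge.pfil_member=1' \
        'sysctl net.link.bridge.pfil_bridge=0' \
        'sysctl net.link.bridge.ipfw=0'
}

# Divert both directions to snort_inline, then allow what it writes back.
# A packet re-injected on the divert socket re-enters ipfw after the rule
# that diverted it, so the trailing allow is what finally passes it.
ipfw_commands() {
    printf '%s\n' \
        "ipfw add 100 divert $DIVERT_PORT ip from $INSIDE_HOST to $OUTSIDE_HOST via $MEMBER_IF" \
        "ipfw add 101 divert $DIVERT_PORT ip from $OUTSIDE_HOST to $INSIDE_HOST via $MEMBER_IF" \
        "ipfw add 200 allow ip from any to any"
}

main() {
    if [ "$1" = apply ]; then
        sysctl_commands | sh -e
        check_bridge_pfil "$(current_sysctl net.link.bridge.pfil_member)" \
                          "$(current_sysctl net.link.bridge.pfil_bridge)" \
                          "$(current_sysctl net.link.bridge.ipfw)" || exit 1
        ipfw_commands | sh -e
    else
        sysctl_commands
        ipfw_commands
    fi
}

main "${1:-show}"
```

Run it with `show` first and compare the printed rules with `ipfw list` on the box; `apply` stops before adding any ipfw rule when the pfil check fails, which is the situation the first post describes when only layer-2 filtering is enabled.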