Re: ipfw/natd problem?

From: Crist J . Clark (cjc@FreeBSD.ORG)
Date: 12/06/01


Date: Thu, 6 Dec 2001 00:46:42 -0800
From: "Crist J . Clark" <cjc@FreeBSD.ORG>
To: Mike D <d01f1n@yahoo.com>

On Thu, Dec 06, 2001 at 07:34:57AM +0000, Mike D wrote:
> Anyway I can suppress these / log them instead? Should I be getting them at
> all - have I forgotten to configure something for natd?

It means that packets are getting blocked after they go through
natd(8). You can log them by adding 'log' to rule 50000. But that
won't stop the messages you are seeing. You can stop the messages by
blocking the offending packets before the divert(4) rule. If you don't
want to do that, look for 'log_denied' in natd(8).

> On Thursday 06 December 2001 7:32 am, Crist J . Clark wrote:
> > On Thu, Dec 06, 2001 at 07:19:14AM +0000, Mike D wrote:
> > > I'm getting this error all the time since I've set up my FreeBSD 4.4 with
> > > ipfw and natd as part of the kernel.
> > >
> > > Dec 6 00:03:09 host4 natd[195]: failed to write packet back (Permission
> > > denied)
> > > Dec 6 00:13:53 host4 last message repeated 26 times
> > >
> > > This is the rules list I have for ipfw:
> > >
> > > 00050 24 1194 allow ip from any to any via lo0
> > > 00051 0 0 deny ip from any to 127.0.0.0/8
> > > 00052 0 0 deny ip from 127.0.0.0/8 to any
> > > 00060 1098 282242 divert 8668 ip from any to any via xl1
> > > 00100 0 0 allow ip from any to any via lo0
> > > 00100 4840 3315967 allow ip from any to any via xl0
> > > 00200 0 0 deny ip from any to 127.0.0.0/8
> > > 00200 1 540 allow udp from 194.168.8.100 53 to any in recv xl1
> > > 00201 37 10088 allow udp from 194.168.4.100 53 to any in recv xl1
> > > 00202 1 59 allow udp from any to 194.168.8.100 53 out xmit xl1
> > > 00203 37 2429 allow udp from any to 194.168.4.100 53 out xmit xl1
> > > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > > 00400 39 2232 allow tcp from any to any out xmit xl1 setup
> > > 00401 933 257294 allow tcp from any to any via xl1 established
> > > 00450 0 0 allow tcp from any to any 22 setup
> > > 50000 50 9600 unreach host ip from any to any
> >
> > There they are. Any of those that went through natd(8) and hit this
> > rule will cause that.
> >
> > > 65535 1 328 deny ip from any to any
> > >
> > > Any suggestions as to what it could be? I'm really stumped - any help
> > > would be appreciated.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
"It's always funny until someone gets hurt. Then it's hilarious."
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
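The ordering point in the reply above (ipfw walks rules in ascending number order, so a blocking rule numbered after the divert rule rejects packets natd has already rewritten, and natd reports "failed to write packet back (Permission denied)") can be checked mechanically against an `ipfw -a list` dump. The following is an added example, not code from the thread or from FreeBSD; it parses the rule set quoted in the thread, lists the blocking rules that sit after the divert rule, and prints the two remedies the reply names as concrete commands. The parser, the `ACTION_ARGS` table and the `<OFFENDING-SRC>`/`<OFFENDING-DST>` placeholders are assumptions of this example; the `-log_denied` natd flag and the `net.inet.ip.fw.verbose` sysctl are the real ones referred to in natd(8) and ipfw(8).

```python
import re

# Rule list as quoted in the thread (`ipfw -a list` format: number, packets, bytes, rule body).
SAMPLE_RULES = """\
00050 24 1194 allow ip from any to any via lo0
00051 0 0 deny ip from any to 127.0.0.0/8
00052 0 0 deny ip from 127.0.0.0/8 to any
00060 1098 282242 divert 8668 ip from any to any via xl1
00100 0 0 allow ip from any to any via lo0
00100 4840 3315967 allow ip from any to any via xl0
00200 0 0 deny ip from any to 127.0.0.0/8
00200 1 540 allow udp from 194.168.8.100 53 to any in recv xl1
00201 37 10088 allow udp from 194.168.4.100 53 to any in recv xl1
00202 1 59 allow udp from any to 194.168.8.100 53 out xmit xl1
00203 37 2429 allow udp from any to 194.168.4.100 53 out xmit xl1
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 39 2232 allow tcp from any to any out xmit xl1 setup
00401 933 257294 allow tcp from any to any via xl1 established
00450 0 0 allow tcp from any to any 22 setup
50000 50 9600 unreach host ip from any to any
65535 1 328 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
BLOCKING_ACTIONS = {"deny", "drop", "reject", "unreach", "reset"}
# Actions that take one argument before the match part (assumed table, covers the common cases).
ACTION_ARGS = {"unreach": 1, "divert": 1, "tee": 1, "skipto": 1, "pipe": 1, "queue": 1, "fwd": 1}
DEFAULT_RULE = 65535  # the built-in last rule; it cannot be deleted and re-added


def parse_rules(text):
    """Parse `ipfw -a list` output into dicts; lines that do not look like rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, pkts, byts, action, rest = m.groups()
        tokens = rest.split()
        nargs = ACTION_ARGS.get(action, 0)
        rules.append({
            "num": int(num), "packets": int(pkts), "bytes": int(byts),
            "action": action, "args": tokens[:nargs], "match": " ".join(tokens[nargs:]),
        })
    return rules


def first_divert(rules):
    """Lowest-numbered divert rule, or None if natd is not hooked in at all."""
    nums = [r["num"] for r in rules if r["action"] == "divert"]
    return min(nums) if nums else None


def blocking_after_divert(rules):
    """Blocking rules evaluated after the divert rule: any packet they reject has
    already been through natd, which is exactly what produces the syslog message."""
    d = first_divert(rules)
    if d is None:
        return []
    return [r for r in rules if r["num"] > d and r["action"] in BLOCKING_ACTIONS]


def likely_culprits(rules):
    """Of those, the ones with a non-zero packet counter are the ones currently firing."""
    return [r for r in blocking_after_divert(rules) if r["packets"] > 0]


def log_rule_command(rule):
    """Remedy 1 from the reply: re-add the rejecting rule with `log` under the same
    number so it keeps its position. Needs sysctl net.inet.ip.fw.verbose=1 to emit
    anything. Returns None for rule 65535, which cannot be replaced this way."""
    if rule["num"] == DEFAULT_RULE:
        return None
    head = " ".join([rule["action"], *rule["args"]])
    return f"ipfw delete {rule['num']} && ipfw add {rule['num']} {head} log {rule['match']}"


def pre_divert_block_template(rules):
    """Remedy 2 from the reply: block the offending traffic before it reaches the divert
    rule. Picks the highest free number below the divert rule; the addresses are
    placeholders because the thread does not say what the offending packets are."""
    d = first_divert(rules)
    if d is None:
        return None
    used = {r["num"] for r in rules}
    n = d - 1
    while n in used and n > 0:
        n -= 1
    return f"ipfw add {n} deny log ip from <OFFENDING-SRC> to <OFFENDING-DST>"


def report(text):
    rules = parse_rules(text)
    lines = [f"divert rule: {first_divert(rules)}"]
    for r in likely_culprits(rules):
        lines.append(f"rule {r['num']} ({r['action']}) rejected {r['packets']} post-natd packets")
        cmd = log_rule_command(r)
        if cmd:
            lines.append(f"  to log them: {cmd}")
    lines.append(f"to stop the messages instead: {pre_divert_block_template(rules)}")
    lines.append("or have natd log them itself: natd -log_denied ...  (see natd(8))")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)))
```

Run against the quoted rule set it names rule 50000 (50 packets) and the default rule 65535 (1 packet) as the rules rejecting post-natd packets, which matches the reply's "any of those that went through natd(8) and hit this rule will cause that"; the 127.0.0.0/8 deny rules at 200 and 300 also sit after the divert rule but have not matched anything.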

