Date:      Wed, 12 Dec 2001 15:04:43 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Mike D <d01f1n@yahoo.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: ipfw/natd problem
Message-ID:  <20011212150443.A53839@sunbay.com>
In-Reply-To: <20011212091105.SVEV2135.mta02-svc.ntlworld.com@there>
References:  <20011212091105.SVEV2135.mta02-svc.ntlworld.com@there>

On Wed, Dec 12, 2001 at 09:10:48AM +0000, Mike D wrote:
> I'm repeatedly getting these messages when the system is up and running.
> 
> Dec 12 08:54:54 host4 natd[268]: failed to write packet back (Permission denied)
> Dec 12 08:55:01 host4 last message repeated 3 times
> 
> My FreeBSD box is acting as an internet gw/fw and has 2 if's: xl0 and xl1.
> 
> here is the filter list:
> 
> 00001 divert 8668 ip from any to any via xl1
> 00050 allow ip from any to any via lo0
> 00051 deny ip from any to 127.0.0.0/8
> 00052 deny ip from 127.0.0.0/8 to any
> 00100 allow ip from any to any via lo0
> 00100 allow ip from any to any via lo0
> 00100 allow ip from any to any via xl0
> 00200 deny ip from any to 127.0.0.0/8
> 00200 allow udp from 194.168.8.100 53 to any in recv xl1
> 00201 allow udp from 194.168.4.100 53 to any in recv xl1
> 00202 allow udp from any to 194.168.8.100 53 out xmit xl1
> 00203 allow udp from any to 194.168.4.100 53 out xmit xl1
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow tcp from any to any out xmit xl1 setup
> 00401 allow tcp from any to any via xl1 established
> 00450 allow tcp from any to any 22 setup
> 00500 allow icmp from any to me via xl1 icmptype 0,3,11
> 00501 deny icmp from any to me via xl1 icmptype 0,8
> 00502 allow icmp from any to any via xl0
> 50000 unreach host ip from any to any
> 65535 deny ip from any to any
> 
> If anybody can suggest why I'm getting this and how to fix it, I would really
> appreciate it.
> 
> Thanks in advance!
> 
After natd(8) translates a packet, it (the new packet) is passed
back to IPFW processing, starting with the next rule number, 50
in your case.  Depending on the nature of a packet, your firewall
may deny the packet, and return EACCES.  Receipt of this
message indicates that your firewall blocked a packet.  It
may be intentional (for example, with your ruleset, you don't
allow incoming TCP traffic for non-established connections),
or unintentional, in which case please try running
natd in verbose mode, and see which packets cause this
message, to have an idea of what specifically is blocked.
If this blocking looks normal to you, FreeBSD 4.4-STABLE
has the -log_ipfw_denied option in natd(8), which, by
default (if not used), disables printing of these
messages.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
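The packet path described in the reply (divert rule, natd rewrite, re-entry into IPFW at the rule after the divert, a deny on that second pass surfacing in natd as EACCES), as an added example that is not part of this thread and not FreeBSD code: a small Python model that parses the ruleset posted in the question and walks constructed sample packets through it. The outside address 198.51.100.2, the inside host 192.168.1.10, the set of addresses that "me" matches and the one-line natd stand-in are assumptions; the ruleset is the one quoted above with one repeated lo0 line dropped.

```python
# Toy model of the ipfw(8)/natd(8) path described in the reply: divert, natd rewrite, re-entry at the
# rule after the divert; a deny on that pass is what natd reports as EACCES. Added example, not FreeBSD code.
import ipaddress, re
from dataclasses import dataclass, replace

PUBLIC = "198.51.100.2"                 # assumed address of xl1 (the outside interface)
LOCAL_ADDRS = {PUBLIC, "192.168.1.1"}   # assumed addresses matched by the "me" keyword
# The "ipfw list" output quoted in the question, as sample input (one repeated lo0 line dropped).
RULESET = """\
00001 divert 8668 ip from any to any via xl1
00050 allow ip from any to any via lo0
00051 deny ip from any to 127.0.0.0/8
00052 deny ip from 127.0.0.0/8 to any
00100 allow ip from any to any via lo0
00100 allow ip from any to any via xl0
00200 deny ip from any to 127.0.0.0/8
00200 allow udp from 194.168.8.100 53 to any in recv xl1
00201 allow udp from 194.168.4.100 53 to any in recv xl1
00202 allow udp from any to 194.168.8.100 53 out xmit xl1
00203 allow udp from any to 194.168.4.100 53 out xmit xl1
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any out xmit xl1 setup
00401 allow tcp from any to any via xl1 established
00450 allow tcp from any to any 22 setup
00500 allow icmp from any to me via xl1 icmptype 0,3,11
00501 deny icmp from any to me via xl1 icmptype 0,8
00502 allow icmp from any to any via xl0
50000 unreach host ip from any to any
65535 deny ip from any to any
"""

@dataclass
class Packet:
    proto: str; src: str; dst: str                              # "tcp"/"udp"/"icmp", addresses
    direction: str; iface: str                                  # "in"/"out", interface seen on
    sport: int = 0; dport: int = 0
    syn: bool = False; ack: bool = False; icmptype: int = -1    # TCP flags, ICMP type

RULE_RE = re.compile(r"(\d+) (allow|deny|divert \d+|unreach \w+) (\w+) from (\S+)(?: (\d+))?"
                     r" to (\S+)(?: (\d+))?(.*)")

def parse_rule(line):
    # Parses the ipfw syntax subset used above: number, action, proto, from/to, options.
    num, action, proto, src, sport, dst, dport, tail = RULE_RE.fullmatch(line).groups()
    opts, toks = {}, tail.split()
    while toks:
        t = toks.pop(0)
        if t in ("via", "recv", "xmit"):
            opts[t] = toks.pop(0)                               # interface name
        elif t == "icmptype":
            opts[t] = {int(x) for x in toks.pop(0).split(",")}
        elif t in ("in", "out", "setup", "established"):
            opts[t] = True
        else:
            raise ValueError(f"unsupported option {t!r} in rule {num}")
    return {"num": int(num), "action": action.split()[0], "proto": proto, "src": src,
            "sport": sport and int(sport), "dst": dst, "dport": dport and int(dport), "opts": opts}

RULES = [parse_rule(line) for line in RULESET.splitlines()]

def addr_match(spec, addr):
    return (spec == "any" or (spec == "me" and addr in LOCAL_ADDRS) or
            (spec not in ("any", "me") and ipaddress.ip_address(addr) in ipaddress.ip_network(spec)))

def rule_match(r, p):
    o = r["opts"]
    return (r["proto"] in ("ip", p.proto)
            and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)
            and ("in" not in o or p.direction == "in") and ("out" not in o or p.direction == "out")
            and ("via" not in o or o["via"] == p.iface) and ("icmptype" not in o or p.icmptype in o["icmptype"])
            and ("recv" not in o or (p.direction == "in" and o["recv"] == p.iface))
            and ("xmit" not in o or (p.direction == "out" and o["xmit"] == p.iface))
            and ("setup" not in o or (p.syn and not p.ack)) and ("established" not in o or p.ack))

def natd_translate(p):
    # Stand-in for natd(8): outbound packets get the public source address; inbound ones pass unchanged.
    return replace(p, src=PUBLIC) if p.direction == "out" else p

def ipfw_run(p, after=0):
    # Walks the rules in order, skipping numbers <= after: natd's re-injected packet resumes after the divert rule.
    for r in RULES:
        if r["num"] <= after or not rule_match(r, p):
            continue
        if r["action"] != "divert":
            return ("allow" if r["action"] == "allow" else "deny", r["num"], None)
        verdict, num, _ = ipfw_run(natd_translate(p), after=r["num"])
        # A deny on this second pass reaches natd as EACCES on its divert-socket write.
        msg = "failed to write packet back (Permission denied)" if verdict == "deny" else None
        return (verdict, num, msg)
    return ("deny", 65535, None)

# Constructed sample traffic on the outside interface xl1.
SAMPLES = {
    "outbound web SYN": Packet("tcp", "192.168.1.10", "203.0.113.7", "out", "xl1", 40000, 80, syn=True),
    "unsolicited inbound SYN": Packet("tcp", "203.0.113.7", PUBLIC, "in", "xl1", 5555, 80, syn=True),
    "inbound ping (echo request)": Packet("icmp", "203.0.113.7", PUBLIC, "in", "xl1", icmptype=8),
    "inbound DNS reply": Packet("udp", "194.168.8.100", PUBLIC, "in", "xl1", 53, 53000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28} -> {ipfw_run(pkt)}")
```

Running it prints the rule each sample stops at. The unsolicited inbound SYN falls through to rule 50000 and carries the "failed to write packet back" message, which is the benign case the reply describes (no rule admits new inbound TCP connections); the inbound echo request is stopped by rule 501 the same way, while the outbound SYN and the DNS reply are admitted by rules 400 and 200 on the second pass. Real ipfw resumes at the next rule position rather than by number; the model approximates that with the rule number, which is exact here because the divert rule is number 1.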
