Date: Tue, 2 Oct 2001 22:22:48 -0700
From: Chip <chip@wiegand.org>
To: freebsd-questions@FreeBSD.ORG
Subject: natd permission denied at bootup
Message-ID: <0110022222480G.96094@chip.wiegand.org>
I have checked the archives and cannot find the answer for this particular problem. I am setting up another machine to replace my current firewall/natd box. I have installed 4.4-release, recompiled the kernel for firewall & ipdivert, set up the rc.firewall, natd.conf, rc.conf, resolv.conf files. Both nics ping each other and other machines on the inside network, and answer to pings from other machines inside the network.

When the machine boots up I get the following messages:

natd: failed to write packet back (permission denied)
routed: send bcast sendto(xl0): permission denied
starting final network daemons: firewall, routed: sendto(dc0): permission denied.

Any ideas what's going on here? I have verified all the files with the existing firewall box and it's been working fine for a couple years. I have also replaced rc.firewall with a different one that has only -

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via dc0
/sbin/ipfw add pass all from any to any

And I get the same error messages. It appears to be a route problem, but netstat does show a default route (see below). I am at a total loss for a solution here. I have included the relevant files text below.

Here's a bit of my dmesg, unfortunately, it didn't go long enough to show the errors (the ones mentioned above):
-------------------------------------
Copyright (c) 1992-2001 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 4.4-RELEASE #0: Thu Sep 27 19:58:43 GMT 2001
    root@firewall.wiegand.org:/usr/src/sys/compile/WIEGAND
<snipped>
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0xf400-0xf47f mem 0xffadff80-0xffadffff irq 11 at device 9.0 on pci0
xl0: Ethernet address: 00:50:da:06:ef:1f
miibus0: <MII bus> on xl0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: <LC82C115 PNIC II 10/100BaseTX> port 0xf600-0xf6ff mem 0xffadfe00-0xffadfeff irq 10 at device 11.0 on pci0
dc0: Ethernet address: 00:a0:cc:e4:87:a5
miibus1: <MII bus> on dc0
dcphy0: <Intel 21143 NWAY media interface> on miibus1
dcphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
<snipped>
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging limited to 100 packets/entry by default
ad0: 3089MB <Maxtor 83249D3> [6278/16/63] at ata0-master UDMA33
(null): MODE_SENSE_BIG - UNIT ATTENTION asc=29 ascq=00 error=04
acd0: CDROM <CD-ROM CDU55E> at ata0-slave using PIO0
Mounting root from ufs:/dev/ad0s1a
-------------------------------------------

Here's ifconfig -a
---------------------------------------------
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::250:daff:fe06:ef1f%xl0 prefixlen 64 scopeid 0x1
	ether 00:50:da:06:ef:1f
	media: Ethernet autoselect (10baseT/UTP)
	status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 66.114.152.128 netmask 0xfffff800 broadcast 66.114.159.255
	inet6 fe80::2a0:ccff:fee4:87a5%dc0 prefixlen 64 scopeid 0x2
	ether 00:a0:cc:e4:87:a5
	media: Ethernet autoselect (10baseT/UTP)
	status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8000<MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
	inet 127.0.0.1 netmask 0xff000000
----------------------------------------------

Here's natd.conf
----------------------------------------------
use_sockets yes
port 8668
log
unregistered_only
redirect_port tcp 192.168.1.14:80 80
----------------------------------------------

Here's netstat -rn
----------------------------------------------
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            66.114.152.1       UGSc        5       53      dc0
66.114.152/21      link#2             UC          2        0      dc0
66.114.152.1       link#2             UHLW        3        0      dc0
66.114.159.255     ff:ff:ff:ff:ff:ff  UHLWb       0        1      dc0
127.0.0.1          127.0.0.1          UH          0        0      lo0
192.168.1          link#1             UC          0        0      xl0
<inet6 stuff snipped>
----------------------------------------------

Here's rc.conf
----------------------------------------------
# -- sysinstall generated deltas -- # Tue Sep 25 22:38:43 2001
# Created: Tue Sep 25 22:38:43 2001
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
network_interfaces="xl0 dc0 lo0"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"
gateway_enable="YES"
natd_interface="dc0"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
router_enable="YES"
defaultrouter="66.114.152.1"
hostname="firewall.wiegand.org"
ifconfig_xl0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_dc0="inet 66.114.152.128 netmask 255.255.248.0"
moused_enable="YES"
moused_port="/dev/cuaa1"
moused_type="mouseman"
sendmail_enable="NO"
sshd_enable="YES"
------------------------------------------------

Here's rc.firewall
------------------------------------------------
# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

fwcmd="/sbin/ipfw"

# Outside nic
oif="dc0"
onet="66.114.152.0"
omask="255.255.255.128"
oip="66.114.152.128"

# Inside nic
iif="xl0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.10"

# ISP's DNS numbers
dns1="207.115.64.222"
dns2="207.115.64.223"

${fwcmd} -f flush

# allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Natd
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53 keep-state
${fwcmd} add pass udp from any to ${dns2} 53 keep-state
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# Allow local SMB traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# Allow inside machines to log to us
${fwcmd} add pass log udp from any to any 514 via ${iif}

# Allow outbound traceroute
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

# Allow all icmp on internal
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outbound pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow other icmp types
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny all other icmp types
${fwcmd} add deny icmp from any to any

# Reject broadcasts from the oif
${fwcmd} add 63000 deny ip from any 0.0.0.255:0.0.0.255 in via ${oif}

# Reject and log smb connections from oif
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject and log all other connections from oif
${fwcmd} add 65000 deny log ip from any to any via ${oif}

# Everything else is denied by default in the kernel WIEGAND
--------------------------------------------------

Thanks for your assistance,
--
Chip W.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0110022222480G.96094>
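Background for reading the errors in the post above: when ipfw denies a packet that a local daemon is sending, the kernel returns EACCES ("permission denied") from sendto(), and natd reports the same errno as "failed to write packet back" when the packet it reinjects after a divert is denied on its second pass through the rules. The trace below is an added example, not code from the poster or from FreeBSD: a simplified first-match model of ipfw (keep-state, frag and TCP-flag matching left out, and the rule-63000 mask syntax not modelled) run over the UDP-relevant subset of the posted rc.firewall rules, with three constructed packets: the RIP broadcasts routed(8) sends on each interface (UDP 520 to each interface's broadcast address from the posted ifconfig), and an inside syslog datagram as a positive control. Rule numbers are assigned here for the trace; ipfw numbers the unnumbered rules itself.

```python
"""First-match trace of locally generated packets through an ipfw ruleset.

Added example. Simplified model of ipfw(8): rules are tried in ascending
order and the first match decides; a 'divert' rule hands the packet to
natd, which reinjects it and matching resumes at the next rule; no match
means the kernel default (this kernel boots with "default to deny").
keep-state, frag and TCP flag matching are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: int
    iface: str          # interface the packet crosses ("via")
    direction: str      # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str                          # "pass", "deny" or "divert"
    proto: str = "all"                   # "all"/"ip" match any protocol
    src: str = "any"                     # CIDR or "any"
    dst: str = "any"
    dports: Optional[range] = None       # destination port range
    iface: Optional[str] = None          # "via <iface>"
    direction: Optional[str] = None      # "in"/"out", None = either

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("all", "ip", p.proto):
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        return True


DEFAULT_DENY = 65535    # ipfw's implicit last rule on a default-to-deny kernel


def first_match(rules, p, start_after=0):
    for r in rules:
        if r.number > start_after and r.matches(p):
            return r
    return None


def verdict(rules, p):
    """Return (action, rule_number) for the rule that finally decides p."""
    r = first_match(rules, p)
    if r is not None and r.action == "divert":
        # natd reinjects the packet; evaluation resumes after the divert rule.
        # A deny here is what natd logs as "failed to write packet back".
        r = first_match(rules, p, start_after=r.number)
    if r is None:
        return ("deny", DEFAULT_DENY)
    return (r.action, r.number)


OIF, IIF = "dc0", "xl0"

# Posted rc.firewall rules that can match UDP, in posted order (numbers
# assigned here for the trace; ipfw numbers unnumbered rules itself).
RULES = [
    Rule(100, "pass", iface="lo0"),
    Rule(200, "deny", dst="127.0.0.0/8"),
    Rule(300, "deny", src="192.168.1.0/24", iface=OIF, direction="in"),
    Rule(400, "deny", dst="10.0.0.0/8", iface=OIF),
    Rule(500, "deny", dst="192.168.0.0/16", iface=OIF),
    Rule(600, "divert", iface=OIF),                   # divert natd ... via dc0
    Rule(700, "deny", src="192.168.0.0/16", iface=OIF),
    Rule(800, "pass", proto="udp", dst="207.115.64.222/32", dports=range(53, 54)),
    Rule(900, "pass", proto="udp", dports=range(137, 140), iface=IIF),
    Rule(1000, "pass", proto="udp", dports=range(514, 515), iface=IIF),
    Rule(1100, "pass", proto="udp", dports=range(33434, 33524), iface=OIF, direction="out"),
    Rule(64000, "deny", proto="udp", dports=range(137, 140), iface=OIF),
    Rule(65000, "deny", iface=OIF),
]

# Constructed packets: RIP broadcasts as routed(8) sends them (UDP 520 to the
# broadcast address of each interface, taken from the posted ifconfig), plus
# an inside syslog datagram as a positive control.
RIP_INSIDE = Packet("udp", "192.168.1.10", "192.168.1.255", 520, IIF, "out")
RIP_OUTSIDE = Packet("udp", "66.114.152.128", "66.114.159.255", 520, OIF, "out")
SYSLOG_INSIDE = Packet("udp", "192.168.1.14", "192.168.1.10", 514, IIF, "in")

if __name__ == "__main__":
    for name, p in [("RIP via xl0", RIP_INSIDE), ("RIP via dc0", RIP_OUTSIDE),
                    ("syslog via xl0", SYSLOG_INSIDE)]:
        action, num = verdict(RULES, p)
        print(f"{name:15s} -> {action} by rule {num}")
```

With this subset the inside RIP broadcast matches no pass rule and falls to the kernel default deny, while the outside one is diverted to natd and then denied by rule 65000 on reinjection; the syslog datagram is passed by the port-514 rule, which shows the model is not simply denying everything. The same loop can be fed any ipfw ruleset and any daemon's traffic to find which rule a "permission denied" actually comes from.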