From owner-freebsd-questions Tue Oct  2 22:19:23 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from pioneernet.net (mail.pioneernet.net [207.115.64.224]) by hub.freebsd.org (Postfix) with ESMTP id 7D3C537B403; Tue, 2 Oct 2001 22:19:13 -0700 (PDT)
Received: from chip.wiegand.org [66.114.152.128] by pioneernet.net (SMTPD32-6.06) id AFD82E10156; Tue, 02 Oct 2001 22:19:20 -0700
From: Chip
To: freebsd-questions@FreeBSD.ORG
Subject: natd permission denied at bootup
Date: Tue, 2 Oct 2001 22:22:48 -0700
X-Mailer: KMail [version 1.2]
Message-Id: <0110022222480G.96094@chip.wiegand.org>
Sender: owner-freebsd-questions@FreeBSD.ORG

I have checked the archives and cannot find the answer for this particular problem.

I am setting up another machine to replace my current firewall/natd box. I have installed 4.4-release, recompiled the kernel for firewall & ipdivert, set up the rc.firewall, natd.conf, rc.conf, resolv.conf files. Both nics ping each other and other machines on the inside network, and answer to pings from other machines inside the network. When the machine boots up I get the following messages:

natd: failed to write packet back (permission denied)
routed: send bcast sendto(xl0): permission denied
starting final network daemons: firewall, routed: sendto(dc0): permission denied.

Any ideas what's going on here? I have verified all the files with the existing firewall box and it's been working fine for a couple years. I have also replaced rc.firewall with a different one that has only -

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via dc0
/sbin/ipfw add pass all from any to any

And I get the same error messages. It appears to be a route problem, but netstat does show a default route (see below).
I am at a total loss for a solution here. I have included the relevant files text below.

Here's a bit of my dmesg, unfortunately, it didn't go long enough to show the errors (the ones mentioned above):
-------------------------------------
Copyright (c) 1992-2001 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 4.4-RELEASE #0: Thu Sep 27 19:58:43 GMT 2001
    root@firewall.wiegand.org:/usr/src/sys/compile/WIEGAND
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0xf400-0xf47f mem 0xffadff80-0xffadffff irq 11 at device 9.0 on pci0
xl0: Ethernet address: 00:50:da:06:ef:1f
miibus0: on xl0
ukphy0: on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: port 0xf600-0xf6ff mem 0xffadfe00-0xffadfeff irq 10 at device 11.0 on pci0
dc0: Ethernet address: 00:a0:cc:e4:87:a5
miibus1: on dc0
dcphy0: on miibus1
dcphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging limited to 100 packets/entry by default
ad0: 3089MB [6278/16/63] at ata0-master UDMA33
(null): MODE_SENSE_BIG - UNIT ATTENTION asc=29 ascq=00 error=04
acd0: CDROM at ata0-slave using PIO0
Mounting root from ufs:/dev/ad0s1a
-------------------------------------------
Here's ifconfig -a
---------------------------------------------
xl0: flags=8843 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:daff:fe06:ef1f%xl0 prefixlen 64 scopeid 0x1
        ether 00:50:da:06:ef:1f
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc0: flags=8843 mtu 1500
        inet 66.114.152.128 netmask 0xfffff800 broadcast 66.114.159.255
        inet6 fe80::2a0:ccff:fee4:87a5%dc0 prefixlen 64 scopeid 0x2
        ether 00:a0:cc:e4:87:a5
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810 mtu 1500
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8000 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
----------------------------------------------
Here's natd.conf
----------------------------------------------
use_sockets yes
port 8668
log unregistered_only
redirect_port tcp 192.168.1.14:80 80
----------------------------------------------
Here's netstat -rn
----------------------------------------------
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            66.114.152.1       UGSc        5       53    dc0
66.114.152/21      link#2             UC          2        0    dc0
66.114.152.1       link#2             UHLW        3        0    dc0
66.114.159.255     ff:ff:ff:ff:ff:ff  UHLWb       0        1    dc0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.1          link#1             UC          0        0    xl0
----------------------------------------------
Here's rc.conf
----------------------------------------------
# -- sysinstall generated deltas -- # Tue Sep 25 22:38:43 2001
# Created: Tue Sep 25 22:38:43 2001
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
network_interfaces="xl0 dc0 lo0"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"
gateway_enable="YES"
natd_interface="dc0"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
router_enable="YES"
defaultrouter="66.114.152.1"
hostname="firewall.wiegand.org"
ifconfig_xl0="inet 192.168.1.10  netmask 255.255.255.0"
ifconfig_dc0="inet 66.114.152.128 netmask 255.255.248.0"
moused_enable="YES"
moused_port="/dev/cuaa1"
moused_type="mouseman"
sendmail_enable="NO"
sshd_enable="YES"
------------------------------------------------
Here's rc.firewall
------------------------------------------------
# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

fwcmd="/sbin/ipfw"

# Outside nic
oif="dc0"
onet="66.114.152.0"
omask="255.255.255.128"
oip="66.114.152.128"

# Inside nic
iif="xl0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.10"

# ISP's DNS numbers
dns1="207.115.64.222"
dns2="207.115.64.223"

${fwcmd} -f flush

# allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Natd
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53 keep-state
${fwcmd} add pass udp from any to ${dns2} 53 keep-state
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# Allow local SMB traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# Allow inside machines to log to us
${fwcmd} add pass log udp from any to any 514 via ${iif}

# Allow outbound traceroute
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

# Allow all icmp on internal
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outbound pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow other icmp types
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny all other icmp types
${fwcmd} add deny icmp from any to any

# Reject broadcasts from the oif (addresses whose last octet is 255)
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject and log smb connections from oif
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject and log all other connections from oif
${fwcmd} add 65000 deny log ip from any to any via ${oif}

# Everything else is denied by default in the kernel WIEGAND
--------------------------------------------------

Thanks for your assistance,
--
Chip W.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
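As an added example (not code from the post or from FreeBSD), this walks a packet through the ruleset the way ipfw's first-match evaluation does, using a constructed subset of the rc.firewall above with oif=dc0 and iif=xl0 expanded, and two constructed packets standing for the RIP broadcasts routed sends at boot. It shows the xl0 broadcast falling through to the kernel's default deny noted in the dmesg, and the dc0 broadcast, after the divert hands it to natd and natd writes it back to continue at the next rule, being caught by rule 65000; a locally generated packet that ipfw denies is reported to the sender as EACCES, the "permission denied" in the boot messages. Assumptions: the omitted TCP, DNS, ICMP, fragment and reserved-net rules name other protocols or addresses and cannot match a UDP/520 broadcast, and natd's address rewriting itself is not modelled.

```python
import ipaddress
import re

RULESET = """
add 100 pass all from any to any via lo0
add deny all from 192.168.1.0:255.255.255.0 to any in via dc0
add deny all from 66.114.152.0:255.255.255.128 to any in via xl0
add divert natd all from any to any via dc0
add pass udp from any to any 137-139 via xl0
add pass log udp from any to any 514 via xl0
add 65000 deny log ip from any to any via dc0
"""  # constructed: a subset of the posted rc.firewall with oif=dc0 and iif=xl0 expanded
RULE_RE = re.compile(r"add\s+(?:\d+\s+)?(pass|deny|divert natd)\s+(?:log\s+)?(\S+)"
                     r"\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+(\d+(?:-\d+)?))?(.*)")

def _net(tok):  # 'any', 'a.b.c.d/len' or ipfw's 'a.b.c.d:mask' form
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def parse_rule(line):
    """Parse one 'add ...' line of the subset above; None for syntax outside it."""
    m = RULE_RE.match(line.strip())
    if not m: return None
    action, proto, src, dst, ports, rest = m.groups()
    lo, _, hi = (ports or "").partition("-")
    opts = rest.split()
    return {"text": line.strip(), "action": action.split()[0], "proto": proto, "src": _net(src),
            "dst": _net(dst), "dport": range(int(lo), int(hi or lo) + 1) if lo else None,
            "dir": next((o for o in opts if o in ("in", "out")), None),
            "via": opts[opts.index("via") + 1] if "via" in opts else None}

RULES = [r for r in map(parse_rule, RULESET.strip().splitlines()) if r]

def packet(proto, src, dst, iface, direction, dport=None):
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "iface": iface, "dir": direction, "dport": dport}

def matches(rule, pkt):
    """Every condition the rule states must hold; an absent condition matches anything."""
    return all([rule["proto"] in ("all", "ip", pkt["proto"]),
                rule["src"] is None or pkt["src"] in rule["src"],
                rule["dst"] is None or pkt["dst"] in rule["dst"],
                rule["dport"] is None or pkt["dport"] in rule["dport"],
                rule["dir"] in (None, pkt["dir"]), rule["via"] in (None, pkt["iface"])])

def decide(rules, pkt):
    """First match wins; natd writes a diverted packet back so it continues at the next rule."""
    for rule in rules:
        if matches(rule, pkt) and rule["action"] != "divert":
            return rule
    return {"action": "deny", "text": "kernel default ('default to deny' in the posted dmesg)"}

RIP_XL0 = packet("udp", "192.168.1.10", "192.168.1.255", "xl0", "out", dport=520)  # constructed
RIP_DC0 = packet("udp", "66.114.152.128", "66.114.159.255", "dc0", "out", dport=520)  # constructed
```

Calling decide(RULES, RIP_XL0) and decide(RULES, RIP_DC0) returns the rule (or the kernel default) that disposes of each broadcast, so the same walk can be repeated for any other packet the boot messages complain about.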