Date: Wed, 9 Aug 2000 12:23:46 -0500 From: Chris Silva <chris.silva@ADMis.com> To: "'FreeBSD-Questions@FreeBSD.ORG'" <FreeBSD-Questions@FreeBSD.ORG> Subject: IRC identing from client through FBSD firewall. Message-ID: <7353575D98E0D311834F00508BA0FAC91CECD1@chicago.admis.com>
next in thread | raw e-mail | index | archive | help
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C00226.95847E78
Content-Type: text/plain;
charset="iso-8859-1"
When I access IRC via a windows box on my internal network, going trough a
cable modem, I get this error:
natd[162]: failed to write packet back (Permission denied)
This happens when identd is access. I can get out doing everything I need
to, but I just cant get identd to work.
I am using ident2 from the ports, and have set the auth line in the
inetd.conf file. Sorry for all the stuff here, but I wanted to give you all
everything I possibly could - and fee free to point out all that is wrong.
Below are the stats you mat need:
Firewall - FBSD 4.1-STABLE
---------------- rc.conf
# -- sysinstall generated deltas -- #
network_interfaces="fxp0 xl0 lo0"
ifconfig_fxp0="inet 10.3.1.1 netmask 255.0.0.0"
ifconfig_xl0="DHCP"
hostname="firewall.ce.mediaone.net"
gateway_enable="YES"
defaultrouter="NO"
usbd_enable="YES"
inetd_flags="wW -R 1024" # Optional flags to inetd
ntpdate_flags="ncar.ucar.edu"
ntpdate_enable="YES"
tcp_extensions="YES"
firewall_enable="YES" # Set to YES to enable firewall
functionality
firewall_type="simple" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" #
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="xl0" # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf" # Additional flags for natd.
portmap_enable="NO" # Run the portmapper service (or NO).
------------------ rc.firewall (simple)
# set these to your outside interface network and netmask and ip
oif="xl0"
onet="204.210.189.0"
omask="255.255.255.0"
oip="204.210.189.38"
# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="10.3.1.0"
imask="255.0.0.0"
iip="10.3.1.1"
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
#${fwcmd} add pass all from ${inet}:${imask} to ${inet}:${inet}
# Stop RFC1918 nets on the outside interface
#${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
#${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
#${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
#${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
#${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
#${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
#${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${oip}
${fwcmd} add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${oip}
Thanks,
Chris
------_=_NextPart_001_01C00226.95847E78
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2650.12">
<TITLE>IRC identing from client through FBSD firewall.</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2 FACE=3D"Courier New">When I access IRC via a windows =
box on my internal network, going trough a</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">cable modem, I get this =
error:</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">natd[162]: failed to write =
packet back (Permission denied)</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">This happens when identd is =
access. I can get out doing everything I need</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">to, but I just cant get identd =
to work.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">I am using ident2 from the =
ports, and have set the auth line in the</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">inetd.conf file. Sorry =
for all the stuff here, but I wanted to give you all</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">everything I possibly could - =
and fee free to point out all that is wrong.</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Below are the stats you mat =
need:</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Firewall - FBSD =
4.1-STABLE</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">---------------- rc.conf</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New"># -- sysinstall generated =
deltas -- #</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">network_interfaces=3D"fxp0 =
xl0 lo0"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">ifconfig_fxp0=3D"inet =
10.3.1.1 netmask 255.0.0.0"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">ifconfig_xl0=3D"DHCP"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">hostname=3D"firewall.ce.mediaone.net"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">gateway_enable=3D"YES"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">defaultrouter=3D"NO"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">usbd_enable=3D"YES"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">inetd_flags=3D"wW -R =
1024" # Optional flags =
to inetd</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">ntpdate_flags=3D"ncar.ucar.edu"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">ntpdate_enable=3D"YES"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">tcp_extensions=3D"YES"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">firewall_enable=3D"YES" =
# Set to YES to enable =
firewall</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">functionality</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">firewall_type=3D"simple" =
# Firewall type (see =
/etc/rc.firewall)</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">firewall_quiet=3D"NO" =
#</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">natd_enable=3D"YES" &n=
bsp; # Enable natd (if =
firewall_enable =3D=3D YES).</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">natd_interface=3D"xl0"  =
; # Public interface or IPaddress to =
use.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">natd_flags=3D"-f =
/etc/natd.conf" # Additional flags for natd.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">portmap_enable=3D"NO" =
# Run the portmapper service =
(or NO).</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">------------------ rc.firewall =
(simple)</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New"># set these to your outside interface network and =
netmask and ip</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">oif=3D"xl0"</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">onet=3D"204.210.189.0"</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">omask=3D"255.255.255.0"</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">oip=3D"204.210.189.38"</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># set these to your inside interface network and =
netmask and ip</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">iif=3D"fxp0"</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">inet=3D"10.3.1.0"</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">imask=3D"255.0.0.0"</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">iip=3D"10.3.1.1"</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Stop spoofing</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from ${inet}:${imask} to any =
in via ${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from ${onet}:${omask} to any =
in via ${iif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">#${fwcmd} add pass all from ${inet}:${imask} to =
${inet}:${inet}</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Stop RFC1918 nets on the outside =
interface</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">#${fwcmd} add deny all from 10.0.0.0/8 to any via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">#${fwcmd} add deny all from any to 10.0.0.0/8 via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">#${fwcmd} add deny all from 172.16.0.0/12 to any =
via ${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">#${fwcmd} add deny all from any to 172.16.0.0/12 =
via ${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">#${fwcmd} add deny all from 192.168.0.0/16 to any =
via ${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">#${fwcmd} add deny all from any to 192.168.0.0/16 =
via ${oif}</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Stop draft-manning-dsua-01.txt nets on the =
outside interface</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from 0.0.0.0/8 to any via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from any to 0.0.0.0/8 via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from 169.254.0.0/16 to any =
via ${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from any to 169.254.0.0/16 =
via ${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from 192.0.2.0/24 to any via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from any to 192.0.2.0/24 via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from 224.0.0.0/4 to any via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from any to 224.0.0.0/4 via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from 240.0.0.0/4 to any via =
${oif}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add deny all from any to 240.0.0.0/4 via =
${oif}</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Allow TCP through if setup succeeded</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass tcp from any to any =
established</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Allow IP fragments to pass through</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass all from any to any frag</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Allow setup of incoming email</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass tcp from any to ${oip} 25 =
setup</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Allow access to our DNS</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass tcp from any to ${oip} 53 =
setup</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass udp from any to ${oip} 53</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass udp from ${oip} 53 to any</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Allow access to our WWW</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass tcp from any to ${oip} 80 =
setup</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Reject&Log all setup of incoming connections =
from the outside</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">#${fwcmd} add deny log tcp from any to any in via =
${oif} setup</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Allow setup of any other TCP connection</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass tcp from any to any setup</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Allow DNS queries out in the world</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass udp from any 53 to ${oip}</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass udp from ${oip} to any 53</FONT>
</P>
<P> <FONT SIZE=3D2 =
FACE=3D"Courier New"># Allow NTP queries out in the world</FONT>
<BR> <FONT SIZE=3D2 =
FACE=3D"Courier New">${fwcmd} add pass udp from any 123 to =
${oip}</FONT>
</P>
<BR>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Thanks,</FONT>
<BR> =
<FONT SIZE=3D2 =
FACE=3D"Courier New"> Chris</FONT>
</P>
<BR>
</BODY>
</HTML>
------_=_NextPart_001_01C00226.95847E78--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7353575D98E0D311834F00508BA0FAC91CECD1>