Date: Wed, 9 Aug 2000 12:23:46 -0500
From: Chris Silva <chris.silva@ADMis.com>
To: "'FreeBSD-Questions@FreeBSD.ORG'" <FreeBSD-Questions@FreeBSD.ORG>
Subject: IRC identing from client through FBSD firewall.
Message-ID: <7353575D98E0D311834F00508BA0FAC91CECD1@chicago.admis.com>
When I access IRC via a Windows box on my internal network, going through a
cable modem, I get this error:

natd[162]: failed to write packet back (Permission denied)

This happens when identd is accessed. I can get out doing everything I need
to, but I just can't get identd to work.
I am using ident2 from the ports, and have set the auth line in the
inetd.conf file. Sorry for all the stuff here, but I wanted to give you all
everything I possibly could - and feel free to point out all that is wrong.

Below are the stats you may need:

Firewall - FBSD 4.1-STABLE

---------------- rc.conf
# -- sysinstall generated deltas -- #
network_interfaces="fxp0 xl0 lo0"
ifconfig_fxp0="inet 10.3.1.1 netmask 255.0.0.0"
ifconfig_xl0="DHCP"
hostname="firewall.ce.mediaone.net"
gateway_enable="YES"
defaultrouter="NO"
usbd_enable="YES"
inetd_flags="wW -R 1024"        # Optional flags to inetd
ntpdate_flags="ncar.ucar.edu"
ntpdate_enable="YES"
tcp_extensions="YES"
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="simple"          # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             #
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="xl0"            # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"  # Additional flags for natd.
portmap_enable="NO"             # Run the portmapper service (or NO).

------------------ rc.firewall (simple)
    # set these to your outside interface network and netmask and ip
    oif="xl0"
    onet="204.210.189.0"
    omask="255.255.255.0"
    oip="204.210.189.38"

    # set these to your inside interface network and netmask and ip
    iif="fxp0"
    inet="10.3.1.0"
    imask="255.0.0.0"
    iip="10.3.1.1"

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
    #${fwcmd} add pass all from ${inet}:${imask} to ${inet}:${inet}

    # Stop RFC1918 nets on the outside interface
    #${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    #${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    #${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    #${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    #${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
    #${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-01.txt nets on the outside interface
    ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    ${fwcmd} add pass tcp from any to ${oip} 53 setup
    ${fwcmd} add pass udp from any to ${oip} 53
    ${fwcmd} add pass udp from ${oip} 53 to any

    # Allow access to our WWW
    ${fwcmd} add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    #${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from any 53 to ${oip}
    ${fwcmd} add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    ${fwcmd} add pass udp from any 123 to ${oip}

Thanks,
 Chris
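The natd line in the post is worth reading literally. natd prints "failed to write packet back" when its sendto() on the divert socket fails, and "Permission denied" (EACCES) is the error ip_output returns when an ipfw rule denies the packet natd is re-injecting. natd only ever re-injects a packet it has just translated, and that packet is then checked against the rules that follow the divert rule (the divert rule itself is not part of the excerpt above). So the question to ask of a ruleset like the one posted is: which rule matches the translated packet? The script below is an added example, not code from the post or from FreeBSD. It implements the small subset of ipfw syntax the posted rules use, with ipfw's first-match semantics and an implicit final deny (assuming the stock default-to-deny kernel), substitutes the interface and address values from the post, and evaluates constructed packets: an ident (port 113) SYN from an IRC server arriving at the outside address, the same SYN after translation to an inside host, and a spoofed inside-source packet. The addresses 203.0.113.5 and 10.3.1.20 are constructed, and build_ruleset(rfc1918_active=True) is a switch added here to show what the RFC1918 block, which the post has commented out, does to the translated packet.

```python
"""First-match evaluator for the ipfw(8) rule subset in the posted rc.firewall
'simple' excerpt. Added example, not from the post or FreeBSD. Semantics per
ipfw(8): first matching rule decides; the implicit last rule denies (assumes a
stock default-to-deny IPFIREWALL kernel)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    direction: str = "in"           # "in" or "out", relative to the firewall host
    iface: str = "xl0"
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"syn"} or {"ack"}
    frag: bool = False              # True for a non-first IP fragment

def _net(tok):
    """'any' -> None; 'a.b.c.d', 'a.b.c.d/N' or ipfw's 'a.b.c.d:mask' -> ip_network."""
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def parse_rule(text):
    """'ACTION PROTO from SRC [PORT] to DST [PORT] [in|out] [via IF] [setup|established|frag]'."""
    t = text.split()
    assert t[2] == "from", text
    r = {"text": text, "action": t[0], "proto": t[1], "src": _net(t[3]),
         "sport": None, "dport": None, "via": None, "opts": set()}
    i = 4
    if t[i].isdigit():
        r["sport"], i = int(t[i]), i + 1
    assert t[i] == "to", text
    r["dst"], i = _net(t[i + 1]), i + 2
    if i < len(t) and t[i].isdigit():
        r["dport"], i = int(t[i]), i + 1
    while i < len(t):
        if t[i] == "via":
            r["via"], i = t[i + 1], i + 2
        else:
            r["opts"].add(t[i])
            i += 1
    return r

def matches(r, p):
    o = r["opts"]
    if r["proto"] not in ("all", p.proto):
        return False
    for net, addr in ((r["src"], p.src), (r["dst"], p.dst)):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    # A non-first fragment has no transport header, so port and flag checks cannot match it.
    if p.frag and (r["sport"] is not None or r["dport"] is not None or o & {"setup", "established"}):
        return False
    if r["sport"] not in (None, p.sport) or r["dport"] not in (None, p.dport):
        return False
    if r["via"] not in (None, p.iface):
        return False
    if ("in" in o and p.direction != "in") or ("out" in o and p.direction != "out"):
        return False
    if "setup" in o and ("syn" not in p.flags or "ack" in p.flags):
        return False
    if "established" in o and not (p.flags & {"ack", "rst"}):
        return False
    return not ("frag" in o and not p.frag)

def evaluate(rules, p):
    """(action, rule text) of the first matching rule, or ('deny', None) for the implicit default."""
    for r in rules:
        if matches(r, p):
            return r["action"], r["text"]
    return "deny", None

# Interface and address values copied from the post, shell variables substituted.
OIF, ONET, OIP = "xl0", "204.210.189.0:255.255.255.0", "204.210.189.38"
IIF, INET = "fxp0", "10.3.1.0:255.0.0.0"

def build_ruleset(rfc1918_active=False):
    """The posted 'simple' rules, in order. The RFC1918 block is commented out in the
    post; rfc1918_active=True restores it (this switch is an addition of this example)."""
    rules = [f"deny all from {INET} to any in via {OIF}",
             f"deny all from {ONET} to any in via {IIF}"]
    private = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] if rfc1918_active else []
    bogons = ["0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"]
    for net in private + bogons:
        rules += [f"deny all from {net} to any via {OIF}", f"deny all from any to {net} via {OIF}"]
    rules += ["pass tcp from any to any established",
              "pass all from any to any frag",
              f"pass tcp from any to {OIP} 25 setup",
              f"pass tcp from any to {OIP} 53 setup",
              f"pass udp from any to {OIP} 53",
              f"pass udp from {OIP} 53 to any",
              f"pass tcp from any to {OIP} 80 setup",
              "pass tcp from any to any setup",
              f"pass udp from any 53 to {OIP}",
              f"pass udp from {OIP} to any 53",
              f"pass udp from any 123 to {OIP}"]
    return [parse_rule(x) for x in rules]

# Constructed packets: 203.0.113.5 stands in for an IRC server, 10.3.1.20 for an inside host.
IDENT_SYN = Packet("tcp", "203.0.113.5", OIP, 40000, 113, "in", OIF, frozenset({"syn"}))
IDENT_SYN_TRANSLATED = Packet("tcp", "203.0.113.5", "10.3.1.20", 40000, 113, "in", OIF, frozenset({"syn"}))
SPOOFED = Packet("udp", "10.3.1.7", OIP, 5000, 5000, "in", OIF)

if __name__ == "__main__":
    for label, rules in (("as posted", build_ruleset()), ("RFC1918 block active", build_ruleset(True))):
        for p in (IDENT_SYN, IDENT_SYN_TRANSLATED, SPOOFED):
            print(f"{label:21s} {p.proto} -> {p.dst}:{p.dport}: {evaluate(rules, p)}")
```

Run as posted, the ident SYN and its translated form both land on "pass tcp from any to any setup", while the spoofed packet is stopped by the first anti-spoofing rule. With the RFC1918 block restored, "deny all from any to 10.0.0.0/8 via xl0" catches the translated SYN, which is exactly the kind of deny that makes natd report EACCES; whether that or another rule outside the excerpt is the cause on the poster's box is something the script cannot tell, but it shows how to trace a packet through a ruleset like this one before changing it.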