Date: Wed, 9 Aug 2000 12:23:46 -0500 From: Chris Silva <chris.silva@ADMis.com> To: "'FreeBSD-Questions@FreeBSD.ORG'" <FreeBSD-Questions@FreeBSD.ORG> Subject: IRC identing from client through FBSD firewall. Message-ID: <7353575D98E0D311834F00508BA0FAC91CECD1@chicago.admis.com>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
When I access IRC via a windows box on my internal network, going trough a
cable modem, I get this error:
natd[162]: failed to write packet back (Permission denied)
This happens when identd is access. I can get out doing everything I need
to, but I just cant get identd to work.
I am using ident2 from the ports, and have set the auth line in the
inetd.conf file. Sorry for all the stuff here, but I wanted to give you all
everything I possibly could - and fee free to point out all that is wrong.
Below are the stats you mat need:
Firewall - FBSD 4.1-STABLE
---------------- rc.conf
# -- sysinstall generated deltas -- #
network_interfaces="fxp0 xl0 lo0"
ifconfig_fxp0="inet 10.3.1.1 netmask 255.0.0.0"
ifconfig_xl0="DHCP"
hostname="firewall.ce.mediaone.net"
gateway_enable="YES"
defaultrouter="NO"
usbd_enable="YES"
inetd_flags="wW -R 1024" # Optional flags to inetd
ntpdate_flags="ncar.ucar.edu"
ntpdate_enable="YES"
tcp_extensions="YES"
firewall_enable="YES" # Set to YES to enable firewall
functionality
firewall_type="simple" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" #
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="xl0" # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf" # Additional flags for natd.
portmap_enable="NO" # Run the portmapper service (or NO).
------------------ rc.firewall (simple)
# set these to your outside interface network and netmask and ip
oif="xl0"
onet="204.210.189.0"
omask="255.255.255.0"
oip="204.210.189.38"
# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="10.3.1.0"
imask="255.0.0.0"
iip="10.3.1.1"
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
#${fwcmd} add pass all from ${inet}:${imask} to ${inet}:${inet}
# Stop RFC1918 nets on the outside interface
#${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
#${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
#${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
#${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
#${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
#${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
#${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${oip}
${fwcmd} add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${oip}
Thanks,
Chris
[-- Attachment #2 --]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2650.12">
<TITLE>IRC identing from client through FBSD firewall.</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Courier New">When I access IRC via a windows box on my internal network, going trough a</FONT>
<BR><FONT SIZE=2 FACE="Courier New">cable modem, I get this error:</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">natd[162]: failed to write packet back (Permission denied)</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">This happens when identd is access. I can get out doing everything I need</FONT>
<BR><FONT SIZE=2 FACE="Courier New">to, but I just cant get identd to work.</FONT>
<BR><FONT SIZE=2 FACE="Courier New">I am using ident2 from the ports, and have set the auth line in the</FONT>
<BR><FONT SIZE=2 FACE="Courier New">inetd.conf file. Sorry for all the stuff here, but I wanted to give you all</FONT>
<BR><FONT SIZE=2 FACE="Courier New">everything I possibly could - and fee free to point out all that is wrong.</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">Below are the stats you mat need:</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">Firewall - FBSD 4.1-STABLE</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">---------------- rc.conf</FONT>
<BR><FONT SIZE=2 FACE="Courier New"># -- sysinstall generated deltas -- #</FONT>
<BR><FONT SIZE=2 FACE="Courier New">network_interfaces="fxp0 xl0 lo0"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">ifconfig_fxp0="inet 10.3.1.1 netmask 255.0.0.0"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">ifconfig_xl0="DHCP"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">hostname="firewall.ce.mediaone.net"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">gateway_enable="YES"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">defaultrouter="NO"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">usbd_enable="YES"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">inetd_flags="wW -R 1024" # Optional flags to inetd</FONT>
<BR><FONT SIZE=2 FACE="Courier New">ntpdate_flags="ncar.ucar.edu"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">ntpdate_enable="YES"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">tcp_extensions="YES"</FONT>
<BR><FONT SIZE=2 FACE="Courier New">firewall_enable="YES" # Set to YES to enable firewall</FONT>
<BR><FONT SIZE=2 FACE="Courier New">functionality</FONT>
<BR><FONT SIZE=2 FACE="Courier New">firewall_type="simple" # Firewall type (see /etc/rc.firewall)</FONT>
<BR><FONT SIZE=2 FACE="Courier New">firewall_quiet="NO" #</FONT>
<BR><FONT SIZE=2 FACE="Courier New">natd_enable="YES" # Enable natd (if firewall_enable == YES).</FONT>
<BR><FONT SIZE=2 FACE="Courier New">natd_interface="xl0" # Public interface or IPaddress to use.</FONT>
<BR><FONT SIZE=2 FACE="Courier New">natd_flags="-f /etc/natd.conf" # Additional flags for natd.</FONT>
<BR><FONT SIZE=2 FACE="Courier New">portmap_enable="NO" # Run the portmapper service (or NO).</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">------------------ rc.firewall (simple)</FONT>
<BR> <FONT SIZE=2 FACE="Courier New"># set these to your outside interface network and netmask and ip</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">oif="xl0"</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">onet="204.210.189.0"</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">omask="255.255.255.0"</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">oip="204.210.189.38"</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># set these to your inside interface network and netmask and ip</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">iif="fxp0"</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">inet="10.3.1.0"</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">imask="255.0.0.0"</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">iip="10.3.1.1"</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Stop spoofing</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">#${fwcmd} add pass all from ${inet}:${imask} to ${inet}:${inet}</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Stop RFC1918 nets on the outside interface</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">#${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">#${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">#${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">#${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">#${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">#${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Stop draft-manning-dsua-01.txt nets on the outside interface</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Allow TCP through if setup succeeded</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass tcp from any to any established</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Allow IP fragments to pass through</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass all from any to any frag</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Allow setup of incoming email</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass tcp from any to ${oip} 25 setup</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Allow access to our DNS</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass tcp from any to ${oip} 53 setup</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass udp from any to ${oip} 53</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass udp from ${oip} 53 to any</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Allow access to our WWW</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass tcp from any to ${oip} 80 setup</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Reject&Log all setup of incoming connections from the outside</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">#${fwcmd} add deny log tcp from any to any in via ${oif} setup</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Allow setup of any other TCP connection</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass tcp from any to any setup</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Allow DNS queries out in the world</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass udp from any 53 to ${oip}</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass udp from ${oip} to any 53</FONT>
</P>
<P> <FONT SIZE=2 FACE="Courier New"># Allow NTP queries out in the world</FONT>
<BR> <FONT SIZE=2 FACE="Courier New">${fwcmd} add pass udp from any 123 to ${oip}</FONT>
</P>
<BR>
<P><FONT SIZE=2 FACE="Courier New">Thanks,</FONT>
<BR> <FONT SIZE=2 FACE="Courier New"> Chris</FONT>
</P>
<BR>
</BODY>
</HTML>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7353575D98E0D311834F00508BA0FAC91CECD1>