From owner-freebsd-questions Wed Aug 9 10:22:17 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from chicago.ADMis.com (chicago.admis.com [208.192.111.99]) by hub.freebsd.org (Postfix) with SMTP id AD1AD37BEEE for ; Wed, 9 Aug 2000 10:22:02 -0700 (PDT) (envelope-from chris.silva@admis.com)
Received: From CHICAGO.ADMIS.COM (182.168.181.229[182.168.181.229 port:3887]) by chicago.ADMis.com (Mail essentials server 2.421) with SMTP id: <10689@chicago.ADMis.com> for 8/9/00 12:23:51 PM -0500
Received: by chicago.admis.com with Internet Mail Service (5.5.2650.21) id ; Wed, 9 Aug 2000 12:23:51 -0500
Message-ID: <7353575D98E0D311834F00508BA0FAC91CECD1@chicago.admis.com>
From: Chris Silva
To: "'FreeBSD-Questions@FreeBSD.ORG'"
Subject: IRC identing from client through FBSD firewall.
Date: Wed, 9 Aug 2000 12:23:46 -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

When I access IRC via a Windows box on my internal network, going through a
cable modem, I get this error:

natd[162]: failed to write packet back (Permission denied)

This happens when identd is accessed. I can get out doing everything I need
to, but I just can't get identd to work.
I am using ident2 from the ports, and have set the auth line in the
inetd.conf file. Sorry for all the stuff here, but I wanted to give you all
everything I possibly could - and feel free to point out all that is wrong.

Below are the stats you may need:

Firewall - FBSD 4.1-STABLE

---------------- rc.conf
# -- sysinstall generated deltas -- #
network_interfaces="fxp0 xl0 lo0"
ifconfig_fxp0="inet 10.3.1.1  netmask 255.0.0.0"
ifconfig_xl0="DHCP"
hostname="firewall.ce.mediaone.net"
gateway_enable="YES"
defaultrouter="NO"
usbd_enable="YES"
inetd_flags="wW -R 1024"        # Optional flags to inetd
ntpdate_flags="ncar.ucar.edu"
ntpdate_enable="YES"
tcp_extensions="YES"
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="simple"          # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             #
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="xl0"            # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"  # Additional flags for natd.
portmap_enable="NO"             # Run the portmapper service (or NO).

------------------ rc.firewall (simple)
        # set these to your outside interface network and netmask and ip
        oif="xl0"
        onet="204.210.189.0"
        omask="255.255.255.0"
        oip="204.210.189.38"

        # set these to your inside interface network and netmask and ip
        iif="fxp0"
        inet="10.3.1.0"
        imask="255.0.0.0"
        iip="10.3.1.1"

        # Stop spoofing
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
        #${fwcmd} add pass all from ${inet}:${imask} to ${inet}:${inet}

        # Stop RFC1918 nets on the outside interface
        #${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        #${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        #${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        #${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        #${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
        #${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

        # Stop draft-manning-dsua-01.txt nets on the outside interface
        ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
        ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
        ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
        ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email
        ${fwcmd} add pass tcp from any to ${oip} 25 setup

        # Allow access to our DNS
        ${fwcmd} add pass tcp from any to ${oip} 53 setup
        ${fwcmd} add pass udp from any to ${oip} 53
        ${fwcmd} add pass udp from ${oip} 53 to any

        # Allow access to our WWW
        ${fwcmd} add pass tcp from any to ${oip} 80 setup

        # Reject&Log all setup of incoming connections from the outside
        #${fwcmd} add deny log tcp from any to any in via ${oif} setup

        # Allow setup of any other TCP connection
        ${fwcmd} add pass tcp from any to any setup

        # Allow DNS queries out in the world
        ${fwcmd} add pass udp from any 53 to ${oip}
        ${fwcmd} add pass udp from ${oip} to any 53

        # Allow NTP queries out in the world
        ${fwcmd} add pass udp from any 123 to ${oip}


Thanks,
                  Chris

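An added troubleshooting example, not part of Chris's message and not taken from FreeBSD's rc.firewall. natd hands each translated packet back to the kernel through its divert socket; when ipfw then matches that re-injected packet against a deny rule, the write fails with EACCES, which is the "failed to write packet back (Permission denied)" line quoted above. Since the "Reject&Log" rule in the pasted ruleset is commented out and "pass tcp from any to any setup" is active, nothing is logged when a packet is denied, so the quickest way to find the responsible rule is to zero the ipfw counters, reproduce the ident connection, and list the deny rules whose packet counters moved. The `ipfw -a list` output below is constructed sample data (rule numbers, counters and the interface name are made up), and `hot_denies` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output for this example; it is not
# the poster's ruleset. Columns: rule number, packet count, byte count, rule.
SAMPLE_RULES='00100          0          0 allow ip from any to any via lo0
00200          0          0 deny ip from any to 127.0.0.0/8
00300        412      31204 divert 8668 ip from any to any via xl0
00400         17       1020 deny ip from 192.0.2.0/24 to any via xl0
00500       9870    6011233 allow tcp from any to any established
00600          0          0 deny log tcp from any to any in via xl0 setup
65535          3        180 deny ip from any to any'

# hot_denies (hypothetical name): read `ipfw -a list` output on stdin and
# print only deny rules whose packet counter is non-zero, as
# "<rule number> <packets> <rule body>". Those are the rules currently
# dropping traffic, including packets natd has just written back.
hot_denies() {
    awk '$4 == "deny" && $2 > 0 { print $1, $2, substr($0, index($0, $4)) }'
}

# On a real FreeBSD box the workflow is:
#   ipfw zero                 # reset all rule counters
#   <reproduce the failing ident connection>
#   ipfw -a list | hot_denies # deny rules that were hit in between
# Here the constructed sample stands in for `ipfw -a list`:
printf '%s\n' "$SAMPLE_RULES" | hot_denies
```

The output for the sample shows rule 00400 and the implicit final rule 65535 as the only deny rules with hits; on a live system, whichever deny rule appears here right after the ident attempt is the one refusing natd's re-injected packet, and its rule number tells you where in rc.firewall to look.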