From owner-freebsd-ipfw Thu Aug 3 13:26:48 2000
From: "Oleg Y. Ivanov"
To: "Shaun Jurrens"
Subject: Re: connections via natd dying in natd
Date: Fri, 4 Aug 2000 00:22:53 +0400
Sender: owner-freebsd-ipfw@FreeBSD.ORG

Hey,

I also have this problem =8-(((

In my case this message usually appears when ipfw is used in stateful mode & a rule with the "keep-state" addendum expires. The packet written by natd hits the default (or any other ;) "deny" rule.

Is this scenario realistic enough?

>>Shaun Jurrens writes:
>> I have been struggling with this problem for a number of months, actually. I
>> had it using 3-STABLE boxes and now with one 4-STABLE through the 3(.5)-STABLE
>> natd gateway, the same problem occurs. The problem: connections via natd
>> suddenly drop and simultaneously, I get errors on the console for the gateway
>> box that natd has "failed to write the packet back (Permission denied)". This
>> is almost exclusively with ssh connections (mostly because they are the most
>> constant long time connections I have to notice this behavior)
>
>Don't know if this is much help, but..
>
>"failed to write the packet back (Permission denied)" almost definitely
>indicates that the packet being written back hit an 'ipfw deny' packet
>filtering rule. This is the only way that a write to a socket can
>generate an EPERM error.
>
>So I'd start by turning on ipfw logging for all deny rules to see
>which one is being triggered.
>

---------------------------------
Sincerely Yours,
Oleg Y. Ivanov: sysadmin & DBA of UzDaewoo Centre, Moscow
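
The logging step suggested in the quoted reply, as an added example that is not part of the original thread: once the deny rules carry the "log" keyword, the functions below tally which rule is dropping packets and which flows it dropped. The log lines, host name "gw", interfaces, addresses and rule numbers are constructed for illustration; on a real gateway the input would be the file syslog writes ipfw messages to.

```shell
# Added example: find out which ipfw deny rule natd's packets are hitting.
# Prerequisite on the gateway (shown as comments, not executed here): the deny
# rules need the "log" keyword and kernel logging has to be enabled, e.g.
#   ipfw add 65000 deny log ip from any to any
#   sysctl net.inet.ip.fw.verbose=1

# Constructed sample lines in the ipfw syslog format; every address, rule
# number and interface name here is made up.
sample_log() {
cat <<'EOF'
Aug  3 13:20:01 gw /kernel: ipfw: 65000 Deny TCP 192.168.1.8:1022 203.0.113.5:22 out via ed0
Aug  3 13:20:04 gw /kernel: ipfw: 65000 Deny TCP 192.168.1.8:1022 203.0.113.5:22 out via ed0
Aug  3 13:21:17 gw /kernel: ipfw: 400 Deny UDP 198.51.100.7:137 192.168.1.255:137 in via ed1
Aug  3 13:21:30 gw /kernel: ipfw: 300 Accept TCP 192.168.1.8:1050 203.0.113.9:80 out via ed0
Aug  3 13:22:45 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.5:22 192.168.1.8:1022 in via ed0
EOF
}

# deny_hits: read log lines on stdin, print "<count> <rule>", busiest rule first.
deny_hits() {
    awk '
        {
            for (i = 1; i < NF; i++)
                if ($i == "ipfw:" && $(i + 2) == "Deny") { hits[$(i + 1)]++; break }
        }
        END { for (r in hits) print hits[r], r }
    ' | sort -k1,1nr -k2,2n
}

# deny_flows RULE: list the distinct proto/src/dst/direction tuples that rule dropped.
deny_flows() {
    awk -v rule="$1" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "ipfw:" && $(i + 1) == rule && $(i + 2) == "Deny") {
                    print $(i + 3), $(i + 4), "->", $(i + 5), $(i + 6)
                    break
                }
        }
    ' | sort | uniq -c | sort -k1,1nr
}

sample_log | deny_hits
sample_log | deny_flows 65000
```

A rule whose hits line up with the times natd reports "Permission denied", and whose flows are the translated ssh sessions, is the one to inspect.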