Date: Fri, 19 Jan 2001 00:10:29 -0500
From: Bill Moran <wmoran@mail.iowna.com>
Cc: questions@FreeBSD.ORG
Subject: SOLVED (Re: natd & failed to write packet back)
Message-ID: <3A67CC45.931BC1C4@mail.iowna.com>
References: <3A63C754.AEA088A@mail.iowna.com> <001b01c07fd2$d9dd69c0$6100000a@vladsempire.net>
Well, I figured it out. I'm sending out the explanation for 2 reasons:

1. I'm overjoyed to have it solved and need to tell someone who understands.
2. Someone else might come across this problem.

The problem was simply this - the "simple" profile. It works great for a dedicated firewall/proxy/nat machine (I've done it before), but there are some problems if there are other services running on this machine. In this case, the firewall/proxy/nat machine is also running smtp/pop3/nfs/http/dns. In tweaking the firewall rules to allow what I wanted to allow, and disallow what I didn't, I somehow got a loop started.

Overall, I'm not sure how to explain - but here's what I found: a lot of machines on the internal net were sending out a lot of SNMP traffic. This firewall doesn't do SNMP, but the internal interface was basically set up to accept everything. Now for some reason, when SNMP messages came in, they were being translated (through nat) to the IP of the second interface, which would then reply that the port wasn't available. But nat would turn this into "failed to write packet back (permission denied)".

So I put this rule near the beginning:

    add allow ip from ${inet}:${imask} to ${iip} via ${iif}

(Previously, the rule was:

    add allow ip from any to any via ${iif}

)

This quieted everything right down. The SNMP packets are still coming in and being denied, but they don't go through the firewall and get reported as errors.

TADA!

Sheesh ... firewalls are tricky!

More than anything, I'm surprised at the amount of traffic that this thing is handling - I'm seeing FTP connections - for no reason that I can gather? Someone portscanning? Hmm ...

-Bill

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
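The two internal-interface rule variants contrasted in the message above, written out as an added example in the ${fwcmd} style of FreeBSD's rc.firewall. This is not Bill's ruleset and not FreeBSD's own rc.firewall code: the interface names, addresses, the trailing divert and deny rules and their ordering are assumptions constructed for the example. With the default fwcmd the script only echoes the rules, so it can be inspected on any system without loading anything into a live ipfw.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD's rc.firewall.
# Emits an rc.firewall-style rule list in a dry-run mode so the difference
# between the broad "any to any via $iif" rule and the narrowed replacement
# can be inspected without touching a live ipfw.

# fwcmd defaults to "echo ipfw", which prints the rules instead of applying
# them. Set fwcmd=/sbin/ipfw on a real FreeBSD box to load them for real.
fwcmd="${fwcmd:-echo ipfw}"

# Assumed topology, constructed for this example (not the poster's values).
oif="fxp0"                      # outside interface, where natd is attached
iif="fxp1"                      # inside interface
inet="192.168.3.0"              # inside network
imask="255.255.255.0"           # inside netmask
iip="192.168.3.1"               # the firewall's own inside address

# emit_rules MODE   (MODE is "broad" or "narrow")
# Prints the rule set in list order, so first-match semantics are visible.
emit_rules() {
    mode="$1"
    case "$mode" in
        broad)
            # The rule the post started with: every packet seen on the inside
            # interface is accepted here, whatever its destination.
            ${fwcmd} add allow ip from any to any via "${iif}"
            ;;
        narrow)
            # The replacement: only traffic from the inside net that is
            # addressed to the firewall's own inside address is accepted here;
            # anything else falls through to the later rules.
            ${fwcmd} add allow ip from "${inet}:${imask}" to "${iip}" via "${iif}"
            ;;
        *)
            echo "emit_rules: unknown mode '$mode' (use broad|narrow)" >&2
            return 2
            ;;
    esac
    # Assumed remainder of the list: the NAT divert on the outside interface
    # (as in the "simple" profile) and an explicit logging default deny.
    ${fwcmd} add divert natd ip from any to any via "${oif}"
    ${fwcmd} add deny log ip from any to any
}

# count_broad_inside_allows MODE
# Lints the generated list: prints how many rules accept "any to any" on the
# inside interface (the pattern the post found troublesome) and returns
# non-zero when at least one is present.
count_broad_inside_allows() {
    n=$(emit_rules "$1" | grep -c "allow ip from any to any via ${iif}" || true)
    echo "$n"
    [ "$n" -eq 0 ]
}

# Usage: emit_rules narrow        (dry run: prints the narrowed rule set)
#        count_broad_inside_allows broad   (prints 1, exits non-zero)
```

Because fwcmd is only an echo unless overridden, the same script doubles as a preview: diff the output of emit_rules broad against emit_rules narrow before loading anything, and run the count_broad_inside_allows check against whatever rule list you actually keep in rc.firewall.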
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A67CC45.931BC1C4>