Date: Thu, 18 Jan 2001 23:24:13 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Bill Moran <wmoran@mail.iowna.com>
Cc: questions@FreeBSD.ORG
Subject: Re: SOLVED (Re: natd & failed to write packet back)
Message-ID: <20010118232412.E66998@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A67CC45.931BC1C4@mail.iowna.com>; from wmoran@mail.iowna.com on Fri, Jan 19, 2001 at 12:10:29AM -0500
References: <3A63C754.AEA088A@mail.iowna.com> <001b01c07fd2$d9dd69c0$6100000a@vladsempire.net> <3A67CC45.931BC1C4@mail.iowna.com>
On Fri, Jan 19, 2001 at 12:10:29AM -0500, Bill Moran wrote:

[snip]

> In this case, the firewall/proxy/nat machine is also running
> smtp/pop3/nfs/http/dns. In tweaking the firewall rules to allow what I
> wanted to allow, and disallow what I didn't, I somehow got a loop
> started.

Loop? I don't think there was a loop.

> Overall, I'm not sure how to explain - but here's what I found:
> A lot of machines on the internal net were sending out a lot of SNMP
> traffic. This firewall doesn't do SNMP, but the internal interface was
> basically set up to accept everything.
> Now for some reason, when SNMP messages came in, they were being
> translated (through nat) to the IP of the second interface,

Because the destination address was outside the firewall?

> which would
> then reply that the port wasn't available.

Hmmm... You were getting ICMP port unreachables? Are you sure?

> But nat would turn this into
> "failed to write packet back (permission denied)"

If the SNMP packets were going through natd on the outer interface and
then being blocked by the firewall, that is the expected message.

> So I put this rule near the beginning:
>
> add allow ip from ${inet}:${imask} to ${iip} via ${iif}

Now you can't connect to the Internet from your internal machines? That
is a fix? Or do you have some other rules to pass traffic to the
Internet?

-- 
Crist J. Clark                                cjclark@alum.mit.edu
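The ordering problem Crist is pointing at (natd rewrites a packet, hands it back to the kernel, the packet continues at the rule after the divert rule, and a later deny makes the divert write fail with EPERM, which natd logs as "failed to write packet back (Permission denied)") is easier to see against a complete ruleset. The script below is an added example in the style of FreeBSD's /etc/rc.firewall, not code posted by either participant in the thread. The interface names fxp0/fxp1, the addresses (documentation and RFC 1918 ranges), the CIDR form of the mask, the decision to drop SNMP (UDP 161/162) before it reaches natd, and the `fwcmd` dry-run convention are all assumptions made for illustration. Bill's rule appears as rule 200; on its own it only passes LAN-to-firewall traffic, which is exactly Crist's question, so rules 600/610 and the post-translation rule 500 are what actually let the LAN out.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw + natd ruleset showing why
# rule order around "divert natd" matters.
#
# Key points this demonstrates:
#  1. Traffic you never want translated is dropped BEFORE the divert rule,
#     so natd never sees it and never has to write it back.
#  2. Rules after the divert rule must be written for the TRANSLATED
#     addresses (outbound packets carry ${oip}, inbound ones carry the
#     inner host). A post-divert rule written for ${inet} would not match,
#     the default deny would reject the re-injected packet, and natd would
#     log "failed to write packet back (Permission denied)".

oif=${oif:-fxp0}            # outer (Internet) interface, assumed name
oip=${oip:-203.0.113.10}    # outer address (documentation range)
iif=${iif:-fxp1}            # inner interface, assumed name
iip=${iip:-192.168.1.1}     # firewall's own inner address
inet=${inet:-192.168.1.0}   # inner network
imask=${imask:-24}          # prefix length; old rc.firewall used ${inet}:${imask}
                            # with a dotted mask instead

# Dry run by default: print the commands instead of loading them.
# Run with fwcmd=/sbin/ipfw to apply the rules for real.
fwcmd=${fwcmd:-"echo ipfw"}

build_rules() {
    $fwcmd -f flush

    # Loopback and basic anti-spoofing.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from ${inet}/${imask} to any in via ${oif}

    # LAN <-> the firewall's own inner address (the rule from the thread,
    # plus its reply direction). This traffic never reaches natd.
    $fwcmd add 200 allow ip from ${inet}/${imask} to ${iip} via ${iif}
    $fwcmd add 210 allow ip from ${iip} to ${inet}/${imask} via ${iif}

    # Drop the SNMP chatter BEFORE the divert rule. "deny" is silent; use
    # "unreach port" instead if the inner hosts should get an ICMP error.
    $fwcmd add 300 deny log udp from ${inet}/${imask} to any 161,162 via ${oif}

    # Everything else crossing the outer interface is handed to natd.
    $fwcmd add 400 divert natd ip from any to any via ${oif}

    # Post-translation policy. Outbound packets now have ${oip} as source.
    $fwcmd add 500 allow ip from ${oip} to any out via ${oif}
    # Inbound packets now have the inner host (or the firewall) as destination.
    $fwcmd add 510 allow tcp from any to ${inet}/${imask} in via ${oif} established
    $fwcmd add 520 allow udp from any 53 to ${inet}/${imask} in via ${oif}
    $fwcmd add 530 allow icmp from any to ${inet}/${imask} in via ${oif} icmptypes 0,3,11
    # Services the firewall itself offers to the Internet (assumed set).
    $fwcmd add 540 allow tcp from any to ${oip} 25,53,80,110 in via ${oif} setup
    $fwcmd add 550 allow udp from any to ${oip} 53 in via ${oif}
    $fwcmd add 560 allow tcp from any to ${oip} in via ${oif} established

    # Inner interface: let the LAN in and replies back out; the real
    # policy is enforced on ${oif} above.
    $fwcmd add 600 allow ip from ${inet}/${imask} to any in via ${iif}
    $fwcmd add 610 allow ip from any to ${inet}/${imask} out via ${iif}

    # Default deny, logged, so the next natd "permission denied" can be
    # traced to the rule that produced it.
    $fwcmd add 65000 deny log ip from any to any
}

build_rules
```

Run it as `fwcmd=/sbin/ipfw sh rules.sh` on a kernel built with `options IPFIREWALL` and `options IPDIVERT`, after starting natd on the outer interface (`natd -n fxp0`). To confirm a "failed to write packet back" message really comes from a deny after the divert rule, add `log` to the suspect deny and watch `ipfw -a list` counters alongside the natd syslog output.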