From: Chip
To: freebsd-questions@FreeBSD.ORG
Subject: natd permission denied on bootup
Date: Fri, 28 Sep 2001 09:26:19 -0700
Message-Id: <01092809261905.96094@chip.wiegand.org>

I am setting up another machine to replace my current firewall/natd box. I have installed 4.4-release, recompiled the kernel for firewall & ipdivert, set up the rc.firewall, natd.conf, rc.conf, resolv.conf files. Both nics ping each other and other machines on the inside network, and answer to pings from other machines inside the network. When the machine boots up I get the following messages:

natd: failed to write packet back (permission denied)
routed: send bcast sendto(xl0): permission denied
starting final network daemons: firewall, routed: sendto(dc0): permission denied.

Any ideas what's going on here? I have verified all the files with the existing firewall box and it's been working fine for a couple years. I have included the relevant files text below.

Here's a bit of my dmesg, unfortunately, it didn't go long enough to show the errors (the ones mentioned above):
-------------------------------------
Copyright (c) 1992-2001 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 4.4-RELEASE #0: Thu Sep 27 19:58:43 GMT 2001
    root@firewall.wiegand.org:/usr/src/sys/compile/WIEGAND
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0xf400-0xf47f mem 0xffadff80-0xffadffff irq 11 at device 9.0 on pci0
xl0: Ethernet address: 00:50:da:06:ef:1f
miibus0: on xl0
ukphy0: on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: port 0xf600-0xf6ff mem 0xffadfe00-0xffadfeff irq 10 at device 11.0 on pci0
dc0: Ethernet address: 00:a0:cc:e4:87:a5
miibus1: on dc0
dcphy0: on miibus1
dcphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging limited to 100 packets/entry by default
ad0: 3089MB [6278/16/63] at ata0-master UDMA33
(null): MODE_SENSE_BIG - UNIT ATTENTION asc=29 ascq=00 error=04
acd0: CDROM at ata0-slave using PIO0
Mounting root from ufs:/dev/ad0s1a
--
-------------------------------------------

Here's ifconfig -a
---------------------------------------------
xl0: flags=8843 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:daff:fe06:ef1f%xl0 prefixlen 64 scopeid 0x1
        ether 00:50:da:06:ef:1f
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc0: flags=8843 mtu 1500
        inet 66.114.152.128 netmask 0xfffff800 broadcast 66.114.159.255
        inet6 fe80::2a0:ccff:fee4:87a5%dc0 prefixlen 64 scopeid 0x2
        ether 00:a0:cc:e4:87:a5
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810 mtu 1500
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8000 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
----------------------------------------------

Here's natd.conf
----------------------------------------------
use_sockets yes
port 8668
log unregistered_only
redirect_port tcp 192.168.1.14:80 80
----------------------------------------------

Here's netstat -rn
----------------------------------------------
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            66.114.152.1       UGSc        5       53      dc0
66.114.152/21      link#2             UC          2        0      dc0
66.114.152.1       link#2             UHLW        3        0      dc0
66.114.159.255     ff:ff:ff:ff:ff:ff  UHLWb       0        1      dc0
127.0.0.1          127.0.0.1          UH          0        0      lo0
192.168.1          link#1             UC          0        0      xl0
----------------------------------------------

Here's rc.conf
----------------------------------------------
# -- sysinstall generated deltas -- # Tue Sep 25 22:38:43 2001
# Created: Tue Sep 25 22:38:43 2001
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
network_interfaces="xl0 dc0 lo0"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"
gateway_enable="YES"
natd_interface="dc0"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
router_enable="YES"
defaultrouter="66.114.152.1"
hostname="firewall.wiegand.org"
ifconfig_xl0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_dc0="inet 66.114.152.128 netmask 255.255.248.0"
moused_enable="YES"
moused_port="/dev/cuaa1"
moused_type="mouseman"
sendmail_enable="NO"
sshd_enable="YES"
------------------------------------------------

Here's rc.firewall
------------------------------------------------
# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
    . /etc/defaults/rc.conf
    source_rc_confs
elif [ -r /etc/rc.conf ]; then
    . /etc/rc.conf
fi

if [ -n "${1}" ]; then
    firewall_type="${1}"
fi

fwcmd="/sbin/ipfw"

# Outside nic
oif="dc0"
onet="66.114.152.0"
omask="255.255.255.128"
oip="66.114.152.128"

# Inside nic
iif="xl0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.10"

# ISP's DNS numbers
dns1="207.115.64.222"
dns2="207.115.64.223"

${fwcmd} -f flush

# allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Natd
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53 keep-state
${fwcmd} add pass udp from any to ${dns2} 53 keep-state
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# Allow local SMB traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# Allow inside machines to log to us
${fwcmd} add pass log udp from any to any 514 via ${iif}

# Allow outbound traceroute
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

# Allow all icmp on internal
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outbound pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow other icmp types
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny all other icmp types
${fwcmd} add deny icmp from any to any

# Reject broadcasts from the oif
${fwcmd} add 63000 deny ip from any 0.0.0.255:0.0.0.255 in via ${oif}

# Reject and log smb connections from oif
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject and log all other connections from oif
${fwcmd} add 65000 deny log ip from any to any via ${oif}

# Everything else is denied by default in the kernel WIEGAND
--------------------------------------------------

Thanks for your assistance,
--
Chip W.
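An added example, not part of the original post and not FreeBSD code. With ipfw a deny rule returns EACCES ("Permission denied") to the local process that wrote the packet, and a packet natd writes back to the divert socket re-enters the rules just after the divert rule, so both "failed to write packet back (permission denied)" and routed's "sendto(...): permission denied" name a rule that matched, not a file permission. The model below implements ipfw's first-match evaluation in user space for the rule syntax used in the posted rc.firewall (log, keep-state and frag are ignored), loads a subset of that ruleset with oif=dc0 and iif=xl0 substituted, and models the natd.conf redirect with a toy `natd_model` function that is an assumption rather than natd's real logic. The sample packets are constructed; 198.51.100.7 is a documentation address standing in for an outside host. `trace()` returns the rule number and action at which each packet stops.

```python
import ipaddress
import re

# Added example, not FreeBSD code: a user-space model of ipfw(8) first-match rule
# evaluation, built to ask "which rule stops this packet?" for the posted ruleset.
RULE_RE = re.compile(
    r"^(?:add\s+)?(?:(?P<num>\d+)\s+)?(?P<action>pass|allow|accept|deny|drop|divert\s+\S+)"
    r"(?:\s+log)?\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>[\d,-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d,-]+))?(?P<opts>.*)$")

def parse_addr(tok):
    # 'any' -> None (matches everything); 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d:m.m.m.m' -> network
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def parse_ports(tok):
    # '80', '137-139' or '3,4,11' -> set of port numbers; None means any port
    return None if tok is None else {n for part in tok.split(",") for lo, _, hi in [part.partition("-")]
                                     for n in range(int(lo), int(hi or lo) + 1)}

def parse_rule(text, default_num):
    # parse the ipfw1 'add' syntax subset used in the post; 'log' and 'keep-state' are ignored
    m = RULE_RE.match(text.strip())
    assert m, "unsupported rule syntax: " + text
    opts = m["opts"].split()
    return {"num": int(m["num"] or default_num), "action": m["action"].split()[0],
            "proto": m["proto"], "src": parse_addr(m["src"]), "dst": parse_addr(m["dst"]),
            "sport": parse_ports(m["sport"]), "dport": parse_ports(m["dport"]),
            "dir": next((o for o in opts if o in ("in", "out")), None),
            "via": opts[opts.index("via") + 1] if "via" in opts else None,
            "setup": "setup" in opts, "established": "established" in opts}

def load(lines):
    # unnumbered rules get the previous number + 100, as ipfw1 assigns them
    rules, num = [], 0
    for line in lines:
        rules.append(parse_rule(line, num + 100))
        num = rules[-1]["num"]
    return rules

def matches(r, p):
    # 'via' matches the named interface in either direction; 'in'/'out' pin the direction
    if r["proto"] not in ("all", "ip", p["proto"]):
        return False
    if any(r[s] is not None and ipaddress.ip_address(p[s]) not in r[s] for s in ("src", "dst")) \
            or any(r[s] is not None and p.get(s) not in r[s] for s in ("sport", "dport")):
        return False
    if (r["dir"] and r["dir"] != p["dir"]) or (r["via"] and r["via"] != p["iface"]):
        return False
    tcp, flags = p["proto"] == "tcp", p.get("flags", set())
    if r["setup"] and not (tcp and "syn" in flags and "ack" not in flags):
        return False
    return not r["established"] or (tcp and bool(flags & {"ack", "rst"}))

def first_match(rules, p, after=0):
    # (number, action) of the first matching rule numbered above `after`; 65535 is the
    # kernel's default rule, which the posted dmesg reports as 'default to deny'
    for r in rules:
        if r["num"] > after and matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"

def trace(rules, p, nat):
    # on divert, hand the packet to `nat` and resume just after the divert rule, which is
    # where the kernel re-evaluates a packet that natd writes back to the divert socket
    num, action = first_match(rules, p)
    if action == "divert":
        num, action = first_match(rules, nat(p), after=num)
    return num, action

OIP, INSIDE = "66.114.152.128", ipaddress.ip_network("192.168.1.0/24")  # from the posted rc.conf
def natd_model(p):
    # toy natd (an assumption, not natd's logic): the posted 'redirect_port tcp
    # 192.168.1.14:80 80' inbound, plain masquerading outbound, no session table
    p = dict(p)
    if p["dir"] == "in" and p["proto"] == "tcp" and p["dst"] == OIP and p["dport"] == 80:
        p["dst"] = "192.168.1.14"
    elif p["dir"] == "out" and ipaddress.ip_address(p["src"]) in INSIDE:
        p["src"] = OIP
    return p

# Subset of the posted rc.firewall with oif=dc0 and iif=xl0 substituted, in its original order
RULES = load([
    "add 100 pass all from any to any via lo0",
    "add deny all from 192.168.1.0:255.255.255.0 to any in via dc0",
    "add divert natd all from any to any via dc0",
    "add deny all from 192.168.0.0/16 to any via dc0",
    "add pass tcp from any to any established",
    "add pass tcp from any to 66.114.152.128 25 setup",
    "add deny log tcp from any to any in via dc0 setup",
    "add pass tcp from any to any setup",
    "add pass udp from any to any 137-139 via xl0",
    "add 65000 deny log ip from any to any via dc0",
])

def pkt(proto, src, sport, dst, dport, direction, iface, flags=()):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "iface": iface, "flags": set(flags)}

# Constructed samples: a RIP (UDP 520) broadcast on xl0 as routed would send it, an inbound
# SYN to the redirected web port, and an inside host's SYN on its way out through dc0
RIP_XL0 = pkt("udp", "192.168.1.10", 520, "192.168.1.255", 520, "out", "xl0")
WEB_IN = pkt("tcp", "198.51.100.7", 40001, OIP, 80, "in", "dc0", {"syn"})
WEB_OUT = pkt("tcp", "192.168.1.14", 40000, "198.51.100.7", 80, "out", "dc0", {"syn"})
```

Running `trace(RULES, RIP_XL0, natd_model)` stops at the kernel default rule 65535 (no rule passes UDP 520 on xl0); `WEB_IN` is diverted, rewritten to 192.168.1.14:80 and then stops at the "deny log tcp from any to any in via dc0 setup" rule, which is what natd reports as a failed write-back; `WEB_OUT` is diverted, masqueraded and passed by the "pass tcp from any to any setup" rule. Because the subset is loaded in the post's order, the numbers the model assigns line up with that order but not with the full script's numbering; on the box itself the equivalent check is `ipfw -a list`, whose packet counters show which rule's count rises when the error is logged.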