From owner-freebsd-security Thu Jan 27 0:20:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta1.snfc21.pbi.net (mta1.snfc21.pbi.net [206.13.28.122])
    by hub.freebsd.org (Postfix) with ESMTP id 5FBA7155CA
    for ; Thu, 27 Jan 2000 00:20:34 -0800 (PST)
    (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169])
    by mta1.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
    with SMTP id <0FOZ00HVYIZ5M7@mta1.snfc21.pbi.net>
    for freebsd-security@freebsd.org; Thu, 27 Jan 2000 00:16:18 -0800 (PST)
Date: Thu, 27 Jan 2000 00:16:55 -0800
From: The Mad Scientist
Subject: Re: Riddle me this
In-reply-to: <200001270355.UAA01355@lariat.lariat.org>
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@freebsd.org
Message-id: <4.1.20000127000531.0096ab30@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 08:55 PM 1/26/00 -0700, you wrote:
>Jan 26 15:23:49 victim natd[125]: failed to write packet back (No route to
>host)
>
>Maybe I'm just dense this evening and the cause of the message is obvious, but
>I can't figure out what would have generated this message. The system has a
>static default route to the upstream ISP's router.
>
>Is this a side effect of the rules I added? Or of something else?
>
>--Brett Glass

This is an entirely different issue AFAIK. If you see some correlation,
change the rules to

00049 deny log ip from 224.0.0.0/4 to any via any
00050 deny log ip from any to 224.0.0.0/4 via any

and see if you get any messages in syslog just before the failure messages.

Natd on my router has gone out to lunch like this a few times in the year or
so that I have been running.
I am not sure what caused it -- possibly me hammering the connection (and my
poor no-math-coprocessor-having 486 firewall) or my upstream router deciding
that it didn't like my traffic for a while. I have an inkling that it was
Pac Bell's routers, but I cannot confirm that. I'm waiting for it to do that
again, so I can truss natd or test the connection on my Windows machine.

At any rate, I like logging on most of my deny rules. You see all kinds of
neat stuff even on a home DSL connection.

-Dean
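
An added example, not part of the original message: one way to run the check suggested above, by listing which hits on the two logged multicast deny rules (00049 and 00050) appear in syslog shortly before each natd "failed to write packet back" line. The ipfw log line format, the addresses, the interface names and the 5-second window are assumptions; only the natd line is taken from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines. Only the natd text matches the line quoted in
# the thread; the ipfw lines assume the "ipfw: <rule> Deny ..." kernel log
# format and use made-up addresses and interface names.
SAMPLE_LOG = """\
Jan 26 15:20:02 victim /kernel: ipfw: 50 Deny UDP 192.0.2.10:5353 224.0.0.251:5353 out via ed1
Jan 26 15:23:47 victim /kernel: ipfw: 49 Deny UDP 224.0.0.9:520 192.0.2.1:520 in via ed0
Jan 26 15:23:48 victim /kernel: ipfw: 65000 Deny TCP 198.51.100.7:4021 192.0.2.1:23 in via ed0
Jan 26 15:23:49 victim natd[125]: failed to write packet back (No route to host)
Jan 26 15:40:11 victim natd[125]: failed to write packet back (No route to host)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
IPFW = re.compile(r"ipfw: (\d+) Deny ")
NATD_FAIL = re.compile(r"natd\[\d+\]: failed to write packet back")
WATCHED_RULES = {49, 50}  # the two multicast deny rules from the message

def correlate(log_text, window_seconds=5, year=2000):
    """Return [(natd_line, [watched deny lines logged within the window before it])]."""
    window = timedelta(seconds=window_seconds)
    denies, results = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year; supply one so parsing is unambiguous
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rule = IPFW.search(m.group(2))
        if rule and int(rule.group(1)) in WATCHED_RULES:
            denies.append((ts, raw))
        elif NATD_FAIL.search(m.group(2)):
            near = [line for t, line in denies if timedelta(0) <= ts - t <= window]
            results.append((raw, near))
    return results

if __name__ == "__main__":
    for failure, near in correlate(SAMPLE_LOG):
        print(failure)
        for line in near or ["(no multicast deny logged just before)"]:
            print("    " + line)
```

A failure with no nearby deny line, like the second one in the sample, points away from the multicast rules as the cause.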