Date: Sat, 2 Dec 2000 13:11:37 -0800 (PST)
From: Gordon Tetlow <gordont@bluemtn.net>
To: Frederik Meerwaldt <frederik@freddym.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: natd bug
Message-ID: <Pine.BSF.4.05.10012021305030.24235-200000@sdmail0.sd.bmarts.com>
In-Reply-To: <Pine.BSF.4.21.0011302021590.20212-100000@server.wes.mee.com>
[-- Attachment #1 --]

I'll add another data point if I can. I also get this message from my
working firewall box. I get it even when all the machines behind the
firewall are powered down. And I get it a lot. Attached are my firewall
rules and dmesg.

-gordon

Also, here are the arguments I pass to natd:

/sbin/natd -dynamic -unregistered_only -use_sockets -punch_fw 3850:10 -n vx0

On Thu, 30 Nov 2000, Frederik Meerwaldt wrote:

> Date: Thu, 30 Nov 2000 20:25:15 +0100 (CET)
> From: Frederik Meerwaldt <frederik@freddym.org>
> To: freebsd-hackers@freebsd.org
> Subject: natd bug
>
> Hi there!
>
> I was just looking why my natd doesn't work, when I discovered the
> following bug (?):
>
> I compiled my kernel with IPDIVERT IPFIREWALL and
> IPFIREWALL_DEFAULT_TO_ACCEPT and I set up only one rule:
> ipfw add divert natd all from any to any via isp0
> Then I started natd (at boot time):
> natd -unregistered_only -dynamic -n isp0
> But when a package arrives (doesn't matter from localhost or another
> host), natd gives out a kernel message:
>
> Nov 30 15:03:06 server natd[195]: failed to write packet back (Permission
> denied)
>
> What does that mean? I started natd from my rc.local, so it runs as root
> and it should have all permissions.
>
> Thanks in advance!
> Best Regards,
> Freddy
>
> --
> Geek Code 3.1: GCS s+: a--- C+++ UBOU+++ P-- E--- W++ N w--- V++ PGP- t? 5?
> tv
>
> =====================================================================
> Frederik Meerwaldt ICQ: 83045387 Homepage: http://www.freddym.org
> Bavaria/Germany OpenVMS and Unix Howtos and much more
> FreeBSD, NetBSD, OpenBSD, Tru64, OpenVMS, Ultrix, BeOS, Linux

[-- Attachment #2 --]

gordont@hobbes:~$ su -
Password:
hobbes# ipfw list
00100 allow ip from any to any via lo0
00150 allow ip from 127.0.0.1 to 127.0.0.1
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 192.168.5.0/24 to any in recv vx0
00400 deny ip from 192.168.6.0/24 to any in recv vx0
00500 deny ip from 24.30.140.0/24 to any in recv xl0
00600 deny ip from 24.30.140.0/24 to any in recv wi0
00700 deny ip from any to 10.0.0.0/8 via vx0
00800 deny ip from any to 172.16.0.0/12 via vx0
00900 deny ip from any to 192.168.0.0/16 via vx0
01000 deny ip from any to 0.0.0.0/8 via vx0
01100 deny ip from any to 169.254.0.0/16 via vx0
01200 deny ip from any to 192.0.2.0/24 via vx0
01300 deny ip from any to 224.0.0.0/4 via vx0
01400 deny ip from any to 240.0.0.0/4 via vx0
01500 divert 8668 ip from any to any via vx0
01600 deny ip from 10.0.0.0/8 to any via vx0
01700 deny ip from 172.16.0.0/12 to any via vx0
01800 deny ip from 192.168.0.0/16 to any via vx0
01900 deny ip from 0.0.0.0/8 to any via vx0
02000 deny ip from 169.254.0.0/16 to any via vx0
02100 deny ip from 192.0.2.0/24 to any via vx0
02200 deny ip from 224.0.0.0/4 to any via vx0
02300 deny ip from 240.0.0.0/4 to any via vx0
02400 allow tcp from any to any established
02500 allow ip from any to any frag
02600 allow tcp from any to 24.30.140.55 53 setup
02700 allow udp from any to 24.30.140.55 53
02800 allow udp from 24.30.140.55 53 to any
02900 allow tcp from any to 192.168.5.1 53 setup
03000 allow udp from any to 192.168.5.1 53
03100 allow udp from 192.168.5.1 53 to any
03200 allow tcp from any to 192.168.6.1 53 setup
03300 allow udp from any to 192.168.6.1 53
03400 allow udp from 192.168.6.1 53 to any
03500 allow tcp from any to 24.30.140.55 80 setup
03600 allow tcp from any to 24.30.140.55 22 setup
03700 allow tcp from any to 24.30.140.55 113 setup
03800 allow icmp from any to any
03900 deny log logamount 100 tcp from any to any in recv vx0 setup
04000 allow tcp from any to any setup
04100 allow udp from any 53 to 24.30.140.55
04200 allow udp from 24.30.140.55 to any 53
04300 allow udp from any 123 to 24.30.140.55
04400 allow udp from 24.30.140.55 to any 123
65535 deny ip from any to any
hobbes# dmesg
Copyright (c) 1992-2000 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 4.2-RELEASE #4: Fri Dec  1 01:48:57 PST 2000
    root@hobbes.obfuscated.org:/usr/src/sys/compile/HOBBES
Timecounter "i8254"  frequency 1193182 Hz
Timecounter "TSC"  frequency 199432868 Hz
CPU: Pentium Pro (199.43-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x617  Stepping = 7
  Features=0xf9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV>
real memory  = 100663296 (98304K bytes)
avail memory = 94855168 (92632K bytes)
Preloaded elf kernel "kernel" at 0xc0303000.
Pentium Pro MTRR support enabled
md0: Malloc disk
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
isab0: <Intel 82371SB PCI to ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX3 ATA controller> port 0xffa0-0xffaf at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
pci0: <Matrox MGA Millennium 2064W graphics accelerator> at 11.0 irq 11
vx0: <3COM 3C590 Etherlink III PCI> port 0xff80-0xff9f irq 10 at device 17.0 on pci0
utp[*utp*] address 00:a0:24:c6:17:d9
vx0: driver is using old-style compatability shims
xl0: <3Com 3c900B-TPO Etherlink XL> port 0xfc80-0xfcff mem 0xffbebc00-0xffbebc7f irq 10 at device 19.0 on pci0
xl0: Ethernet address: 00:50:04:80:ec:b4
xl0: selecting 10baseT transceiver, half duplex
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model Generic PS/2 mouse, device ID 0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
pcic0: <Vadem 469> at port 0x3e0 iomem 0xd0000 on isa0
pcic0: Polling mode
pccard0: <PC Card bus -- kludge version> on pcic0
pccard1: <PC Card bus -- kludge version> on pcic0
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging limited to 100 packets/entry by default
ad0: 2441MB <WDC AC32500H> [4960/16/63] at ata0-master WDMA2
ad1: 4103MB <ST34321A> [8894/15/63] at ata0-slave WDMA2
acd0: CDROM <TOSHIBA CD-ROM XM-6602B> at ata1-master using WDMA2
Mounting root from ufs:/dev/ad0s1a
pccard: card inserted, slot 0
wi0: <WaveLAN/IEEE 802.11> at port 0x240-0x27f irq 5 slot 0 on pccard0
wi0: Ethernet address: 00:60:1d:03:ed:05
ipfw: 3900 Deny TCP 24.13.101.127:1325 24.30.140.55:1234 in via vx0
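The message natd logs is the write to the divert socket failing with EACCES: when natd writes a packet back, ipfw resumes at the rule after the divert rule, and a deny there is returned to natd as "Permission denied". As an added example that is not part of the thread, the Python below models ipfw first-match evaluation over a constructed subset of Gordon's ipfw list; the packet dictionary keys (proto, src, sport, dst, dport, iface, dir, flags) and the simplified handling of via/recv/in/setup are assumptions of this toy, not ipfw's real matcher.

```python
# Added example (not from the thread): a toy ipfw first-match model over a constructed subset of Gordon's rules.
import ipaddress

RULESET = """\
01500 divert 8668 ip from any to any via vx0
03900 deny log logamount 100 tcp from any to any in recv vx0 setup
04000 allow tcp from any to any setup
04200 allow udp from 24.30.140.55 to any 53
65535 deny ip from any to any"""

def _endpoint(tok, i):
    # 'any' | addr | net at tok[i], optionally followed by a port number
    net = ipaddress.ip_network("0.0.0.0/0" if tok[i] == "any" else tok[i], strict=False)
    port = int(tok[i + 1]) if i + 1 < len(tok) and tok[i + 1].isdigit() else None
    return net, port, i + 1 + (port is not None)

def parse_rule(line):
    tok = line.split()
    num, action, i = int(tok[0]), tok[1], 2
    i += action == "divert"                    # skip the divert port
    while tok[i] in ("log", "logamount"):      # skip logging options
        i += 2 if tok[i] == "logamount" else 1
    proto, i = tok[i], i + 2                   # proto, then skip 'from'
    src, sport, i = _endpoint(tok, i)
    dst, dport, i = _endpoint(tok, i + 1)      # skip 'to'
    opts = {}
    while i < len(tok):                        # 'via' and 'recv' take an argument
        argd = tok[i] in ("via", "recv")
        opts[tok[i]] = tok[i + 1] if argd else True
        i += 2 if argd else 1
    return dict(num=num, action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, opts=opts)

def matches(r, pkt):
    # Simplified ipfw match: proto, addresses, ports, direction, interface, TCP flags
    ok = (r["proto"] in ("ip", pkt["proto"]) and ipaddress.ip_address(pkt["src"]) in r["src"]
          and ipaddress.ip_address(pkt["dst"]) in r["dst"]
          and r["sport"] in (None, pkt["sport"]) and r["dport"] in (None, pkt["dport"]))
    for k, v in r["opts"].items():
        if k == "via":           ok &= v == pkt["iface"]
        elif k == "recv":        ok &= pkt["dir"] == "in" and v == pkt["iface"]
        elif k in ("in", "out"): ok &= k == pkt["dir"]
        else:                    ok &= k in pkt["flags"]  # setup, established, frag
    return ok

def natd_writeback(rules, pkt):
    # First match must be the divert rule; ipfw resumes after it on write-back, so the second match decides.
    hits = [r for r in rules if matches(r, pkt)]
    assert hits[0]["action"] == "divert", "packet never reaches natd"
    return hits[1]["num"], hits[1]["action"]

RULES = [parse_rule(line) for line in RULESET.splitlines()]
```

With this ruleset an outbound UDP packet from the firewall itself that matches none of the DNS/NTP rules falls through to 65535 after the divert, which is enough to produce the message even with every LAN host powered off; the inbound SYN case reproduces the rule 3900 hit seen at the end of the dmesg.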
