From owner-freebsd-ipfw Wed Aug  2 16:45:55 2000
Date: Tue, 1 Aug 2000 01:17:09 +0200
From: Shaun Jurrens <shaun@shamz.net>
To: freebsd-ipfw@FreeBSD.ORG
Subject: connections via natd dying in natd
Message-ID: <20000801011709.B4159@dakota.priv.shamz.net>
X-Mailer: Mutt 1.0.1i

Hi all,

I have been struggling with this problem for a number of months, actually. I had it using 3-STABLE boxes, and now with one 4-STABLE box through the 3(.5)-STABLE natd gateway the same problem occurs.

The problem: connections via natd suddenly drop and, simultaneously, I get errors on the console for the gateway box that natd has "failed to write the packet back (Permission denied)". This is almost exclusively with ssh connections (mostly because they are the most constant long-time connections I have to notice this behavior). I have searched the lists and done the arp -s to set a permanent arp setting on all interfaces. I am also on a cable modem (chello).
Even stranger, if I don't wait for the session to time out and kill the xterm, the connection stays up on the foreign host for _days_ (there are currently zombie sessions alive that are more than a week old). I do _not_ have the same behavior if I log to/from the gateway box to/from a foreign host. I find this more than a little disturbing.

Well, down to the OS specifics:

    FreeBSD johnny 3.5-STABLE FreeBSD 3.5-STABLE #0: Sat Jun 24 23:35:28 CEST 2000

    natd_flags="-f /etc/natd.conf"

/etc/natd.conf:

    log yes
    unregistered_only yes
    use_sockets yes
    dynamic yes
    interface xl0

Some relevant sysctl's:

    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.one_pass: 1
    net.inet.ip.fw.debug: 1
    net.inet.ip.fw.verbose: 1
    net.inet.ip.fw.verbose_limit: 100
    net.inet.ip.fw.dyn_buckets: 256
    net.inet.ip.fw.curr_dyn_buckets: 256
    net.inet.ip.fw.dyn_count: 230
    net.inet.ip.fw.dyn_max: 1000
    net.inet.ip.fw.dyn_ack_lifetime: 1320
    net.inet.ip.fw.dyn_syn_lifetime: 20
    net.inet.ip.fw.dyn_fin_lifetime: 20
    net.inet.ip.fw.dyn_rst_lifetime: 5
    net.inet.ip.fw.dyn_short_lifetime: 5
    net.inet.tcp.rfc1323: 1
    net.inet.tcp.rfc1644: 0
    net.inet.tcp.mssdflt: 512
    net.inet.tcp.rttdflt: 3
    net.inet.tcp.keepidle: 1200
    net.inet.tcp.keepintvl: 150
    net.inet.tcp.sendspace: 16384
    net.inet.tcp.recvspace: 16384
    net.inet.tcp.keepinit: 150
    net.inet.tcp.log_in_vain: 1
    net.inet.tcp.delayed_ack: 1
    net.inet.tcp.restrict_rst: 1
    net.inet.tcp.pcbcount: 23
    net.inet.tcp.always_keepalive: 1

An additional and perhaps related problem is one with passive ftp. I should probably take an entire mail for it alone, but suffice it to say, active ftp works if I open the ports, but passive ftp causes the same failed packet errors. I know how passive ftp works, and if I open ports from > 1024 to those (at least for fbsd ftpd's) on the server, 49152-65535, I should be able to initiate a data channel. Well, I have had no success.
The rule that I propose should work looks like this:

    $fwcmd add 10202 allow tcp from ${intnet}:${intmask} 1025-65535 to any 49152-65535 setup keep-state

(wrapped here with )

I've tried to tcpdump the connections, but it's a little difficult to watch so many things at the same time: natd aliases, two tcpdumps, and fw rules. I don't see anything hitting a rule either.

The first problem is more aggravating. The second one I have an awkward hack for. Guess I could use some suggestions from people more knowledgeable than I....

A final plea as long as I'm begging anyway: Could someone fix the mailing list search engine? If I can help with it let me know. I use it often, and it is a constant source of frustration, because it is so broken.

I'd appreciate a CC as well, because I prefer to track the lists via web.

Thanks in advance for any assistance.

-- 
Yours truly,
Shaun D. Jurrens
shaun@shamz.net
shamz@freenix.no
IRCNET nick: shamz #chillout #unix #FreeBSD
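An added illustration, not from the poster and not FreeBSD's code, of one mechanism that produces exactly the symptom above: a long-idle ssh session outlives the ipfw keep-state entry created by a "setup keep-state" rule, after which its packets are judged by the static rules alone, and if those deny the packet natd re-injects, natd's write to the divert socket fails with "Permission denied". The script is a simplified model of ipfw dynamic-rule ageing using the dyn_*_lifetime values quoted in the mail; the state transitions are an approximation of ipfw's, and the sample session is constructed.

```python
# Added example (not the poster's code): a simplified model of how an ipfw
# 'keep-state' dynamic rule ages out for one TCP flow. Lifetimes are the
# net.inet.ip.fw.dyn_* sysctl values quoted in the mail, in seconds.

LIFETIME = {"syn": 20, "ack": 1320, "fin": 20, "rst": 5}


def next_state(state, flags):
    """Pick the lifetime class a packet's TCP flags move the rule into."""
    if "R" in flags:
        return "rst"
    if "F" in flags:
        return "fin"
    if "S" in flags:
        return "syn"                     # handshake still in progress
    if "A" in flags and state == "syn":
        return "ack"                     # established: long dyn_ack_lifetime
    return state


def simulate(packets):
    """packets: (seconds, flags) in time order for one flow. Returns
    (seconds, flags, matched); matched=False means the dynamic rule had
    expired, so the packet is judged by the static rules instead."""
    state, expires, out = None, 0.0, []
    for t, flags in packets:
        if state is None or t > expires:
            if flags != "S":             # only a bare SYN satisfies 'setup'
                out.append((t, flags, False))
                continue
            state = "syn"                # (re)create the dynamic rule
        else:
            state = next_state(state, flags)
        expires = t + LIFETIME[state]
        out.append((t, flags, True))
    return out


def first_fallthrough(packets):
    """Seconds at which the flow first misses its dynamic rule, or None."""
    for t, _flags, matched in simulate(packets):
        if not matched:
            return t
    return None


# Constructed sample: an ssh session idle for longer than dyn_ack_lifetime.
SESSION = [(0.0, "S"), (0.1, "SA"), (0.2, "A"),  # three-way handshake
           (600.0, "PA"),                         # keystroke after 10 min idle
           (1921.0, "PA")]                        # 1321 s later: entry expired
```

With the quoted lifetimes, any gap longer than 1320 seconds between packets of an established flow drops the entry; comparing that figure with the endpoints' TCP keepalive interval (and with whatever static rule follows the divert rule) is the first thing to check when natd reports the write-back failure.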