From owner-freebsd-security Thu Dec 6 0:46:54 2001
Date: Thu, 6 Dec 2001 00:46:42 -0800
From: "Crist J . Clark"
To: Mike D
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw/natd problem?
Message-ID: <20011206004642.T3061@blossom.cjclark.org>
References: <20011206071926.QTHW27606.mta05-svc.ntlworld.com@there> <20011205233229.R3061@blossom.cjclark.org> <20011206073509.QFVP16633.mta01-svc.ntlworld.com@there>
In-Reply-To: <20011206073509.QFVP16633.mta01-svc.ntlworld.com@there>; from d01f1n@yahoo.com on Thu, Dec 06, 2001 at 07:34:57AM +0000
X-URL: http://people.freebsd.org/~cjc/

On Thu, Dec 06, 2001 at 07:34:57AM +0000, Mike D wrote:
> Any way I can suppress these / log them instead? Should I be getting them at
> all - have I forgotten to configure something for natd?

It means that packets are getting blocked after they go through
natd(8). You can log them by adding 'log' to rule 50000. But that
won't stop the messages you are seeing. You can stop the messages by
blocking the offending packets before the divert(4) rule. If you don't
want to do that, look for 'log_denied' in natd(8).
> On Thursday 06 December 2001 7:32 am, Crist J . Clark wrote:
> > On Thu, Dec 06, 2001 at 07:19:14AM +0000, Mike D wrote:
> > > I'm getting this error all the time since I've set up my FreeBSD 4.4 with
> > > ipfw and natd as part of the kernel.
> > >
> > > Dec 6 00:03:09 host4 natd[195]: failed to write packet back (Permission
> > > denied)
> > > Dec 6 00:13:53 host4 last message repeated 26 times
> > >
> > > This is the rules list I have for ipfw:
> > >
> > > 00050    24    1194 allow ip from any to any via lo0
> > > 00051     0       0 deny ip from any to 127.0.0.0/8
> > > 00052     0       0 deny ip from 127.0.0.0/8 to any
> > > 00060  1098  282242 divert 8668 ip from any to any via xl1
> > > 00100     0       0 allow ip from any to any via lo0
> > > 00100  4840 3315967 allow ip from any to any via xl0
> > > 00200     0       0 deny ip from any to 127.0.0.0/8
> > > 00200     1     540 allow udp from 194.168.8.100 53 to any in recv xl1
> > > 00201    37   10088 allow udp from 194.168.4.100 53 to any in recv xl1
> > > 00202     1      59 allow udp from any to 194.168.8.100 53 out xmit xl1
> > > 00203    37    2429 allow udp from any to 194.168.4.100 53 out xmit xl1
> > > 00300     0       0 deny ip from 127.0.0.0/8 to any
> > > 00400    39    2232 allow tcp from any to any out xmit xl1 setup
> > > 00401   933  257294 allow tcp from any to any via xl1 established
> > > 00450     0       0 allow tcp from any to any 22 setup
> > > 50000    50    9600 unreach host ip from any to any
> >
> > There they are. Any of those that went through natd(8) and hit this
> > rule will cause that.
> >
> > > 65535     1     328 deny ip from any to any
> > >
> > > Any suggestions as to what it could be? I'm really stumped - any help
> > > would be appreciated.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
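The reply above lists two ways to deal with the natd messages: put 'log' on the catch-all rule 50000 so the rejected packets show up in the ipfw log, and refuse the packets you never want translated before the divert rule so natd never has to write them back. The script below is an added example, not code from the thread or from FreeBSD; it rebuilds the posted ruleset in the FreeBSD 4.x ipfw(8) syntax with both changes applied. It assumes, from the posted rules, that xl1 is the external (NATed) interface, xl0 the internal one and that natd listens on divert port 8668; the specific pre-divert blocks (private source addresses and NetBIOS on the outside) are constructed illustrations, not something Mike reported seeing. By default it only prints the ipfw commands; on the gateway, `IPFW=ipfw sh ruleset.sh` applies them.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw(8)/natd(8) ruleset in FreeBSD
# 4.x syntax that applies both suggestions from the reply.
# Dry run by default: it prints the ipfw commands instead of running them.
#
# Assumed from the posted rules (not stated anywhere else on the page):
# xl1 = external, NATed interface; xl0 = internal; natd divert port 8668.
IPFW="${IPFW:-echo ipfw}"
EXT_IF="${EXT_IF:-xl1}"
INT_IF="${INT_IF:-xl0}"
NATD_PORT="${NATD_PORT:-8668}"

build_ruleset() {
    $IPFW -f flush

    # Loopback handling, as in the original rules 50-52.
    $IPFW add 50 allow ip from any to any via lo0
    $IPFW add 51 deny ip from any to 127.0.0.0/8
    $IPFW add 52 deny ip from 127.0.0.0/8 to any

    # Suggestion 2: refuse the offending packets *before* the divert rule.
    # A packet dropped here never reaches natd, so natd never tries to write
    # it back and never logs "failed to write packet back".
    # Constructed examples: inbound packets with private source addresses,
    # which cannot be legitimate on the external side, and NetBIOS noise.
    $IPFW add 55 deny log ip from 10.0.0.0/8 to any in recv $EXT_IF
    $IPFW add 56 deny log ip from 172.16.0.0/12 to any in recv $EXT_IF
    $IPFW add 57 deny log ip from 192.168.0.0/16 to any in recv $EXT_IF
    $IPFW add 58 deny log udp from any to any 137-139 in recv $EXT_IF

    # Everything else on the external interface goes through natd. A packet
    # natd writes back re-enters ipfw at the rule after this one, so every
    # rule below is evaluated against the translated packet.
    $IPFW add 60 divert $NATD_PORT ip from any to any via $EXT_IF

    # Internal side is trusted, as in the original rule 100.
    $IPFW add 100 allow ip from any to any via $INT_IF

    # DNS to the two resolvers from the posted rules.
    $IPFW add 200 allow udp from 194.168.8.100 53 to any in recv $EXT_IF
    $IPFW add 201 allow udp from 194.168.4.100 53 to any in recv $EXT_IF
    $IPFW add 202 allow udp from any to 194.168.8.100 53 out xmit $EXT_IF
    $IPFW add 203 allow udp from any to 194.168.4.100 53 out xmit $EXT_IF

    # Outbound TCP, established sessions, and inbound ssh.
    $IPFW add 400 allow tcp from any to any out xmit $EXT_IF setup
    $IPFW add 401 allow tcp from any to any via $EXT_IF established
    $IPFW add 450 allow tcp from any to any 22 setup

    # Suggestion 1: 'log' on the catch-all. Every packet that gets here after
    # passing through natd is now recorded by ipfw, which tells you what to
    # move into the pre-divert block above. This alone does not silence
    # natd's own message.
    $IPFW add 50000 unreach host log ip from any to any
}

build_ruleset
```

The 'log' keyword only produces output when the kernel was built with `options IPFIREWALL_VERBOSE` (or `net.inet.ip.fw.verbose` is set to 1), and `net.inet.ip.fw.verbose_limit` caps how many times one rule logs; raise it or the 50000 entries stop after the first few. The third option from the reply, natd's `-log_denied` flag, is passed through `natd_flags` in /etc/rc.conf on 4.x; see natd(8) for what it covers.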