Date: Mon, 13 Aug 2001 15:49:03 -0500
From: David Kelly
To: Nick Rogness
Cc: Adrian Browne, freebsd-questions@FreeBSD.ORG
Subject: Re: natd[231]: failed to write packet back (Permission denied)
Message-ID: <20010813154903.B24678@grumpy.dyndns.org>

On Mon, Aug 13, 2001 at 02:52:40PM -0500, Nick Rogness wrote:
> On Mon, 13 Aug 2001, Adrian Browne wrote:
>
> > natd[231]: failed to write packet back (Permission denied)
>
> Your firewall is blocking something. Turn on logging and submit
> logs. Both ipfw and nat logs preferred along with your firewall
> setup (ipfw -a l) and natd configuration.

Hopefully you have all "deny" rules logging. Then match time stamp
between /var/log/messages and /var/log/security. If you don't have
"deny log" rules then start cloning your denys with a logging version
inserted just before the original until you find the problem rule.
Multiple xterms running "tail -f", one on each log file, is also
extremely helpful.

While natd may not be able to determine which rule denied the packet on
reinsertion I've often wished natd could at least list the source and
destination address and ports with its error message. Have wished, but
always in the heat of battle when the problem comes up.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
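
The timestamp matching between /var/log/messages and /var/log/security described in the message above, as an added example that is not part of the original post. The log lines are constructed samples; the host name `gw`, the rule numbers, the addresses, the year and the two-second window are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread), in the usual syslog layouts.
MESSAGES = """\
Aug 13 15:41:07 gw natd[231]: failed to write packet back (Permission denied)
Aug 13 15:41:09 gw sshd[412]: Accepted password for admin from 192.168.1.20
Aug 13 15:44:52 gw natd[231]: failed to write packet back (Permission denied)
"""
SECURITY = """\
Aug 13 15:39:30 gw /kernel: ipfw: 65000 Deny UDP 203.0.113.9:137 198.51.100.2:137 in via ed0
Aug 13 15:41:07 gw /kernel: ipfw: 1900 Deny TCP 192.168.1.20:1034 203.0.113.80:80 out via ed0
Aug 13 15:44:53 gw /kernel: ipfw: 1900 Deny TCP 192.168.1.21:1050 203.0.113.80:443 out via ed0
"""

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
NATD_RE = re.compile(STAMP + r" \S+ natd\[\d+\]: failed to write packet back")
IPFW_RE = re.compile(STAMP + r" .*ipfw: (?P<rule>\d+) Deny (?P<pkt>.*)")

def parse_ts(text, year=2001):
    # Syslog timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def correlate(messages, security, window=timedelta(seconds=2)):
    """Pair each natd write failure with ipfw denies logged within `window`."""
    denies = [(parse_ts(m["ts"]), int(m["rule"]), m["pkt"])
              for m in map(IPFW_RE.match, security.splitlines()) if m]
    pairs = []
    for line in messages.splitlines():
        m = NATD_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        when = parse_ts(m["ts"])
        near = [(rule, pkt) for ts, rule, pkt in denies
                if abs(ts - when) <= window]
        pairs.append((m["ts"], near))
    return pairs

def suspect_rules(pairs):
    """Rank rule numbers by how many natd failures they coincide with."""
    return Counter(rule for _, near in pairs for rule, _ in near).most_common()

if __name__ == "__main__":
    for stamp, near in correlate(MESSAGES, SECURITY):
        print(stamp, near or "no logged deny nearby; more deny rules need 'log'")
    print(suspect_rules(correlate(MESSAGES, SECURITY)))
```

A natd failure with no deny line inside the window means the rule that dropped the packet is not logging yet, which is the case the cloned "deny log" rules are meant to expose.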