From owner-freebsd-security Sun Nov 26 21:07:05 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id CA05937B479 for ; Sun, 26 Nov 2000 21:07:01 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 26 Nov 2000 21:05:19 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAR56eo74130; Sun, 26 Nov 2000 21:06:40 -0800 (PST) (envelope-from cjc)
Date: Sun, 26 Nov 2000 21:06:34 -0800
From: "Crist J . Clark"
To: Nuno Teixeira
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001126210634.O70192@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com> <003301c05812$0f7deb60$0200a8c0@n2>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <003301c05812$0f7deb60$0200a8c0@n2>; from nuno.teixeira@pt-quorum.com on Mon, Nov 27, 2000 at 01:33:32AM -0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Nov 27, 2000 at 01:33:32AM -0000, Nuno Teixeira wrote:
> Hello,
>
> 1. Ok. It works. Now I can traceroute others but the outside can't
> traceroute me. The result is:
>
> "65435 Deny UDP other_server:65302 my_server:33509 in via tun0"

Oh, you wanted to allow traceroutes in? Someone else posted the rules
to allow it in and also mentioned that it is a really big hole to put
in the firewall. But to review, you basically just need to allow the
same stuff in the other direction.

> 2. I found one problem: when I log in to another computer via FTP and
> I make a "ls" I get the log:
>
> "65435 Deny TCP ftp_server:20 my_server:49152 in via tun0"
>
> Did I forget something?

Your ftp-data connection is being denied. FTP is an ugly, ugly
protocol for firewalls since it uses two channels, i.e. two completely
independent TCP connections. That looks like a failure of a data
connection initiated with a PORT command. Use passive (PASV) FTP. It
should work fine.
--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
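The two denials quoted in this message are recognisable from the log line alone: an inbound TCP connection whose source port is 20 is the server side of an active-mode (PORT) FTP data channel, and an inbound UDP packet to a high port in the 33434 range is a traceroute probe. The following classifier is an added example written for this page, not code from the thread or from FreeBSD. It assumes the log layout shown in the quoted lines (rule number, action, protocol, src:port, dst:port, direction, "via", interface) and a traceroute probe range of 33434 to 33534; the placeholder host names and the two extra sample lines are constructed here.

```python
"""Classify ipfw 'Deny' log lines such as the ones quoted in the thread.

Added example for this page; the log format, the traceroute port range and
the sample lines are assumptions, not output from the poster's system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches lines like:  65435 Deny TCP ftp_server:20 my_server:49152 in via tun0
# Host fields are free text because the poster replaced addresses with names.
LOG_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<action>Accept|Deny)\s+(?P<proto>[A-Z]+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)$"
)

FTP_DATA_PORT = 20
# Assumed UDP traceroute probe range: base 33434, up to 100 probes.
TRACEROUTE_PORTS = range(33434, 33535)


@dataclass(frozen=True)
class LogEntry:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


@dataclass(frozen=True)
class Verdict:
    kind: str
    explanation: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None when the line is not in the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return LogEntry(int(g["rule"]), g["action"], g["proto"], g["src"],
                    int(g["sport"]), g["dst"], int(g["dport"]),
                    g["direction"], g["iface"])


def classify(entry: LogEntry) -> Verdict:
    """Name the likely cause of a denial using only the fields in the log line."""
    if entry.action != "Deny":
        return Verdict("allowed", "not a denial")
    # Server-initiated data channel of active FTP: remote port 20 -> our high port.
    if entry.proto == "TCP" and entry.direction == "in" and entry.sport == FTP_DATA_PORT:
        return Verdict("active-ftp-data",
                       "active (PORT) FTP data connection from the server; "
                       "use passive (PASV) FTP so the client opens both channels")
    # Unsolicited UDP to the traceroute probe range: someone tracing to us.
    if entry.proto == "UDP" and entry.direction == "in" and entry.dport in TRACEROUTE_PORTS:
        return Verdict("inbound-traceroute-probe",
                       "UDP traceroute probe from outside; allowing it means "
                       "accepting any UDP to those ports, which the thread calls a big hole")
    return Verdict("other-deny", "denied traffic not covered by the two cases above")


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count verdict kinds across a batch of log lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        entry = parse_line(line)
        kind = classify(entry).kind if entry else "unparsed"
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: the two lines quoted in the thread plus two made-up ones
# (an SSH attempt, and an ICMP line whose format the regex does not cover).
SAMPLE_LOG = [
    "65435 Deny UDP other_server:65302 my_server:33509 in via tun0",
    "65435 Deny TCP ftp_server:20 my_server:49152 in via tun0",
    "65435 Deny TCP 192.0.2.10:40000 my_server:22 in via tun0",
    "65435 Deny ICMP:8.0 other_server my_server in via tun0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_line(line)
        verdict = classify(entry) if entry else Verdict("unparsed", "format not recognised")
        print(f"{verdict.kind:26} {line}\n    {verdict.explanation}")
    print(summarize(SAMPLE_LOG))
```

The classifier deliberately keys active FTP on the source port of an inbound TCP setup rather than on the destination port, because the client-side port (49152 here) is ephemeral and will differ on every transfer, while the server-side data port is fixed at 20 for PORT-mode transfers.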