From: Kirk Brogdon
To: freebsd-questions@freebsd.org
Date: Mon, 23 Oct 2000 13:19:59 -0800
Subject: natd / tcpdump diag question
Message-ID: <20001023131959.A212@bsd1.alaptech.com>

This is a repost from a week or so ago with some updated info. . . .

4.1.1 Stable
cable modem on fxp0
lan on rl0 (3 Win98 boxes)

I started getting flooded with the "natd[]: failed to write packet back, (host is down)" messages. I found some archives where Crist Clark said to run tcpdump on the interface and look for arps that weren't getting an answer. I tried that first on the outside net I/F (fxp0 in my case) since that is how I have the natd interface configured in rc.conf (natd_interface="fxp0"). This gave me what appeared to be every arp request for the cable network.

I then tried the tcpdump on my lan I/F (rl0) and got the following:

    11:31:47.774308 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
    11:32:05.846045 arp who-has bsd1.alaptech.com tell alap2.alaptech.com
    11:32:05.846078 arp reply bsd1.alaptech.com is-at 0:e0:29:70:43:5d
    11:32:17.774797 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
    11:32:47.774879 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
    11:33:17.775523 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6

I have no idea who 132.17.0.60 is nor why I would see the requests on my lan I/F. I did a traceroute on that IP and got as far as 132.17.120.11 (about 18 hops). If I try and ping 132.17.0.60, it is refused (I assume it is behind a firewall).

I did disconnect the lan from the FBSD box and the messages stopped. I was able to track it down to one Win98 machine (by trial and error) but I still don't get it. The mac is not the same as what is in that box (according to Win98 anyway) nor is the IP. The Win98 box seems to be working fine. Why would it be generating these arp requests over and over? Is the card bad? Is someone doing bad things to me? Can anyone tell me what is going on and how I can make it stop?

I do have my firewall set to open in rc.conf (that's another issue), should that have anything to do with it. If I set my firewall to simple, the messages go away but my lan doesn't get beyond the FBSD box. Any help diagnosing would be appreciated.

On a side note, if anyone could send me an example rule set for a simple IPFW firewall that will allow my 192.168.x.x network (using natd) to browse - I have man'd ipfw and gone through the archives but I haven't had much luck trying the suggestions I have found - I know configuring ipfw rule sets is a rite of passage but I could sure use a point in the right direction.

Thanks - Kirk

--
ALAP Technology
PO Box 672298
Chugiak, AK - USA 99567
(907) 688 8843
www.alaptech.com
Specializing in Open Source Solutions (but not very well at the moment)
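
The check described in the message above (run tcpdump on an interface and look for ARP requests that never get an answer) can be automated over saved tcpdump output. The following is an added example, not part of the original post; the function name unanswered_arp and the SAMPLE constant are made up for illustration, and SAMPLE holds the capture lines quoted in the message.

```python
import re

# Matches the ARP lines as quoted in the message, and also the form newer
# tcpdump releases print ("ARP, Request who-has X tell Y, length 28").
WHO_HAS = re.compile(r"who-has (\S+)(?: \(\S+\))? tell ([^\s,]+)", re.I)
REPLY = re.compile(r"reply (\S+) is-at ([0-9a-f:]+)", re.I)

# Capture lines copied from the message above.
SAMPLE = """\
11:31:47.774308 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
11:32:05.846045 arp who-has bsd1.alaptech.com tell alap2.alaptech.com
11:32:05.846078 arp reply bsd1.alaptech.com is-at 0:e0:29:70:43:5d
11:32:17.774797 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
11:32:47.774879 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
11:33:17.775523 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
"""


def unanswered_arp(lines):
    """Return [(target, asker, request_count)] for who-has requests whose
    target never appears in an ARP reply anywhere in the capture."""
    pending = {}      # (target, asker) -> number of requests seen
    answered = set()  # targets that some host replied for
    for line in lines:
        m = WHO_HAS.search(line)
        if m:
            key = (m.group(1), m.group(2))
            pending[key] = pending.get(key, 0) + 1
            continue
        m = REPLY.search(line)
        if m:
            answered.add(m.group(1))
    # dicts keep insertion order, so results follow first appearance
    return [(t, a, n) for (t, a), n in pending.items() if t not in answered]


if __name__ == "__main__":
    for target, asker, count in unanswered_arp(SAMPLE.splitlines()):
        print(f"{asker} asked for {target} {count} times, no reply seen")
```

Run tcpdump with -n when collecting input so that a request and its reply name the target the same way (both as addresses rather than one resolved to a hostname).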