From owner-freebsd-questions Thu Feb 22 1:13:57 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id C427037B401 for ; Thu, 22 Feb 2001 01:13:54 -0800 (PST) (envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 22 Feb 2001 01:08:22 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1M99jc90716; Thu, 22 Feb 2001 01:09:45 -0800 (PST) (envelope-from cjc)
Date: Thu, 22 Feb 2001 01:09:43 -0800
From: "Crist J. Clark"
To: Kathy Quinlan
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Natd errors
Message-ID: <20010222010943.E89396@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <00f901c09c73$7e036e20$fe00a8c0@kat.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00f901c09c73$7e036e20$fe00a8c0@kat.lan>; from katinka@magestower.com on Thu, Feb 22, 2001 at 09:59:02AM +0800
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Feb 22, 2001 at 09:59:02AM +0800, Kathy Quinlan wrote:
> Hi all,
>
> I have an error coming up on my server; it has only started occurring since
> I put natd up (funny that).

Well, it would really have been something if you had been getting errors
from natd(8) when you were not running it.

> The error is as follows:
> Feb 22 10:00:05 serverbsd natd[104]: failed to write packet back (Permission
> denied)
> Feb 22 10:00:36 serverbsd last message repeated 3 times
>
> and at random intervals, I get up to 40 of these at once.
>
> Any ideas? If any further info is needed I can supply it :o)

These messages are produced when a translated packet is dropped later in
the firewall rules after being processed by natd(8). It is, generally
speaking, Not A Good Thing (but not a terribly Bad Thing either). It most
often implies that you are either denying replies that were added to the
NAT table on the way out or that you are doing some type of redirect and
doing the filter after natd.

In the first case, you are allowing traffic out, but not letting in the
replies back. You probably should be blocking the outgoing traffic in the
first place. In the second case, you are better off filtering all you can
before natd for both security and performance reasons.
--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
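The two failure modes Crist describes (replies denied after translation, and a redirect filtered after natd), shown as ipfw(8) rulesets. This is an added example, not code from the thread or from FreeBSD; it assumes a gateway whose external interface is fxp0 with public address 203.0.113.5, a LAN of 192.168.0.0/24 behind natd, and natd started with "-redirect_port tcp 192.168.0.10:80 80". Both rulesets are printed rather than loaded unless IPFW is set to the real binary, and a small lint flags the ordering mistake that produces the "failed to write packet back" log line.

```shell
#!/bin/sh
# Added example for the reply above; not from the original thread.
# Assumed setup (all constructed): external interface fxp0, public address
# 203.0.113.5, LAN 192.168.0.0/24, and natd run as
#   natd -n fxp0 -redirect_port tcp 192.168.0.10:80 80
# IPFW defaults to "echo" so the rulesets are printed, not loaded. On the
# gateway: IPFW=/sbin/ipfw sh natd-order.sh load
IPFW=${IPFW:-echo}
EXT=${EXT:-fxp0}
PUB=${PUB:-203.0.113.5}
LAN=${LAN:-192.168.0.0/24}
WEB=${WEB:-192.168.0.10}

# Ruleset that logs "failed to write packet back (Permission denied)".
# Everything on $EXT is diverted first. An inbound reply comes back from
# natd with its destination rewritten to a LAN address and re-enters ipfw
# at the rule after the divert, where the anti-spoof deny at 300 drops it;
# natd's write to the divert socket then fails with the EACCES it logs as
# "Permission denied". The redirected SYN, rewritten to $WEB, dies at the
# same rule, which is the "redirect with the filter after natd" case.
bad_rules() {
  $IPFW add 100 divert natd ip from any to any via $EXT
  $IPFW add 200 allow ip from any to any out via $EXT
  $IPFW add 300 deny ip from any to $LAN in via $EXT
  $IPFW add 400 allow tcp from any to any established
  $IPFW add 65000 deny log ip from any to any
}

# Same policy with the filtering done on untranslated addresses before the
# divert, as the reply recommends. Unwanted inbound SYNs never reach natd.
good_rules() {
  $IPFW add 100 deny ip from $LAN to any in via $EXT
  $IPFW add 110 deny ip from any to $LAN in via $EXT
  $IPFW add 120 allow tcp from any to $PUB 80 in via $EXT setup
  $IPFW add 130 deny log tcp from any to any in via $EXT setup
  $IPFW add 200 divert natd ip from any to any via $EXT
  # Post-translation: outbound packets carry src $PUB; inbound replies and
  # the redirected SYN carry LAN destinations, so they are allowed here.
  $IPFW add 300 allow tcp from any to any established
  $IPFW add 310 allow ip from $PUB to any out via $EXT
  $IPFW add 320 allow udp from any 53 to $LAN in via $EXT
  $IPFW add 330 allow tcp from any to $WEB 80 in via $EXT setup
  $IPFW add 65000 deny log ip from any to any
}

# Lint for the mistake above: any "deny ... to $LAN in via $EXT" numbered
# after the divert rule will fire on natd's re-injected packets.
# Takes a ruleset function name; returns 0 when the ordering is safe.
check_order() {
  ( IPFW=echo; "$1" ) | awk -v lan="$LAN" -v ext="$EXT" '
    BEGIN { bad = 0; divert = 0 }
    $1 == "add" { n = $2 + 0 }
    $3 == "divert" { divert = n }
    $3 == "deny" && index($0, "to " lan " in via " ext) > 0 &&
      divert > 0 && n > divert { bad = 1 }
    END { exit bad }'
}

check_order bad_rules  || echo "bad_rules: LAN deny after divert, expect EACCES from natd"
check_order good_rules && echo "good_rules: LAN denies precede divert"
if [ "${1:-}" = load ]; then $IPFW -f flush; good_rules; fi
```

Run it with no arguments to see the lint verdict; the "load" argument flushes and installs good_rules through whatever IPFW points at. The lint only reads the rule text it prints, so it does not need ipfw present, and it checks exactly one pattern: a deny on inbound-to-LAN traffic that sits after the divert. Denies on other translated addresses (for example the redirect target on a different port) would need an extra match in the awk.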