Date:      Mon, 08 Nov 1999 19:08:52 -0500
From:      John <papalia@UDel.Edu>
To:        freebsd-questions@freebsd.org
Subject:   natd: failed to write packet back (permission denied)
Message-ID:  <4.1.19991108190040.009445c0@mail.udel.edu>

Hi all,

I've been getting the above natd message for quite some time now - I
believe it's recurred many many many thousand times from the looks of the
log :)

In trying to troubleshoot, I ran natd in verbose mode - all the rejects
are due to writes by 127.0.0.255.  I have no idea how to fix this.  If I
get rid of /etc/hosts.allow, everything works fine.  But, this seemed to be
rather important in setting up Samba.  What I have going right now is two
boxes - one Windows, one FreeBSD - as a 10. subnet.  They are connected to
the outside through my FreeBSD box (interface fxp1) on a static IP address.  I
have all the ipfw options compiled into the kernel, and natd is started in
/etc/rc.conf.  Firewall type is currently set to "open".

Any thoughts?  

Thanks!!!!
--John Papalia

More information/output is as follows:

merlin# ipfw show
00100 1906013 1239614627 divert 8668 ip from any to any via fxp1
00100     738     111134 allow ip from any to any via lo0
00200   15050    1407642 deny ip from any to 127.0.0.0/8
65000 5803970 4523994054 allow ip from any to any
65100       0          0 allow udp from 10.0.0.0/24 to 127.0.0.1 137
65200       0          0 allow tcp from 10.0.0.0/24 to 127.0.0.1 137
65300       0          0 allow tcp from 10.0.0.0/24 to 127.0.0.0/24 137
65400       0          0 allow tcp from 10.0.0.0/24 to 127.0.0.0/24 138
65500       0          0 allow tcp from 10.0.0.0/24 to 127.0.0.0/24 139
65500       0          0 allow udp from 10.0.0.0/24 to 127.0.0.0/24 137
65500       0          0 allow udp from 10.0.0.0/24 to 127.0.0.0/24 138
65500       0          0 allow udp from 10.0.0.0/24 to 127.0.0.0/24 139
65500       0          0 divert 6668 ip from any to any via tun0
65500       0          0 divert 6668 ip from any to any via fxp1 

The first line I tried deleting quite some time ago - I accidentally had
natd in my services file as 8668 instead of 6668. That has been changed.

My /etc/hosts.allow is as follows... I added in the section for natd in the
hopes it would help...

# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : 127. : allow
ALL : merlin.avalon.com : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
portmap : 127.0.0.1 localhost : allow
portmap : 10.0.0.2 .merlin.avalon.com : allow

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny

# Add in access for swat to occur (added 10.26.99)
# Added per SAMBA pdf file
swat : 127.0.0.1 10.0.0. : allow

# Add in access for natd to write back (added 11.6.99)
# Attempting this to fix write back error
natd : 127. 10. : allow
natd : merlin.avalon.com : allow

# The rest of the daemons are protected. Backfinger and log by email.
ALL : ALL \
        : severity auth.info : spawn (/usr/bin/finger -l @%h | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d  (denied)" root) & \
        : twist /bin/echo "You are not welcome to use %d from %h."


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.19991108190040.009445c0>