Date: Sun, 26 Aug 2001 13:35:09 +0200
From: OliNether <olinether@blacktrap.net>
To: FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: natd[175]: failed to write packet back (Permission denied)
Message-ID: <20010826133509.A1321@blacktrap.net>
Hi,
I'm sure this is a stupid question, but I can't figure out what's going on here.
I have a VPN set up with an ssh tunnel over ppp, directed to a couple of
FreeBSD boxen at work etc. A couple of weeks ago I started to get many of
the following messages in the system log, every couple of seconds or so:
natd[175]: failed to write packet back (Permission denied)
sshd[312]: fatal: Write failed: Permission denied
So I checked /var/log/security and noticed that this rule was blocking the
packets:
# Stop RFC1918 nets on the outside interface
add deny log all from any to 192.168.0.0/16 via EXTERN_IFACE
(where EXTERN_IFACE is my external NIC, ed0)
Here is an example of what was in /var/log/security:
/kernel: ipfw: 1400 Deny TCP xxx.xx.218.22:1602 192.168.66.8:80 out via ed0
And many of the same kind of lines with different ports and different source
IPs and VPN destination IPs. This doesn't look suspicious, since xxx.xx.218.22,
for example, is the IP of one of the computers I am connected to through the
VPN, and 192.168.66 is the subnetwork for the VPN IPs.
So it looks like a computer on the VPN is trying to reach another one
through the VPN, but it is weird that this happens through ed0, since the VPN
interfaces are tun0 etc.
Then I changed the rule in the firewall to
add deny log all from any to 192.168.0.0/16 in via EXTERN_IFACE
to avoid those annoying messages, but I'm not sure whether this is safe to do.
And what could cause the packets to go through ed0 instead of the relevant tun?
There are other rules earlier in the firewall to allow normal VPN packets to
pass:
add allow all from 192.168.0.0/16 to 192.168.0.0/16 via tun0
... and the same for the other tuns.
Here is an example of how my ppp.conf looks for the different hosts I am
connected to:
yavin:
# my end: 66.1, yavin end: 66.2
set ifaddr 192.168.66.1 192.168.66.2 255.255.255.255
# routing
add 192.168.4.0/24 HISADDR
set timeout 0
And the corresponding ppp.conf on yavin, for example (ghost is my computer,
which could be seen as acting like a hub box for the different VPN computers):
ghost:
set device "!ssh -i /etc/ppp/ppp.key xxx.xxx.20.230"
set ifaddr 192.168.66.4 192.168.66.3 255.255.255.255
add 192.168.1.0/24 HISADDR
set dial
set timeout 0
And the relevant output of 'netstat -rn' on my computer:
root@ghost:/etc# netstat -rn
Routing tables
Internet:
Destination        Gateway          Flags   Refs  Use   Netif  Expire
default            xxx.xxx.20.1     UGSc      14  120   ed0
127.0.0.1          127.0.0.1        UH         4  1301  lo0
xxx.xxx.20/24      link#1           UC         0  0     ed0    =>
192.168.0.128/25   192.168.66.12    UGSc       0  320   tun3
192.168.1          link#2           UC         0  0     dc0    =>
192.168.2          192.168.66.4     UGSc       0  2     tun0
192.168.4          192.168.66.2     UGSc       0  3     tun1
192.168.66.1       lo0              UHS        0  0     lo0
192.168.66.2       192.168.66.1     UH         1  92    tun1
192.168.66.3       lo0              UHS        0  0     lo0
192.168.66.4       192.168.66.3     UH         1  197   tun0
192.168.66.7       lo0              UHS        0  0     lo0
192.168.66.8       192.168.66.7     UH         1  1371  tun2
192.168.66.11      lo0              UHS        0  0     lo0
192.168.66.12      192.168.66.11    UH         1  325   tun3
Other than those messages, the VPN is working perfectly fine, but I hate
having error messages I don't understand accumulating in the logs.
I'll be glad to provide more info if needed, but the rest of the config is
what you would expect it to be, I think. (Whatever that could mean :P )
Thank you in advance for your help :)
--
OliNether
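An added example, not part of the original post: it parses /var/log/security lines in the format quoted above and splits the denials on the external interface by direction. Since an ipfw `via` clause matches packets in either direction while `in via` matches only inbound ones, the split shows which of the logged entries the changed rule would still catch and which it would stop logging. The sample log lines are constructed; the interface name ed0 is taken from the post.

```python
import ipaddress
import re

# Constructed sample lines in the /var/log/security format quoted in the post.
SAMPLE_LOG = """\
Aug 26 13:30:01 ghost /kernel: ipfw: 1400 Deny TCP xxx.xx.218.22:1602 192.168.66.8:80 out via ed0
Aug 26 13:30:03 ghost /kernel: ipfw: 1400 Deny UDP 10.0.0.5:5353 192.168.4.10:53 in via ed0
Aug 26 13:30:05 ghost /kernel: ipfw: 900 Accept TCP 192.168.66.2:22 192.168.66.1:1024 in via tun1
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def is_private(addr):
    """True for RFC1918 addresses; masked addresses (xxx.xx.*) are treated as public."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def classify(rec, extern_iface="ed0"):
    """Bucket a record by what the post's 'deny ... to 192.168.0.0/16 via ed0' rule hit."""
    if rec["iface"] != extern_iface:
        return "tunnel"              # traffic on a tun interface, not the rule's concern
    if not is_private(rec["dst"]):
        return "other"
    # Both buckets below match 'via ed0'; only the second matches 'in via ed0'.
    return "leak" if rec["dir"] == "out" else "inbound_rfc1918"


def summarize(log_text, extern_iface="ed0"):
    """Count log lines per bucket; 'leak' entries are the post's outbound symptom."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is not None:
            kind = classify(rec, extern_iface)
            counts[kind] = counts.get(kind, 0) + 1
    return counts
```

A non-zero "leak" count means packets addressed to a VPN subnet are being forwarded out the public NIC rather than the tun interface, which points at routing or natd ordering rather than at the rule itself.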