Date:      Fri, 19 Jan 2001 08:06:34 -0500
From:      Bill Moran <wmoran@mail.iowna.com>
To:        cjclark@alum.mit.edu
Cc:        questions@FreeBSD.ORG
Subject:   Re: SOLVED (Re: natd & failed to write packet back)
Message-ID:  <3A683BD9.C7F0F881@mail.iowna.com>
References:  <3A63C754.AEA088A@mail.iowna.com> <001b01c07fd2$d9dd69c0$6100000a@vladsempire.net> <3A67CC45.931BC1C4@mail.iowna.com> <20010118232412.E66998@rfx-216-196-73-168.users.reflex>

"Crist J. Clark" wrote:
> > In this case, the firewall/proxy/nat machine is also running
> > smtp/pop3/nfs/http/dns. In tweaking the firewall rules to allow what I
> > wanted to allow, and disallow what I didn't, I somehow got a loop
> > started.
> 
> Loop? I don't think there was a loop.

Alright, technically it wasn't a loop ... but it sure seemed like a loop
at the time. It was ... an unnecessary detour.

> > Overall, I'm not sure how to explain -but here's what I found:
> > A lot of machines on the internal net were sending out a lot of SNMP
> > traffic. This firewall doesn't do SNMP, but the internal interface was
> > basically set up to accept everything.
> > Now for some reason, when SNMP messages came in, they were being
> > translated (through nat) to the IP of the second interface,
> 
> Because the destination address was outside the firewall?

No, the destination address was an IP on the private side. Kind of odd that
it was translating it. I'm still trying to figure out exactly what I had
going on.

> > which would
> > then reply that the port wasn't available.
> 
> Hmmm... You were getting ICMP port unreachables? Are you sure?

Yep, because port 161 WAS unavailable. It was disabled.

> > But nat would turn this into
> > "failed to write packet back (permission denied)"
> 
> If the SNMP packets were going through natd on the outer interface and
> then being blocked by the firewall, that is the expected message.

Yup, makes perfect sense once I finally figured out what was occurring.

> > So I put this rule near the beginning:
> >
> > add allow ip from ${inet}:${imask} to ${iip} via ${iif}
> 
> Now you can't connect to the Internet from your internal machines?
> That is a fix? Or do you have some other rules to pass traffic to the
> Internet?

No, it works fine. Why would it block the internal machines from the
internet? Packets specifically destined for the firewall arrive there
with no extra translation/routing occurring. Packets destined to leave
the subnet arrive at the firewall with a destination IP outside the
subnet, skip this rule and are translated by a divert rule further down
the ruleset and head out onto the `net.

-Bill


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A683BD9.C7F0F881>