Date: Fri, 28 Sep 2001 09:26:19 -0700 From: Chip <chip@wiegand.org> To: freebsd-questions@FreeBSD.ORG Subject: natd permission denied on bootup Message-ID: <01092809261905.96094@chip.wiegand.org>
next in thread | raw e-mail | index | archive | help
I am setting up another machine to replace my currant firewall/natd box. I
have installed 4.4-release, recompiled the kernel for firewall & ipdivert,
set up the rc.firewall, natd.conf, rc.conf, resolv.conf files.
Both nics ping each other and other machines on the inside network, and
answer to pings from other machines inside the network.
When the machine boots up I get the following messages:
natd: failed to write packet back (permission denied)
routed: send bcast sendto(xl0): permission denied
starting final network daemons: firewall, routed: sendto(dc0): permission
denied.
Any ideas what's going one here? I have verified all the files with the
existing firewall box and it's been working fine for a couple years.
I have included the relevant files text below.
Here's a bit of my dmesg, unfortunately, it didn't go long enough to show the
errors (the ones mentioned above):
-------------------------------------
Copyright (c) 1992-2001 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988,
1989, 1991, 1992, 1993, 1994
The Regents of the University of California.
All rights reserved.
FreeBSD 4.4-RELEASE #0: Thu Sep 27 19:58:43 GMT 2001
root@firewall.wiegand.org:/usr/src/sys/compile/WIEGAND
<snipped>
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0xf400-0xf47f
mem 0xffadff80-0xffadffff irq 11 at device 9.0 on pci0
xl0: Ethernet address: 00:50:da:06:ef:1f
miibus0: <MII bus> on xl0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: <LC82C115 PNIC II 10/100BaseTX> port 0xf600-0xf6ff
mem 0xffadfe00-0xffadfeff irq 10 at device 11.0 on pci0
dc0: Ethernet address: 00:a0:cc:e4:87:a5
miibus1: <MII bus> on dc0
dcphy0: <Intel 21143 NWAY media interface> on miibus1
dcphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
<snipped>
IP packet filtering initialized, divert enabled,
rule-based forwarding disabled,
default to deny, logging limited to 100 packets/entry by default
ad0: 3089MB <Maxtor 83249D3> [6278/16/63] at ata0-master UDMA33
(null): MODE_SENSE_BIG - UNIT ATTENTION asc=29 ascq=00 error=04
acd0: CDROM <CD-ROM CDU55E> at ata0-slave using PIO0
Mounting root from ufs:/dev/ad0s1a
-- -------------------------------------------
Here's ifconfig -a
---------------------------------------------
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::250:daff:fe06:ef1f%xl0 prefixlen 64 scopeid 0x1
ether 00:50:da:06:ef:1f
media: Ethernet autoselect (10baseT/UTP)
status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 66.114.152.128 netmask 0xfffff800 broadcast 66.114.159.255
inet6 fe80::2a0:ccff:fee4:87a5%dc0 prefixlen 64 scopeid 0x2
ether 00:a0:cc:e4:87:a5
media: Ethernet autoselect (10baseT/UTP)
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8000<MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet 127.0.0.1 netmask 0xff000000
----------------------------------------------
Here's natd.conf
----------------------------------------------
use_sockets yes
port 8668
log
unregistered_only
redirect_port tcp 192.168.1.14:80 80
----------------------------------------------
Here's netstat -rn
----------------------------------------------
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 66.114.152.1 UGSc 5 53 dc0
66.114.152/21 link#2 UC 2 0 dc0
66.114.152.1 link#2 UHLW 3 0 dc0
66.114.159.255 ff:ff:ff:ff:ff:ff UHLWb 0 1 dc0
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.1 link#1 UC 0 0 xl0
<inet6 stuff snipped>
----------------------------------------------
Here's rc.conf
----------------------------------------------
# -- sysinstall generated deltas -- # Tue Sep 25 22:38:43 2001
# Created: Tue Sep 25 22:38:43 2001
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
network_interfaces="xl0 dc0 lo0"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"
gateway_enable="YES"
natd_interface="dc0"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
router_enable="YES"
defaultrouter="66.114.152.1"
hostname="firewall.wiegand.org"
ifconfig_xl0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_dc0="inet 66.114.152.128 netmask 255.255.248.0"
moused_enable="YES"
moused_port="/dev/cuaa1"
moused_type="mouseman"
sendmail_enable="NO"
sshd_enable="YES"
------------------------------------------------
Here's rc.firewall
------------------------------------------------
# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
fwcmd="/sbin/ipfw"
# Outside nic
oif="dc0"
onet="66.114.152.0"
omask="255.255.255.128"
oip="66.114.152.128"
# Inside nic
iif="xl0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.10"
# ISP's DNS numbers
dns1="207.115.64.222"
dns2="207.115.64.223"
${fwcmd} -f flush
# allow loopbacks, deny imposters
$[fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Natd
${fwcmd} add divert natd all from any to any via ${natd_interface}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53 keep-state
${fwcmd} add pass udp from any to ${dns2} 53 keep-state
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any
# Allow local SMB traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}
# Allow inside machines to log to us
${fwcmd} add pass log udp from any to any 514 via ${iif}
# Allow outbound traceroute
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
# Allow all icmp on internal
${fwcmd} add pass icmp from any to any via ${iif}
# Allow outbound pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
# Allow other icmp types
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
# Deny all other icmp types
${fwcmd} add deny icmp from any to any
# Reject broadcasts from the oif
${fwcmd} add 63000 deny ip from any 0.0.0.255:0.0.0.255 in via ${oif}
# Reject and log smb connections from oif
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}
# Reject and log all other connections from oif
${fwcmd} add 65000 deny log ip from any to any via ${oif}
# Everything else is denied by default in the kernel WIEGAND
--------------------------------------------------
Thanks for your assistance,
--
Chip W.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01092809261905.96094>