Date:      Tue, 1 Aug 2000 01:17:09 +0200
From:      Shaun Jurrens <shaun@shamz.net>
To:        net@FreeBSD.ORG
Subject:   connections via natd dying in natd
Message-ID:  <20000801011709.B4159@dakota.priv.shamz.net>

Hi all,

I have been struggling with this problem for a number of months, actually.  I
had it using 3-STABLE boxes and now with one 4-STABLE through the 3(.5)-STABLE
natd gateway, the same problem occurs.  The problem: connections via natd
suddenly drop and simultaneously, I get errors on the console for the gateway
box that natd has "failed to write the packet back (Permission denied)".  This
is almost exclusively with ssh connections (mostly because they are the most
constant long time connections I have to notice this behavior).

I have searched the lists and done the arp -s to set a permanent arp setting on
all interfaces.  I am also on a cable modem (chello). Even stranger, if I don't
wait for the session to time out and kill the xterm, the connection stays up on
the foreign host for _days_ (there are currently zombie sessions alive that are
more than a week old). I do _not_ have the same behavior if I log to/from the
gateway box to/from a foreign host.  I find this more than a little disturbing.

Well, down to the OS specifics:

FreeBSD johnny 3.5-STABLE FreeBSD 3.5-STABLE #0: Sat Jun 24 23:35:28 CEST 2000

natd_flags="-f /etc/natd.conf"

/etc/natd.conf 

log yes
unregistered_only yes
use_sockets yes
dynamic yes
interface xl0

some relevant sysctl's: 

net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 230
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 1320
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 5

net.inet.tcp.rfc1323: 1
net.inet.tcp.rfc1644: 0
net.inet.tcp.mssdflt: 512
net.inet.tcp.rttdflt: 3
net.inet.tcp.keepidle: 1200
net.inet.tcp.keepintvl: 150
net.inet.tcp.sendspace: 16384
net.inet.tcp.recvspace: 16384
net.inet.tcp.keepinit: 150
net.inet.tcp.log_in_vain: 1
net.inet.tcp.delayed_ack: 1
net.inet.tcp.restrict_rst: 1
net.inet.tcp.pcbcount: 23
net.inet.tcp.always_keepalive: 1

An additional and perhaps related problem is one with passive ftp.  I should
probably take an entire mail for it alone, but suffice it to say, active ftp
works if I open the ports, but passive ftp causes the same failed packet errors.
I know how passive ftp works and if I open ports from > 1024 to those (at least
for fbsd ftpd's) on the server 49152-65535, I should be able to initiate a data
channel. Well, I have had no success. The rule that I propose should work, looks
like this: 

$fwcmd add 10202 allow tcp from ${intnet}:${intmask} 1025-65535 to any 49152-65535
setup keep-state (wrapped here with <CR>)

I've tried to tcpdump the connections, but it's a little difficult to watch so
many things at the same time: natd aliases, two tcpdumps, and fw rules.  I don't
see anything hitting a rule either.  The first problem is more aggravating.  The
second one I have an awkward hack for.  Guess I could use some suggestions from
people more knowledgeable than I....

A final plea as long as I'm begging anyway: Could someone fix the mailing list
search engine?  If I can help with it let me know.  I use it often, and it is a
constant source of frustration, because it is so broken.  

I'd appreciate a CC as well, because I prefer to track the lists via web.
Thanks in advance for any assistance.


-- 

Yours truly,

Shaun D. Jurrens
shaun@shamz.net
shamz@freenix.no


IRCNET nick: shamz #chillout #unix #FreeBSD
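An added check, not part of the mail above: it parses the ipfw/TCP sysctl values quoted in the post and compares the dynamic-rule lifetime against the TCP keepalive timer, which is what decides whether an idle keep-state entry is refreshed before it expires. It assumes FreeBSD 3.x units (keepidle in half-second ticks, dyn_*_lifetime in seconds); the sample dump is constructed from the values in the post.

```python
"""Audit ipfw dynamic-rule lifetimes against TCP keepalive settings.

Added example, not from the original mail. Assumes FreeBSD 3.x units:
net.inet.tcp.keepidle/keepintvl count half-second ticks (PR_SLOWHZ = 2)
and net.inet.ip.fw.dyn_*_lifetime are seconds.
"""

# Constructed sample: sysctl lines as sysctl(8) prints them, values from the post.
SYSCTL_DUMP = """\
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 230
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 1320
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.tcp.keepidle: 1200
net.inet.tcp.keepintvl: 150
net.inet.tcp.always_keepalive: 1
"""

PR_SLOWHZ = 2  # assumption: 3.x keepalive timers are half-second ticks


def parse_sysctl(dump: str) -> dict:
    """Parse 'name: value' lines into a dict; numeric values become ints."""
    out = {}
    for line in dump.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        out[key.strip()] = int(val) if val.lstrip("-").isdigit() else val
    return out


def audit(s: dict) -> list:
    """Return (severity, message) findings about state-table capacity and lifetimes."""
    findings = []
    count, maximum = s["net.inet.ip.fw.dyn_count"], s["net.inet.ip.fw.dyn_max"]
    usage = count / maximum
    if usage > 0.8:
        findings.append(("warn", f"dynamic rule table {usage:.0%} full ({count}/{maximum})"))
    # An idle established flow keeps its keep-state entry for dyn_ack_lifetime.
    # With always_keepalive=1 the kernel probes after keepidle; the probe only
    # refreshes the entry if it arrives before that lifetime has elapsed.
    ack_life = s["net.inet.ip.fw.dyn_ack_lifetime"]
    keepidle_s = s["net.inet.tcp.keepidle"] / PR_SLOWHZ
    if s.get("net.inet.tcp.always_keepalive") != 1:
        findings.append(("info", "always_keepalive off; idle flows depend on application traffic"))
    if keepidle_s >= ack_life:
        findings.append(("warn", f"keepidle {keepidle_s:.0f}s >= dyn_ack_lifetime {ack_life}s"))
    else:
        findings.append(("ok", f"keepidle {keepidle_s:.0f}s < dyn_ack_lifetime {ack_life}s"))
    return findings
```

Run it against `sysctl -a | grep -e net.inet.ip.fw -e net.inet.tcp` output on the gateway to see whether the keep-state lifetime or the table size is the limiting factor.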


