natd firewall machine freezing

Post by davi » Sat, 19 Dec 1998 04:00:00

Hi,

I have a firewall machine running FreeBSD 2.2.7, 32MB RAM, 2 ethernet
cards (ed0, ed1), natd 1.11 (or maybe 1.12, I can't remember how to
check) and BIND 8.  For some reason, it freezes when a machine on the
inside tries to ftp to anything outside the firewall.  This doesn't
happen all the time, but every time I go to ftp or cvsup, I have to cross
my fingers.  Here are some details:

From /etc/rc.conf

    gateway_enable="YES"
    router_enable="YES"
    router="routed"
    router_flags="-q"
    natd_enable="YES"
    natd_interface="ed1"
    natd_flags="-config /etc/natd.cf"

From /etc/natd.cf

    log             yes
    deny_incoming   yes
    use_sockets     yes
    same_ports      yes
    #verbose                yes
    # Divert port. Can be a name in /etc/services or numeric value.
    #port           32000
    interface       ed1
    unregistered_only       no

From /etc/rc.firewall

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ed1"
    onet="www.xxx.yyy.0"
    omask="255.255.255.0"
    oip="www.xxx.yyy.zzz"

    # set these to your inside interface network and netmask and ip
    iif="ed0"
    inet="192.168.1.0"
    imask="255.255.255.0"
    iip="192.168.1.1"

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add allow all from ${inet}:${imask} to any
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
    $fwcmd add allow all from ${onet}:${omask} to any

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    #  $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow incoming ftp data - it's on a different port than control:
    # data is on port 20, control on 21
    $fwcmd add pass tcp from any 20 to ${oip} setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Everything else is denied as default.

I also get mail in the morning from this machine and I always see
something like the following:

    Dec 17 02:00:17 <1.1> babel natd:   failed to write packet back (No route to host)
    Dec 17 02:00:49 <1.1> babel last message repeated 11 times
    Dec 17 02:02:50 <1.1> babel last message repeated 89 times
    Dec 17 02:12:53 <1.1> babel last message repeated 126 times
    Dec 17 02:17:58 <1.1> babel last message repeated 128 times

At 2 AM, the firewall machine sends mail to my mailserver for me, so
that's what is producing this message, but why is the question.

Any help would be greatly appreciated.

david
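Before chasing the cause, it helps to know how many natd write failures the nightly mail run actually produces and how fast they arrive, since syslog folds most of them into "last message repeated N times" lines. The script below is an added example (not from the post or from FreeBSD) that expands those repeat lines back into individual events and summarises the natd failures; the log excerpt is the one quoted above, rejoined onto single lines, and the year (1998) is assumed because syslog omits it.

```python
import re
from datetime import datetime

# Constructed sample: the natd syslog excerpt quoted in the post, with the
# wrapped first line rejoined. Syslog lines carry no year, so one is assumed.
SAMPLE_LOG = """\
Dec 17 02:00:17 <1.1> babel natd:   failed to write packet back (No route to host)
Dec 17 02:00:49 <1.1> babel last message repeated 11 times
Dec 17 02:02:50 <1.1> babel last message repeated 89 times
Dec 17 02:12:53 <1.1> babel last message repeated 126 times
Dec 17 02:17:58 <1.1> babel last message repeated 128 times
"""

# timestamp, optional "<facility.level>" tag, hostname, message
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?:<[\d.]+> )?(\S+) (.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")


def expand_repeats(text, year=1998):
    """Yield (timestamp, host, message), turning each syslog
    'last message repeated N times' line into N copies of the message
    that preceded it. The repeats are stamped with the summary line's time,
    which is when syslog flushed them, not when each one occurred."""
    last = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore anything that is not a syslog line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host, msg = m.group(2), m.group(3)
        rep = REPEAT_RE.match(msg)
        if rep and last is not None:
            for _ in range(int(rep.group(1))):
                yield ts, host, last
        else:
            last = msg
            yield ts, host, msg


def summarize_natd_failures(text, year=1998):
    """Count natd 'failed to write packet back' events and the window they span."""
    events = [ts for ts, _host, msg in expand_repeats(text, year)
              if msg.startswith("natd:") and "failed to write packet back" in msg]
    if not events:
        return {"count": 0, "first": None, "last": None, "per_minute": 0.0}
    first, last = events[0], events[-1]
    minutes = max((last - first).total_seconds() / 60.0, 1.0)  # avoid divide by zero
    return {"count": len(events), "first": first, "last": last,
            "per_minute": round(len(events) / minutes, 1)}
```

Run against the quoted excerpt this reports 355 failures between 02:00:17 and 02:17:58, roughly 20 per minute, which is a useful number to compare against the size of the outgoing mail queue at that hour.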