The FreeBSD Diary

Providing practical examples since 1998

FreeBSD Support
 Natd Failed to Write Packet back
Author: Mike 
Date:   04-07-00 09:59

Hi,

I am getting a constant error in FreeBSD 4.0 with natd. It goes like this:

natd[88]: failed to write packet back (host is down). Static IP address and only happens when connected to the ISP, change the IP address and run it locally as a gateway, no errors? Ran a packet trace and found nothing. Please help! I am on a cable modem...shut down all local machines on the LAN and still got the problem. mesg n works well, but does not solve the issue :) If I unplug from the cable modem, I do not get the error. I disabled all services that may need a connection. arp -a shows one (incomplete) [ethernet] error on a broadcast address. My ISP blocks me from that address anyway...I am x.x.31.x/21 and I cannot talk to x.x.30.x/21 or x.x.29.x/21 for security reasons and the incomplete is on x.x.29.255. I would appreciate any help...yes, I have tried ipnat and IPF, but could not ping to the world from a workstation. That is a convenience that I would like to have.

Thanks,
Mike

 RE: Natd Failed to Write Packet back
Author: Dan Langille 
Date:   04-07-00 11:42

I'm sorry this is not helpful, but I see this problem so many times and I've never had an explanation for it. I hate to say it, but this is one of the reasons why I stick with ipf/ipnat. I've never had trouble setting that combination up. Perhaps it's luck or just my experience with it.

If you couldn't ping the world from a workstation, it's your firewall rules. I can do. If you still want to give ipf a try, set it back up and I'll post the firewall rules dealing with icmp.

 RE: Natd Failed to Write Packet back
Author: Mike Haukoos 
Date:   04-07-00 22:44

Dan,

Thanks for replying! When I had IPF running, I set my ipf.rules to pass in all pass out all. I thought that would let me do anything. If not, please post the ICMP rules that will let me ping from my workstations to the world. I would really appreciate it!


 RE: Natd Failed to Write Packet back
Author: Dan Langille 
Date:   05-07-00 02:10

err, hold on, was ping the only thing that wasn't working? I suspect your NAT wasn't working. Could the workstations browse to the outside world?

See http://freebsddiary.org/natrules.html

 RE: Natd Failed to Write Packet back
Author: Mike Haukoos 
Date:   05-07-00 04:03

I was browsing everywhere and going all over the place. All that I could not do is ping from my workstations to the world...I could browse and everything else. A tracert would get to my IPNAT machine and trace no farther. Other than that, it was great! I followed the same link before I set it up and found it rather easy to get going...I was running IPF 3.4.6...perhaps it is that version that is the problem.

Thanks Again,
Mike

 RE: Natd Failed to Write Packet back
Author: Dan Langille 
Date:   05-07-00 05:04

OK. If you had no firewall rules, and everything worked except PING, I suggest giving it another try. Provide full details of your setup including IP addresses and interface names and show the firewall rules and nat rules to the ipfilter mailing list.

 RE: Natd Failed to Write Packet back
Author: Mike Haukoos 
Date:   05-07-00 08:37

Well Dan,

Redid IPFilter and put no rules in the ipf.rules file and lo and behold...everything works! Now it is time to build the firewall rules! Thanks for all of your help!

Mike Haukoos

 ipf/ipnat
Author: Dan Langille 
Date:   06-07-00 02:15

I think you'll find that ipf and ipnat will provide much less stress. Just remember: ipf is last match, not first match. And use those rule groups. It'll make things easier. With rule groups, your rules become a tree, not a linear list. With very large rule sets, this has much greater potential for speed.

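The last-match and rule-group points from the final post above, sketched as an ipf.rules fragment. This is an added example, not rules posted by anyone in the thread; the interface names xl0 (external) and xl1 (internal) and the 192.168.0.0/16 spoof filter are assumptions.

```conf
# ipf.rules sketch (constructed example).
# Assumed names: xl0 = external interface, xl1 = internal interface.

# --- Last match, not first match -----------------------------------
# Without "quick", ipf reads the whole list and the LAST matching rule
# decides. In this order the block rule wins and nothing leaves xl0:
#   pass  out on xl0 all
#   block out on xl0 all
# So write the default first and the exceptions after it, or mark the
# exceptions "quick" so evaluation stops at that rule.

# --- Rule groups ----------------------------------------------------
# A packet is only tested against a group's rules if it matches the
# head rule; the head's action (block here) is the group's default.
# Each packet walks one short branch instead of the whole list.
block in  on xl0 all head 100
block out on xl0 all head 150

# Group 100: inbound on the external interface.
# Nothing unsolicited is passed; replies come back in through the
# state entries created by the "keep state" rules in group 150.
block in log quick from 192.168.0.0/16 to any group 100

# Group 150: outbound on the external interface, stateful.
pass out quick proto tcp  from any to any flags S keep state group 150
pass out quick proto udp  from any to any keep state group 150
# ICMP with state lets echo requests out and their replies back in.
pass out quick proto icmp from any to any keep state group 150

# Internal interface and loopback: trusted in this sketch.
pass in  quick on xl1 all
pass out quick on xl1 all
pass in  quick on lo0 all
pass out quick on lo0 all
```

Packets on xl1 and lo0 never match either head rule, so they skip both groups and are decided by the four quick rules at the bottom.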