Wietse Venema:
> Noel Jones:
> > With postfix-2.9-RC2 on FreeBSD 8.1
> >
> > I assume the "Operation not permitted" message is an artifact of
> > writing to a disconnected socket or such and nothing to worry
> > about? Only happens on a small percentage of connections rejected
> > by postscreen.
>
> Network writes can fail for all kinds of reasons, and therefore
> postscreen reports only unusual errors. EPERM after writing to a
> socket is unusual, because UNIX systems don't change read/write
> permissions *after* a file handle is created.

Apparently, FreeBSD packet filters can return an EPERM error when a
packet does not match a valid state. Citing from
http://osdir.com/ml/freebsd-bugs/2006-04/msg00309.html:

One explanation why you'd see EPERM is that in FreeBSD, the pfil
wrapper simply returns pf_test()'s return value. This is either
PF_PASS (0) or PF_DROP (1), and 1 is also the value of EPERM, by
coincidence. On OpenBSD and NetBSD, the return value PF_DROP of
pf_test() is mapped to errno 65 EHOSTUNREACH, as that is one existing
errno that most network related syscalls that can now additionally
fail due to pf blocking can return otherwise already (according to
their individual man pages).

So that could explain the EPERM (which has errno of 1).

Wietse
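
The errno collision described in this message, as an added example that is not part of the original thread and is not Postfix or pf code: a C model of the two hook behaviours, plus a hypothetical triage function a daemon could use when logging failed socket writes. The function names and the grouping of errno values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* pf verdict values as given in the cited message. */
enum { PF_PASS = 0, PF_DROP = 1 };

/* Model of the FreeBSD behaviour described above: the wrapper hands the
 * verdict back unchanged, so PF_DROP (1) reaches the caller as errno 1. */
static int hook_passthrough(int verdict) { return verdict; }

/* Model of the OpenBSD/NetBSD behaviour: PF_DROP becomes EHOSTUNREACH. */
static int hook_mapped(int verdict)
{
    return verdict == PF_DROP ? EHOSTUNREACH : 0;
}

/* Hypothetical log triage for the errno left by a failed socket write. */
enum write_class { WRITE_OK, PEER_GONE, POSSIBLE_FILTER_DROP, UNEXPECTED };

static enum write_class classify_write_error(int err)
{
    switch (err) {
    case 0:
        return WRITE_OK;
    case EPIPE: case ECONNRESET: case ETIMEDOUT:
        return PEER_GONE;             /* remote end went away */
    case EPERM:                       /* FreeBSD: may be a leaked PF_DROP */
    case EHOSTUNREACH:                /* OpenBSD/NetBSD mapping, or a real routing failure */
        return POSSIBLE_FILTER_DROP;  /* check packet filter state and logs */
    default:
        return UNEXPECTED;
    }
}

int main(void)
{
    static const char *label[] = { "ok", "peer gone",
                                   "possible packet filter drop", "unexpected" };
    int leaked = hook_passthrough(PF_DROP);
    int mapped = hook_mapped(PF_DROP);

    printf("pass-through: errno %d (%s) -> %s\n", leaked, strerror(leaked),
           label[classify_write_error(leaked)]);
    printf("mapped:       errno %d (%s) -> %s\n", mapped, strerror(mapped),
           label[classify_write_error(mapped)]);
    return 0;
}
```

The numeric value of EHOSTUNREACH differs between operating systems, so the code compares against the symbolic constant rather than 65.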