Date:      Mon, 18 Sep 2000 10:00:42 CDT
From:      "Konan Houphoue" <bahobab@hotmail.com>
To:        ari@suutari.iki.fi, cjclark@alum.mit.edu, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org
Subject:   Port 80 redirect: Good news!!
Message-ID:  <F135rByg67HF4x0Hgx10000d75b@hotmail.com>

Thanks to all of you who tried to help me with this problem.
And I agree with Ari about the rules at the beginning of /etc/rc.firewall.

A little reminder.
The issue was that I'm trying to redirect all tcp/port 80 requests that 
arrive on the outside interface of my firewall to an IIS server that resides 
on my internal private network.
Before the idea to redirect port 80, my web pages were served by Apache 1.3 
on the firewall server, and everything was working just fine.

So I was advised to use the "-redirect_port proto targetIP:port port" flag 
in /etc/rc.conf:

firewall_enable="YES"
firewall_type="simple"
natd_flags="-redirect_port tcp 192.168.1.40:80 80"

But the port forwarding rule was not working.
However, with firewall_type="open", the forwarding works.

I tried all the suggestions I received but the forwarding always fails if 
firewall_type="simple".

Then I went on to comment out the rules one by one.
Here's the rule in the "simple" section of /etc/rc.firewall that's blocking 
the forwarding:

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

When this rule is commented, everything works well.

Now could you tell me whether doing so opens a security breach?

Here's the "simple" section of /etc/rc.firewall:

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="fxp0"
	onet="207.208.254.0"
	omask="255.255.255.0"
	oip="207.208.254.234"

	# set these to your inside interface network and netmask and ip
	iif="xl0"
	inet="192.168.1.0"
	imask="255.255.255.0"
	iip="192.168.1.2"


	#/sbin/ipfw add divert natd all from any to any via oif

	# Stop draft-manning-dsua-01.txt nets on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
	${fwcmd} add pass udp from any to ${oip} 53
	${fwcmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to ${oip} 80 setup

	#My rules
	#${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup
	#${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from any 53 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from any 123 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

Thanks a lot,

Konan
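An added example, not part of this thread or of the FreeBSD rc.firewall script: an sh fragment in the style of the "simple" section above, with fwcmd set to echo so it only prints the rules it would load, showing the narrower alternative to commenting out the deny/log rule. The assumption it rests on is that the divert rule sits ahead of the filter rules (as the stock rc.firewall places it when natd is enabled), so natd has already rewritten the destination of an inbound port-80 packet to the server named in natd_flags (192.168.1.40) by the time the filter rules see it; the "to ${oip} 80" rule therefore no longer matches, and the packet falls through to the catch-all deny. The helper names gen_rules and rule_order_ok are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from rc.firewall): the "simple"
# section with a narrow allow rule for the redirected web server placed
# before the catch-all deny.  fwcmd is "echo" so the script only prints
# the rules it would load; set it to /sbin/ipfw to apply them on a host.
fwcmd="echo"

# Addresses taken from the ruleset quoted in the thread.
oif="fxp0"
oip="207.208.254.234"
iif="xl0"
inet="192.168.1.0"
imask="255.255.255.0"
webserver="192.168.1.40"   # internal IIS host named in natd_flags

gen_rules() {
    # Assumption: the divert rule runs first, so natd rewrites the
    # destination of inbound port-80 packets to ${webserver} before the
    # rules below see them.  A rule naming the translated destination is
    # what lets the redirected connection through; the catch-all deny
    # stays in place for every other inbound SYN.
    ${fwcmd} add divert natd all from any to any via ${oif}
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass tcp from any to ${oip} 25 setup
    ${fwcmd} add pass tcp from any to ${webserver} 80 in via ${oif} setup
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add pass tcp from any to any setup
}

# Sanity check on the generated list: the narrow allow for the web server
# must precede the catch-all deny, otherwise the deny wins and the
# redirect fails exactly as described in the thread.  Returns 0 if the
# order is right, 1 otherwise.
rule_order_ok() {
    rules=$(gen_rules)
    allow_line=$(printf '%s\n' "$rules" \
        | grep -n "pass tcp from any to ${webserver} 80 in via ${oif} setup" \
        | cut -d: -f1)
    deny_line=$(printf '%s\n' "$rules" \
        | grep -n "deny log tcp from any to any in via ${oif} setup" \
        | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]
}

gen_rules
rule_order_ok && echo "ok: web-server allow precedes the catch-all deny"
```

Compared with removing the deny/log rule, this keeps inbound connection setups to every other internal host and to every other port on the firewall blocked and logged; only SYNs that natd has already mapped to 192.168.1.40 port 80 are admitted. Whether the web server itself should be reachable from the outside at all is a separate question from the ruleset order.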


----Original Message Follows----
From: "Ari Suutari" <ari@suutari.iki.fi>
To: "Konan Houphoue" <bahobab@hotmail.com>
Subject: Re: Port 80 redirect
Date: Mon, 18 Sep 2000 09:05:15 +0300
MIME-Version: 1.0
Received: from [213.28.98.4] by hotmail.com (3.2) with ESMTP id 
MHotMailBB8EFB9D00BFD821EECED51C620412570; Sun Sep 17 23:05:19 2000
Received: from coffee (adsl-nat.syncrontech.com [213.28.98.3])by 
osku.suutari.iki.fi (8.9.3/8.9.3) with SMTP id JAA85067for 
<bahobab@hotmail.com>; Mon, 18 Sep 2000 09:05:16 +0300 (EEST)(envelope-from 
ari@suutari.iki.fi)
From ari@suutari.iki.fi Sun Sep 17 23:08:46 2000
Message-ID: <004501c02136$6a9627f0$0e05a8c0@intranet.syncrontech.com>
References: <F80cnVRJcKTJ461mgNP0000bce3@hotmail.com>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600

Hi,

Your rc.firewall doesn't look good. First, I wouldn't add rules
as you have done to the beginning of it - it won't work since
the variables you are referring to (fwcmd, inet etc...) are not yet
defined at that point.

A better way might be to choose the most suitable of the
provided choices; I think the "simple" one might work for you.
So, set firewall_type to "simple" in /etc/rc.conf and
edit that part in /etc/rc.firewall to match your needs.

There is also one catch: you shouldn't have
lines like

  ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
  ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

since these rules forbid any traffic to your internal network.

     Ari S.

----- Original Message -----
From: "Konan Houphoue" <bahobab@hotmail.com>
To: <ari@suutari.iki.fi>
Sent: 15 September 2000 17:17
Subject: Re: Port 80 redirect


 > Ari,
 >
 > There's something new:
 >
 > Setting the firewall_type="open"
 > works well.
 > but if it is set to "simple" or "client"
 > the port forwarding fails.
 > So, some rules in the firewall are causing the problems.
 >
 > Attached are my configuration files:
 >
 > Thanks
 >
 >
 > ----Original Message Follows----
 > From: "Ari Suutari" <ari@suutari.iki.fi>
 > To: "Konan Houphoue" <bahobab@hotmail.com>
 > Subject: Re: Port 80 redirect
 > Date: Fri, 15 Sep 2000 08:39:30 +0300
 > MIME-Version: 1.0
 > Received: from [213.28.98.4] by hotmail.com (3.2) with ESMTP id
 > MHotMailBB8B0115006CD821EEE4D51C620411AE0; Thu Sep 14 22:39:34 2000
 > Received: from coffee (adsl-nat.syncrontech.com [213.28.98.3])by
 > osku.suutari.iki.fi (8.9.3/8.9.3) with SMTP id IAA74360for
 > <bahobab@hotmail.com>; Fri, 15 Sep 2000 08:39:31 +0300
(EEST)(envelope-from
 > ari@suutari.iki.fi)
 > >From ari@suutari.iki.fi Thu Sep 14 22:40:00 2000
 > Message-ID: <00bf01c01ed7$529fa510$0e05a8c0@intranet.syncrontech.com>
 > References: <F13tDN6LCDs8r1v87pI0000f542@hotmail.com>
 > X-Priority: 3
 > X-MSMail-Priority: Normal
 > X-Mailer: Microsoft Outlook Express 5.00.2919.6600
 > X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
 >
 > Hi,
 >  >
 >  > >>Set firewall_type="open" and it did not help.
 >  > gateway_enable="yes" already existed
 >  > defaultrouter="207.208.254.1" #that's on the ISP side
 >  >
 >  > Should I specify a router to the IIS machine?
 >  >
 >
 >      The default gateway on IIS machine should be
 >      the address of your natd box.
 >
 >
 >              Ari S.
 >
 >
 >
 >





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message



