Date:      Tue, 27 Oct 98 15:58:00 -0600
From:      Carol Lyn Deihl <carol@tinker.com>
To:        Can Altineller <altine@ee.fit.edu>
Cc:        mobile@FreeBSD.ORG
Subject:   Re: ipfw and httpd.
Message-ID:  <9810272158.AA07031@localhost>
References:  <Pine.BSF.4.05.9810260405000.594-100000@seraglio.xochi.net>

Can Altineller wrote:

>	in my rc.firewall I have
>
>$fwcmd add pass tcp from any to ${ip} 80 setup
>
>	just as I have for port 22, 23, which work fine. However, when I
>telnet to myhost:80 from an external host, myhost:80 does not respond
>at all. I've tcpdumped such an interaction and figured out that it does
>not SYN back; in other words, it does not connect at all. I've tried various
>other commands such as: ipfw add pass tcp from myip 80 to any setup; and
>that does not seem to be working.

The rule you mentioned allows only the first packet
from a client to reach your web server, but you will need
additional rules for the rest of the packets from the
client, and for the reply packets from your server back
to the client.

I'd suggest rules like the following:

	$fwcmd add pass tcp from any to ${ip} 80 in
	$fwcmd add pass tcp from ${ip} 80 to any out established

The first rule lets clients send packets "in" to your
server. The second rule lets your server send
reply packets ("established") back "out" to the clients.

You may already have a rule near the end of your set
something like this:
	$fwcmd add pass tcp from ${ip} to any out established
Since this rule allows replies to all established
connections, you won't need the second rule above.

Carol Deihl
--
carol@tinker.com
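To see why the single "setup" rule admits the client's SYN and nothing else, here is a small first-match model of ipfw rule evaluation, added as an example for this thread and not ipfw's own code. It walks a TCP handshake through the original rule, through the question's second attempt (a "setup" rule for the server side), and through the suggested "in"/"out established" pair. The keyword semantics are taken from ipfw(8): "setup" matches SYN-without-ACK, "established" matches any packet with ACK or RST set, and an unmatched packet falls to the default deny of a stock kernel. The addresses and ports are constructed for the demonstration.

```python
"""Simplified model of ipfw's first-match rule evaluation.

Added example for this thread, not ipfw's own code. Keyword semantics follow
ipfw(8): "setup" matches a TCP packet with SYN set and ACK clear,
"established" matches a TCP packet with ACK or RST set, and a packet that
matches no rule hits the default rule, which denies in a stock kernel.
The addresses and ports below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional

SERVER = "192.0.2.10"     # stands in for ${ip}
CLIENT = "198.51.100.7"   # an external client
CPORT = 40123             # the client's ephemeral port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" = arriving at the host, "out" = leaving it
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "deny"
    src: str = "any"
    sport: Optional[int] = None      # None = any port
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None  # None = matches both directions
    setup: bool = False
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.setup and not (p.syn and not p.ack):
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; nothing matched means the default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def handshake() -> List[Packet]:
    """SYN in, SYN-ACK out, ACK in, then one data segment out from the server."""
    return [
        Packet(CLIENT, CPORT, SERVER, 80, "in", syn=True),
        Packet(SERVER, 80, CLIENT, CPORT, "out", syn=True, ack=True),
        Packet(CLIENT, CPORT, SERVER, 80, "in", ack=True),
        Packet(SERVER, 80, CLIENT, CPORT, "out", ack=True),
    ]


def evaluate(rules: List[Rule]) -> List[str]:
    """Verdict for each handshake packet, in order."""
    return [verdict(rules, p) for p in handshake()]


# The original rule: only the client's SYN matches "setup".
SETUP_ONLY = [Rule("pass", dst=SERVER, dport=80, setup=True)]

# The other attempt from the question: the SYN-ACK carries ACK, so "setup"
# never matches the server's reply either.
SETUP_BOTH_WAYS = SETUP_ONLY + [Rule("pass", src=SERVER, sport=80, setup=True)]

# The suggested pair: anything in to port 80, replies out with ACK set.
SUGGESTED = [
    Rule("pass", dst=SERVER, dport=80, direction="in"),
    Rule("pass", src=SERVER, sport=80, direction="out", established=True),
]

if __name__ == "__main__":
    for name, rules in [("setup only", SETUP_ONLY),
                        ("setup both ways", SETUP_BOTH_WAYS),
                        ("suggested", SUGGESTED)]:
        print(f"{name:16s} {evaluate(rules)}")
```

With "setup only" and "setup both ways" the client's SYN passes and every later packet, including the server's SYN-ACK, is denied, which is exactly the "no SYN back" seen in tcpdump; with the suggested pair all four packets pass. Note that "established" matches on TCP flags alone, so the "in" rule admits any packet addressed to port 80, not only new connections; that is the trade-off of a stateless ruleset.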
