Date:      Mon, 18 Sep 2000 15:06:37 -0700 (PDT)
From:      Benjamin Gavin <virtual_olympus@yahoo.com>
To:        Konan Houphoue <bahobab@hotmail.com>, freebsd-net@freebsd.org
Subject:   Re: Port 80 redirect: Good news!!
Message-ID:  <20000918220637.14089.qmail@web314.mail.yahoo.com>

Hi,
  Actually you are halfway there.  You want to make sure to deny setup to
your internal network so no one can use your firewall as a router to your
internal net.  What you can do is add the following line to your
rc.firewall right before the "deny all setup" statement:

+++  # Allow traffic to internal web server
+++  ${fwcmd} add allow tcp from any to 192.168.1.40 80

     # Reject&Log all setup of incoming connections from the outside
     ${fwcmd} add deny log tcp from any to any in via ${oif} setup
...

  This could probably be secured a little tighter than this, but this line
should do the trick.  The thing you have to remember is that the rules get
run through again after the NATD call, and I am not completely convinced
that the packets get injected back into the stream where they should. 
Here's what I think is happening:

$oip = outside IP of firewall
$oif = outside interface of firewall
$iip = inside IP of firewall
$iif = inside interface of firewall
$iis = inside address of IIS

request:
packet (192.88.0.1:2345 ==> $oip:80) via $oif --> NATD --> ($iip:2345 ==>
$iis:80) via $oif --> (out to internal server)

response:
packet ($iis:80 ==> $iip:2345) via $iif --> NATD --> ($oip:2345 ==>
192.88.0.1:2345) via $iif --> (back to client)

  It would seem to me that it should look like this:

request:
packet (192.88.0.1:2345 ==> $oip:80) via $oif --> NATD --> ($iip:2345 ==>
$iis:80) via $iif --> (out to internal server)

response:
packet ($iis:80 ==> $iip:2345) via $iif --> NATD --> ($oip:2345 ==>
192.88.0.1:2345) via $oif --> (back to client)

  Is this how it really works??  It seems that the packets are injected
back into the stream, but the interface associations are not changed for
the second run through ipfw.  If my first guess is correct, can someone
please explain the rationale behind this??  I'm not slamming anyone, I've
just been genuinely confused about this for some time...

Sorry for the extra question housed as an answer :), the good news is that
the rule I talked about at the beginning should fix your problem.

Ben

--- Konan Houphoue <bahobab@hotmail.com> wrote:
> A little reminder.
> The issue was that I'm trying to redirect all tcp/port 80 requests that 
> arrive on the outside interface of my firewall to an IIS server that
> resides 
> on my internal private network.
<snip>


__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/
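Two points from the mail above are easy to get wrong: the allow rule for the web server has to sit before the "deny ... setup" rule, and a redirected packet re-enters the rule list after the divert rule, so the rules are evaluated a second time on the rewritten packet. The following toy model, added here as an illustration (it is not code from the mail or from FreeBSD), reduces ipfw and natd to just those properties. The outside address and the natd redirect entry are constructed; 192.168.1.40 and the rule texts come from the mail, and real ipfw/natd do far more than this sketch.

```python
"""Toy model of ipfw + natd two-pass rule evaluation (added illustration, not FreeBSD code)."""
from dataclasses import dataclass, replace

OIP = "203.0.113.1"       # $oip: outside IP of the firewall (constructed, documentation range)
IIS = "192.168.1.40"      # $iis: internal web server, address taken from the mail
OIF, IIF = "oif", "iif"   # stand-ins for ${oif} / ${iif}

# Constructed equivalent of: natd -redirect_port tcp 192.168.1.40:80 80
REDIRECT_PORTS = {(OIP, 80): (IIS, 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str    # interface the packet is seen on
    setup: bool   # True for a TCP SYN without ACK (what ipfw calls "setup")


def natd(pkt: Packet) -> Packet:
    """Rewrite the destination of a packet that hits a redirect_port entry; others pass unchanged."""
    target = REDIRECT_PORTS.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=target[0], dport=target[1]) if target else pkt


# Rules in rc.firewall order as (action, predicate). The comment on each line is the
# ipfw rule it stands for; only the fields this toy cares about are matched.
RULES_MAIL = [
    ("divert", lambda p: p.iface == OIF),                  # ${fwcmd} add divert natd all from any to any via ${oif}
    ("allow",  lambda p: p.dst == IIS and p.dport == 80),  # ${fwcmd} add allow tcp from any to 192.168.1.40 80
    ("deny",   lambda p: p.iface == OIF and p.setup),      # ${fwcmd} add deny log tcp from any to any in via ${oif} setup
    ("allow",  lambda p: True),                            # catch-all so the toy stays small
]

# The same rules with the web-server allow placed *after* the deny, to show why order matters.
RULES_WRONG_ORDER = [RULES_MAIL[0], RULES_MAIL[2], RULES_MAIL[1], RULES_MAIL[3]]


def ipfw(pkt: Packet, rules=RULES_MAIL):
    """Walk the rules in order. A divert hands the packet to natd and resumes at the
    next rule with the rewritten packet (the second pass the mail describes).
    Returns (verdict, packet as it looked when the verdict was reached)."""
    for action, matches in rules:
        if not matches(pkt):
            continue
        if action == "divert":
            pkt = natd(pkt)       # rewritten packet continues at the following rule
            continue
        return action, pkt
    return "deny", pkt            # ipfw's implicit default deny


def web_request() -> Packet:
    """SYN from an outside client to the firewall's public address, port 80 (constructed)."""
    return Packet("192.88.0.1", 2345, OIP, 80, OIF, setup=True)


def router_abuse_attempt() -> Packet:
    """SYN from outside aimed straight at an internal host the redirect does not cover (constructed)."""
    return Packet("192.88.0.1", 2346, "192.168.1.50", 22, OIF, setup=True)


if __name__ == "__main__":
    for name, pkt, rules in [
        ("web request, rules as in the mail", web_request(), RULES_MAIL),
        ("web request, allow after deny", web_request(), RULES_WRONG_ORDER),
        ("direct SYN to internal host", router_abuse_attempt(), RULES_MAIL),
    ]:
        verdict, seen = ipfw(pkt, rules)
        print(f"{name}: {verdict} (final dst {seen.dst}:{seen.dport})")
```

Run as a script it prints the verdict for each constructed packet: the web request is allowed only when the allow rule precedes the deny, because after natd the packet is still "in via oif" with SYN set and would otherwise hit the deny; a SYN to an internal host that no redirect covers is denied on the second pass, which is the "firewall as router" case the mail warns about.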


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message