Date: Mon, 18 Sep 2000 20:54:23 -0700 From: "Crist J . Clark" <cjclark@reflexnet.net> To: Konan Houphoue <bahobab@hotmail.com> Cc: ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org Subject: Re: Port 80 redirect: Good news!! Message-ID: <20000918205423.E367@149.211.6.64.reflexcom.com> In-Reply-To: <F135rByg67HF4x0Hgx10000d75b@hotmail.com>; from bahobab@hotmail.com on Mon, Sep 18, 2000 at 10:00:42AM -0500 References: <F135rByg67HF4x0Hgx10000d75b@hotmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Sep 18, 2000 at 10:00:42AM -0500, Konan Houphoue wrote:
> Thanks to all of you who tried to help me with this problem.
> And I with Ari about the rules a the begining of /etc/rc.firewall
>
> A little reminder.
> The issue was that I'm trying to redirect all tcp/port 80 requests that
> arrive on the outside interface of my firewall to an IIS server that resides
> on my internal private network.
> Before the idea to redirect port 80, my web pages were served by Apache 1.3
> on the firewall server, and everything was working just fine.
>
> So I was advided to use the "-redirect_port proto targetIP:port port" flag
> in /etc/rc.conf:
>
> firewall_enable="YES"
> firewall_type="simple"
> natd_flags="-redirect_port tcp 192.168.1.40:80 80"
>
> But the port forwarding rule was not working.
> Howerver, with firewall_type="open", the forwarding works.
>
> I tried all the sugestions I recieved but the forwarding always fails if
> firewall_type="simple".
>
> Then I went on to comment out the rules one by one.
> Here'e the rule in the "simple" section of /etc/rc.firewall that's blocking
> the forwarding:
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> When this rule is commented, everything works well.
>
> Now could you tell me whether doing so opens a security breach?
Yes. You pretty much might as well be using the 'open' configuration
if you comment that out. Like it says, that's rule that disallows
arbitrary incoming connections.
Now, let's see how to edit these rules.
[snip]
> # Allow access to our WWW
> ${fwcmd} add pass tcp from any to ${oip} 80 setup
This rule is useless since we redirect this traffic. You want,
${fwcmd} add pass tcp from any to ${internal_http} 80 in via ${oif} setup
> #My rules
> #${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup
This rule seems strange. Pass traffic FROM the outer IP address to the
INTERNAL net that is coming IN the internal interface? I think s/in/out/?
> #${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup
Again, huh? The previous rule is a subset of this rule, i.e. anything
that was passed in the previous rule would pass this one. The previous
rule is unnecessary.
Once you get this figured out, you can make it a stateful firewall
rather than having the 'pass established' rule. ;)
--
Crist J. Clark cjclark@alum.mit.edu
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000918205423.E367>