Date: Mon, 19 Sep 2005 17:26:42 +0200
From: jonas <jonas.de.buhr@gmx.net>
To: freebsd-questions@freebsd.org
Subject: problem with IPF rules - port 80 not accessible
Message-ID: <20050919172642.45408cf9@localhost>
hi!

I feel kind of stupid about this :( ... I'm using a FreeBSD gateway to manage my internet connection, which is also running a httpd to provide a small website and (in the future ;) ) some system management, statistics etc. The httpd is not accessible from the internet and I don't understand why; I probably made some stupid mistake in the firewall rules... This is the first time I'm setting up a firewall from scratch.

I'm running:

FreeBSD router.dbnet 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #0: Fri Sep 16 14:36:20 CEST 2005 root@router.dbnet:/usr/obj/usr/src/sys/GENERIC i386

lighttpd-1.4.3 (ssl) - a light and fast webserver
Build-Date: Sep 17 2005 00:50:23

ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

I use mpd to establish a PPTP tunnel to my university network (which routes my traffic to the internet). My mpd version is 3.18.

Routing table:

Internet:
Destination        Gateway            Flags    Refs    Use  Netif Expire
default            128.176.239.193    UGS         0  46442    ng0
127.0.0.1          127.0.0.1          UH          1   2687    lo0
128.176.151.169    lo0                UHS         0      0    lo0
128.176.239.193    128.176.151.169    UH          1      0    ng0
172.16.0.1         172.16.192.2       UGHS        0  42599    rl1
172.16.192/21      link#2             UC          0      0    rl1
172.16.192.2       00:08:7d:e0:98:70  UHLW        1      0    rl1   1015
172.16.196.233     127.0.0.1          UGHS        0      0    lo0
192.168.0          link#1             UC          0      0    rl0
192.168.0.1        00:50:fc:5f:c9:ba  UHLW        0      2    lo0
192.168.0.2        00:00:f0:81:f1:75  UHLW        0  44640    rl0    841

(Any errors in it? Outbound internet access works fine.)

My IPF rules:

@1 pass out log quick on ng0 from any to any keep state
@2 pass out log quick on rl1 from any to 172.16.0.1/32 keep state
@3 block out log quick on rl1 from any to any
@1 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
@2 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 443
@3 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 22
@4 pass in log quick on ng0 proto udp from any to 192.168.0.1/32 port = 22
@5 block in log quick on ng0 proto tcp from any to any port = 111
@6 block in log quick on ng0 from any to any
@7 pass in log quick on rl1 from 172.16.0.1/32 to 172.16.0.0/16
@8 block in log quick on rl1 from any to any

where rl0 is the LAN interface, rl1 is connected to a DSL modem, ng0 is the tunnel interface mpd creates, 192.168.0.1 is the IP of my FreeBSD gateway and 172.16.0.1 is the IP of the PPTP server (a Cisco device, I think).

I can access the webserver from an ssh login to a university computer, but other people tell me they can't connect to the httpd. In the logs I can see that their packets to port 80 are passed, but they don't seem to get any data back. I'm confused... What am I doing wrong?

btw. You may notice the explicitly closed port 111; this is probably not necessary because of rule @7, and I'm aware that it's idiotic to run NFS on a gateway machine. Let's not discuss that :) (I don't plan to leave it on for 'production' use of that machine, but it's holding some stuff I don't have space to put anywhere else at the moment.)

thanks,
jonas
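As an added illustration (not the poster's ruleset and not a reply from the list), the inbound side of the ruleset above written in stateful form. It assumes 128.176.151.169 is the address mpd assigned to ng0, which is what the routing table above suggests (the UHS route via lo0 and the point-to-point route to 128.176.239.193); the 192.168.0.1 rules in the original can never match on ng0, because that is the LAN address on rl0, not the tunnel address that internet clients connect to. With "keep state" on the inbound rules, only the initial SYN has to match a rule; every later packet of that connection, in both directions, is passed from the state table rather than by re-evaluating the "pass out" rules:

```text
# Added example, not the original /etc/ipf.rules.
# Assumption: 128.176.151.169 is the ng0 (PPTP tunnel) address.

# outbound: unchanged from the original
pass out log quick on ng0 from any to any keep state
pass out log quick on rl1 from any to 172.16.0.1/32 keep state
block out log quick on rl1 from any to any

# original inbound rules, stateless, and two of them aimed at the LAN address:
#   pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
#   pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 443
#   pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 22

# stateful inbound rules on the tunnel address: "flags S" matches only the
# SYN, "keep state" then carries the rest of the connection
pass in log quick on ng0 proto tcp from any to 128.176.151.169/32 port = 80  flags S keep state
pass in log quick on ng0 proto tcp from any to 128.176.151.169/32 port = 443 flags S keep state
pass in log quick on ng0 proto tcp from any to 128.176.151.169/32 port = 22  flags S keep state
block in log quick on ng0 from any to any

# tunnel control traffic from the PPTP server on the DSL side
pass in log quick on rl1 proto tcp from 172.16.0.1/32 to 172.16.0.0/16 flags S keep state
pass in log quick on rl1 proto gre from 172.16.0.1/32 to 172.16.0.0/16 keep state
block in log quick on rl1 from any to any
```

The udp port 22 rule and the separate port 111 block are left out: ssh is TCP only, and the final "block in ... on ng0" already drops 111. Reload with `ipf -Fa -f /etc/ipf.rules`, then compare `ipfstat -io` (loaded rules), `ipfstat -s` (state table) and `ipfstat -hio` (per-rule hit counters) while an outside client connects; a SYN that creates a state entry but a connection that still stalls points away from the filter rules and towards the tunnel itself, for example an MTU/path-MTU problem on ng0, which `tcpdump -ni ng0 port 80` would show as large server segments being retransmitted and never acknowledged. The GRE rule on rl1 is only needed if the PPTP data channel is not already covered by the outbound "keep state" rule on rl1; verify against the state table rather than assuming either way.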
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050919172642.45408cf9>