freebsd-questions wrote:
Hello all,

I have been struggling for the last few months now to run a webserver behind a firewall. I have installed Apache 2 on an OpenDarwin G4 machine behind a FreeBSD 6 firewall/NAT box:

internet ]-----[ outside IP ] modem [ 192.168.1.1 ]-----[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]-----[ en0: 10.31.21.2 ] OpenDarwin webserver

When I run apache from the firewall people can connect.
Tcpdump on en0 and fxp0 both show the right incoming and outgoing traffic on the webserver as expected. It also shows that incoming traffic on the firewall on port 80 is successfully translated to the firewall's IP. I can access the website from the LAN (from the firewall itself, and going through the firewall via nge1 10.31.20.1, not shown in the diagram).

Does tcpdump show the web server returning packets to the firewall? That is, are you barking at ipfw/natd when the problem is the web server's idea of proper routing for addresses outside the firewall?

If the web server gets requests from the firewall and also returns them properly, add verbose logging to every ipfw rule so you can see exactly where they get clobbered.


I am clearly missing something here in the way the response from the webserver should be sent back to the internet requests.
If I only knew what...

I have tried adding lines like:
ipfw 3 add divert 8668 all from any to any 80

I don't think that is what you want.

I even tried running a second natd and diverting all traffic on port 80 through it without any result.

Nor that.

I am out of ideas now...
Googling for a month led me to instructions on how to run ipfw OR natd; I couldn't find one that combines the two.

man natd
more /etc/rc.firewall

(the stock rc.firewall, not one you've heavily experimented on)

It should be pretty simple to make them work together. Perhaps you're trying to make it more complicated than it is?

Simply divert to natd at an appropriate place in your ipfw rule set. Note how the example rules in the stock rc.firewall do RFC 1918 spoof checks before and after the divert, then get into what kinds of non-spoofed connections are permitted or denied.

Can anyone help me set up NAT and ipfw so that the webserver is able to respond to incoming HTTP requests?

Many thanks in advance,

Arno


HARDWARE:
internet ]-----[ outside IP ] modem [ 192.168.1.1 ]-----[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]-----[ en0: 10.31.21.2 ] OpenDarwin webserver

GREP NAT /ETC/RC.CONF:
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="nge0"           # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"  # Additional flags for natd.


/ETC/NATD.CONF:
unregistered_only yes
use_sockets yes
same_ports yes
dynamic yes

### Forward all incoming http access to Webserver
redirect_port tcp 10.31.21.2:80        80
redirect_port tcp 192.168.1.40:80 10.31.21.2:80

My working gateway's natd.conf uses only one redirect:

redirect_port     real.web.server.IP:80    80

Is the second redirect above part of your problem? Seems odd.

Sorry, I haven't time to offer any specific advice on your ipfw rules except to suggest that liberal use of logging can help you isolate any bad assumptions really quickly, especially if you are able to test in a controlled lab environment so there isn't a lot of noise.

--
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
<gregb at scls.lib.wi.us>, (608) 266-6348
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
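As an added example (not code from this thread, and not FreeBSD's stock rc.firewall), here is one way to lay out the rule set Greg describes for Arno's diagram: a single divert to natd, the RFC 1918 checks on either side of it, the redirected HTTP service allowed by the address it carries after translation, and `log` on every deny so a misfire can be found in the logs. Interface names and addresses are taken from the diagram and natd's divert port 8668 from Arno's own attempt; the rule numbers, the ICMP allowance and the `FWCMD` preview hook are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall:
# an ipfw rule set that diverts through natd at exactly one place, with the
# RFC 1918 spoof checks on either side of the divert, for Arno's topology.
# Interface names and addresses come from his diagram; rule numbers, the
# logging and the ICMP allowance are assumptions for this example.
# Run as "FWCMD=echo sh natd-ipfw.sh load" to preview instead of loading.

OIF=nge0                 # outside interface, towards the modem
IIF=fxp0                 # inside interface, towards the web server
INET=10.31.21.0/24       # inside LAN
WEB=10.31.21.2           # OpenDarwin web server (natd's redirect_port target)
NATD_PORT=8668           # natd's default divert port
FWCMD=${FWCMD:-ipfw}

# Emit the rule set, one "add ..." argument list per line, in load order.
fw_rules() {
    echo "add 100 pass all from any to any via lo0"
    echo "add 110 deny all from any to 127.0.0.0/8"
    echo "add 120 deny all from 127.0.0.0/8 to any"

    # Anti-spoofing: the inside net never arrives from outside, and nothing
    # but the inside net arrives on the inside interface.
    echo "add 200 deny log all from $INET to any in via $OIF"
    echo "add 210 deny log all from not $INET to any in via $IIF"

    # Before the divert an inbound packet still carries its untranslated
    # destination, so destinations are checked here. 192.168.0.0/16 is
    # deliberately absent: $OIF itself sits in 192.168.1.0/24 behind the
    # modem, and the stock check would drop the modem's traffic too.
    echo "add 300 deny log all from any to 10.0.0.0/8 via $OIF"
    echo "add 310 deny log all from any to 172.16.0.0/12 via $OIF"

    # The single divert: natd rewrites inbound destinations to the
    # redirect target and outbound sources to the $OIF address.
    echo "add 400 divert $NATD_PORT all from any to any via $OIF"

    # After the divert an outbound packet carries its translated source,
    # so an RFC 1918 source here is a leak, not a LAN host.
    echo "add 500 deny log all from 10.0.0.0/8 to any via $OIF"
    echo "add 510 deny log all from 172.16.0.0/12 to any via $OIF"

    # Replies for connections that are already open, and fragments.
    echo "add 600 pass tcp from any to any established"
    echo "add 610 pass all from any to any frag"

    # The one inbound service. By this point natd has already rewritten the
    # destination to the web server's inside address, so that is what the
    # rule must match; a rule written for $OIF's address never sees it.
    echo "add 700 pass tcp from any to $WEB 80 in via $OIF setup"

    # Any other inbound connection attempt is logged and refused.
    echo "add 800 deny log tcp from any to any in via $OIF setup"

    # Outbound connections from the LAN and from the firewall itself,
    # plus the ICMP types needed for ping and path MTU discovery.
    echo "add 900 pass tcp from any to any setup"
    echo "add 910 pass icmp from any to any icmptypes 0,3,8,11"

    # Whatever is left is logged (syslog facility security).
    echo "add 65000 deny log all from any to any"
}

# Flush the running set and load the rules above through $FWCMD.
# The log keyword only reaches syslog when net.inet.ip.fw.verbose is 1.
load_rules() {
    $FWCMD -f flush
    fw_rules | while read -r rule; do
        # word-splitting of $rule is intended: each word is one ipfw argument
        $FWCMD $rule
    done
}

case "${1:-show}" in
    load) load_rules ;;
    *)    fw_rules ;;
esac
```

Loaded with no argument the script only prints the rules, which is a convenient way to eyeball the ordering before touching a remote firewall. Two points carry over from the thread: the position of rule 700 is why a working natd can still look "blocked" at ipfw if the allow rule names the firewall's address instead of the web server's, and none of this matters if, as Greg asks, the web server does not route replies for outside addresses back through 10.31.21.1.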