Re: Firewall/Web server difficulties

2006-02-19 Thread Norberto Meijome
Brian Bobowski wrote:
 Norberto Meijome wrote:

 Brian Bobowski wrote:

 I'm poking at that now, yes. I had difficulty getting it to work with
 virtual hosts... but I can at least reference it by the private-side IP
 address and get places.

 assuming you are using Apache, you can use * for IP address and let it
 be name-based virt host.

 Already running thus. DNS seems to be the problem, then. (Which I'll
 poke at later assuming hosting alternatives don't work out.)
(sorry for the delay in replying)
One thing you want to make sure you have off is the reverse DNS lookup
setting in your httpd.conf - it's rather useless and it will add a
dependency on DNS to your web services.


 WAN. People have tried pinging and browsing, with no success.

 then I would review the rules...

 Relevant rules text (and based on both startup text and behaviour of
 the firewall for other tasks, I know the rules file is being parsed)
 excerpted below:

for proper diagnosing, it'd be better to have the whole thing :)
hopefully it's already fixed...
---
 cmd=ipfw -q add
 pif=rl0 #Interface which opens to the WAN; NAT interface

Is your NAT properly configured?
 prif=ed0 #LAN interface, private-side
 ks=keep-state

 # More stuff here...

 $cmd 400 allow udp from 24.226.1.121 to me 68 in via $pif # DHCP server
 $cmd 401 allow tcp from any to me 80 in via $pif # Apache
 $cmd 402 allow tcp from any to me 22 in via $pif # SSH
 $cmd 403 allow icmp from any to me in via $pif # For testing; low-traffic, not worried about ping floods at this time
 ---

 The firewall's DHCP requests are working fine, so #400 is working
 properly.
ok
 Other machines, however, cannot see it.
what do you mean by this? the fact that #400 is working doesn't mean that
#401 will :) (there's nothing particularly wrong with #401..just saying
you are making the wrong assumption)


 That's one problem. The other is DNS. I'm still looking through the
 named.conf file and poking at the settings given for a secondary
 server... all I really want is a caching server that will first look
 at my own /etc/hosts file (where the domain names which refer to this
 machine are specified by their private-facing address).
hmm .. why would named.conf look into /etc/hosts ?
If this is your main DNS server for your zone, then make sure that it's
properly delegated, that all the relevant hosts are defined IN YOUR BIND
config (well, /etc/hosts can't hurt, but you are just adding extra
variables that can muddle things up).

There are lots of good docs on BIND out there. If you want a rather easy
UI, why not install webmin from the ports?

good luck,
Beto
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Firewall/Web server difficulties

2006-02-13 Thread Brian Bobowski
All right. I've got my firewall up and running, and my workstation can 
get almost anywhere it needs to just fine.


The lone exception being the web server located on the firewall machine 
itself.


I can access it by directly referencing the private-interface IP, but if 
my workstation tries to get to the public-interface IP, nothing happens. 
Can't even ping it. ICMP and port 80 TCP should both be allowed from 
anywhere... but they're not getting through. (So far as I can tell, it's 
not just me who's unable to access these.)


Does NAT simply not allow for servers to be running on the machine that 
performs it? I know it's not ideal, but I don't have the room to install 
another machine even if that were in my budget. I've set up NAT and IPFW 
per the directions in the handbook, and aside from that one difficulty, 
everything seems to be working.


Please reply off the list.

Thanks in advance,

-BB


Re: Firewall/Web server difficulties

2006-02-13 Thread Norberto Meijome
Brian Bobowski wrote:
 All right. I've got my firewall up and running, and my workstation can
 get almost anywhere it needs to just fine.

you don't say if you are using ipfw, ipf , pf


 I can access it by directly referencing the private-interface IP, but if
 my workstation tries to get to the public-interface IP, nothing happens.
 Can't even ping it. ICMP and port 80 TCP should both be allowed from
 anywhere... but they're not getting through.

(Assuming all your rules are ok...) AFAIK, you can't access the external
interface of a NAT'ed system from the LAN side. Simply use a DNS inside
that resolves the name you try to access to the internal interface
instead of the external. this is a FAQ, I think...


 (So far as I can tell, it's
 not just me who's unable to access these.)

meaning others in your LAN? or others in the WAN?

 Does NAT simply not allow for servers to be running on the machine that
 performs it? I know it's not ideal, but I don't have the room to install
 another machine even if that were in my budget. I've set up NAT and IPFW
 per the directions in the handbook, and aside from that one difficulty,
 everything seems to be working.
 Please reply off the list.
CCing the list for the benefit of everyone else :)

Beto


Re: Firewall/Web server difficulties

2006-02-13 Thread Brian Bobowski

Norberto Meijome wrote:
 Brian Bobowski wrote:
 All right. I've got my firewall up and running, and my workstation can
 get almost anywhere it needs to just fine.

 you don't say if you are using ipfw, ipf , pf

Sure I do. IPFW; mentioned lower down.

 I can access it by directly referencing the private-interface IP, but if
 my workstation tries to get to the public-interface IP, nothing happens.
 Can't even ping it. ICMP and port 80 TCP should both be allowed from
 anywhere... but they're not getting through.

 (Assuming all your rules are ok...) AFAIK, you can't access the external
 interface of a NAT'ed system from the LAN side. Simply use a DNS inside
 that resolves the name you try to access to the internal interface
 instead of the external. this is a FAQ, I think...

I'm poking at that now, yes. I had difficulty getting it to work with
virtual hosts... but I can at least reference it by the private-side IP
address and get places.

 (So far as I can tell, it's
 not just me who's unable to access these.)

 meaning others in your LAN? or others in the WAN?

WAN. People have tried pinging and browsing, with no success.

 Does NAT simply not allow for servers to be running on the machine that
 performs it? I know it's not ideal, but I don't have the room to install
 another machine even if that were in my budget. I've set up NAT and IPFW
 per the directions in the handbook, and aside from that one difficulty,
 everything seems to be working.

 Please reply off the list.

 CCing the list for the benefit of everyone else :)

 Beto

Hope the clarifications help,
-BB


Re: Firewall/Web server difficulties

2006-02-13 Thread Norberto Meijome
Brian Bobowski wrote:
 Norberto Meijome wrote:
 Brian Bobowski wrote:
 All right. I've got my firewall up and running, and my workstation can
 get almost anywhere it needs to just fine.

 you don't say if you are using ipfw, ipf , pf

 Sure I do. IPFW; mentioned lower down.
sorry my bad

 I can access it by directly referencing the private-interface IP, but if
 my workstation tries to get to the public-interface IP, nothing happens.
 Can't even ping it. ICMP and port 80 TCP should both be allowed from
 anywhere... but they're not getting through.

 (Assuming all your rules are ok...) AFAIK, you can't access the external
 interface of a NAT'ed system from the LAN side. Simply use a DNS inside
 that resolves the name you try to access to the internal interface
 instead of the external. this is a FAQ, I think...

 I'm poking at that now, yes. I had difficulty getting it to work with
 virtual hosts... but I can at least reference it by the private-side IP
 address and get places.

assuming you are using Apache, you can use * for IP address and let it
be name-based virt host.

 (So far as I can tell, it's
 not just me who's unable to access these.)

 meaning others in your LAN? or others in the WAN?

 WAN. People have tried pinging and browsing, with no success.

then I would review the rules...

good luck

B


Re: Firewall/Web server difficulties

2006-02-13 Thread Brian Bobowski

Norberto Meijome wrote:
 Brian Bobowski wrote:
 I'm poking at that now, yes. I had difficulty getting it to work with
 virtual hosts... but I can at least reference it by the private-side IP
 address and get places.

 assuming you are using Apache, you can use * for IP address and let it
 be name-based virt host.

Already running thus. DNS seems to be the problem, then. (Which I'll
poke at later assuming hosting alternatives don't work out.)

 WAN. People have tried pinging and browsing, with no success.

 then I would review the rules...

Relevant rules text (and based on both startup text and behaviour of the
firewall for other tasks, I know the rules file is being parsed)
excerpted below:


---
cmd=ipfw -q add
pif=rl0 #Interface which opens to the WAN; NAT interface
prif=ed0 #LAN interface, private-side
ks=keep-state

# More stuff here...

$cmd 400 allow udp from 24.226.1.121 to me 68 in via $pif # DHCP server
$cmd 401 allow tcp from any to me 80 in via $pif # Apache
$cmd 402 allow tcp from any to me 22 in via $pif # SSH
$cmd 403 allow icmp from any to me in via $pif # For testing; low-traffic, not worried about ping floods at this time

---

The firewall's DHCP requests are working fine, so #400 is working 
properly. Other machines, however, cannot see it.


These firewall rules are essentially a slightly-modified copy of the 
first example NAT ruleset in the handbook's IPFW section. The 
modifications consist of extending the 'good-tcpo' variable to a few 
more ports I want to use, putting more entries for my ISP's DNS servers, 
adding DHCP outbound and inbound permission (67 and 68) like the second
example has, and adding port 22 and ICMP in the above set.


That's one problem. The other is DNS. I'm still looking through the 
named.conf file and poking at the settings given for a secondary 
server... all I really want is a caching server that will first look at 
my own /etc/hosts file (where the domain names which refer to this 
machine are specified by their private-facing address).


Any assistance, as always, appreciated. Especially with the first 
problem. (Off-list as I can't keep up with the volume of list delivery.)


-BB
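An added example, not code from the thread or from FreeBSD, that does the rule review in code: it expands the script's shell variables, parses each `$cmd` line of the excerpt above, and lists what is admitted inbound on the WAN interface and whether each rule keeps state. It assumes the excerpt embedded as a constructed string, and relies on ipfw matching rules per packet: an allow without keep-state or limit admits only the arriving packet, so replies leaving via the same interface must be admitted by some other rule.

```python
import re
import shlex

# Constructed, trimmed copy of the excerpt posted in this thread so the
# script runs offline; a real review would read the rules file instead.
RULES = """\
cmd=ipfw -q add
pif=rl0 #Interface which opens to the WAN; NAT interface
$cmd 400 allow udp from 24.226.1.121 to me 68 in via $pif # DHCP server
$cmd 401 allow tcp from any to me 80 in via $pif # Apache
$cmd 402 allow tcp from any to me 22 in via $pif # SSH
$cmd 403 allow icmp from any to me in via $pif # For testing
"""

OPTION_WORDS = {"in", "out", "via", "recv", "xmit", "setup", "established",  # words that may
                "keep-state", "limit", "check-state", "log", "frag"}          # follow "to DST"

def parse_rules(text):
    """Expand the script's shell variables and split each `$cmd` line into fields."""
    env, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                # drop shell comments
        m = re.match(r"^(\w+)=(.*)$", line)
        if m:                                              # variable assignment
            env[m.group(1)] = m.group(2).strip()
            continue
        if not line.startswith("$cmd"):
            continue
        tok = shlex.split(re.sub(r"\$(\w+)", lambda v: env.get(v.group(1), v.group(0)), line))
        i = tok.index("add")
        num, action, proto = int(tok[i + 1]), tok[i + 2], tok[i + 3]
        body = tok[i + 4:]                 # from SRC [SPORT] to DST [DPORT] options...
        src = body[1]
        j = body.index("to")               # a source port may sit between SRC and "to"
        dst, j = body[j + 1], j + 2
        dport = body[j] if j < len(body) and body[j] not in OPTION_WORDS else None
        opts = body[j + 1:] if dport else body[j:]
        rules.append({"num": num, "action": action, "proto": proto, "src": src, "dst": dst,
                      "dport": dport, "via": opts[opts.index("via") + 1] if "via" in opts else None,
                      "dir": "in" if "in" in opts else "out" if "out" in opts else "both",
                      "stateful": bool({"keep-state", "limit"} & set(opts))})
    return rules

def wan_inbound_allows(rules, wan_if):
    """Rules admitting packets that arrive on the WAN interface."""
    return [r for r in rules if r["action"] == "allow" and r["dir"] == "in" and r["via"] == wan_if]

def stateless_inbound(rules, wan_if):
    """Inbound WAN allows without keep-state/limit, which admit only the arriving packet."""
    return [r["num"] for r in wan_inbound_allows(rules, wan_if) if not r["stateful"]]
```

Running `stateless_inbound(parse_rules(RULES), "rl0")` on the excerpt lists all four rule numbers, which tells the reviewer where to look next in the part of the file marked "More stuff here".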