Webserver behind nat/ipfw

2006-03-03 Thread freebsd-questions

Hello all,

I have been struggling for the last few months now to run a webserver behind a firewall.
I have installed apache 2 on an OpenDarwin G4 machine behind a FreeBSD 6 firewall/nat box:


internet ]-[ outside IP ] modem [ 192.168.1.1 ]-[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]-[ en0: 10.31.21.2 ] OpenDarwin webserver


When I run apache from the firewall people can connect.
Tcpdump on en0 and fxp0 both show the right incoming and outgoing traffic on the webserver as expected.
It also shows that incoming traffic on the firewall on port 80 is successfully translated to the firewall's IP.
I can access the website from the LAN (from the firewall itself and going through the firewall via nge1 10.31.20.1, not shown).


I am clearly missing something here in the way the response from the webserver should be sent back to the internet requests.

If I only knew what...

I have tried adding lines like:
ipfw 3 add divert 8668 all from any to any 80
I even tried running a second natd and diverting all traffic on port 80 through it, without any result.

I am out of ideas now...
Googling for a month led me to instructions on how to run ipfw OR natd; I couldn't find one that combines the two.
Can anyone help me set up nat and ipfw so that the webserver is able to respond to incoming http requests?


Many thanks in advance,

Arno


HARDWARE:
internet ]-[ outside IP ] modem [ 192.168.1.1 ]-[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]-[ en0: 10.31.21.2 ] OpenDarwin webserver


GREP NAT /ETC/RC.CONF:
natd_program=/sbin/natd   # path to natd, if you want a different one.
natd_enable=YES   # Enable natd (if firewall_enable == YES).

natd_interface=nge0   # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"  # Additional flags for natd.


/ETC/NATD.CONF:
unregistered_only yes
use_sockets yes
same_ports yes
dynamic yes

### Forward all incoming http access to Webserver
redirect_port tcp 10.31.21.2:80 80
redirect_port tcp 192.168.1.40:80 10.31.21.2:80



/ETC/IPFW.CONF:
#!/bin/sh
# Start of IPFW rules file
###

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif=nge0 # public interface name of NIC
# facing the public Internet
lif1=fxp0   # local web interface
lif2=nge1   # local toxik interface
dhcp=192.168.1.56
dns1=ISP_DNS1
dns2=ISP_DNS2
webserver=10.31.21.2

#
# No restrictions on Inside LAN Interface for private network
#
$cmd 005 allow all from any to any via $lif1
$cmd 006 allow all from any to any via $lif2

#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0

#
# check if packet is inbound and nat address if it is
#
$cmd 014 divert natd ip from any to any in via $pif

#
# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
#
$cmd 015 check-state

#
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip all from any to $dns1 53 out via $pif keep-state
$cmd 021 $skip all from any to $dns2 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25,110,995 out via $pif setup keep-state


# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root GOD privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from 

Re: Webserver behind nat/ipfw

2006-03-03 Thread Greg Barniskis

freebsd-questions wrote:

> Hello all,
>
> I have been struggling for the last few months now to run a webserver behind a firewall.
> I have installed apache 2 on an OpenDarwin G4 machine behind a FreeBSD 6 firewall/nat box:
>
> internet ]-[ outside IP ] modem [ 192.168.1.1 ]-[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]-[ en0: 10.31.21.2 ] OpenDarwin webserver
>
> When I run apache from the firewall people can connect.
> Tcpdump on en0 and fxp0 both show the right incoming and outgoing traffic on the webserver as expected.
> It also shows that incoming traffic on the firewall on port 80 is successfully translated to the firewall's IP.
> I can access the website from the LAN (from the firewall itself and going through the firewall via nge1 10.31.20.1, not shown).

Does tcpdump show the web server returning packets to the firewall? That is, are you barking at ipfw/natd when the problem is the web server's idea of proper routing for addresses outside the firewall?

If the web server gets requests from the firewall and also returns them properly, add verbose logging to every ipfw rule so you can see exactly where they get clobbered.

> I am clearly missing something here in the way the response from the webserver should be sent back to the internet requests.
>
> If I only knew what...
>
> I have tried adding lines like:
> ipfw 3 add divert 8668 all from any to any 80

I don't think that is what you want.

> I even tried running a second natd and diverting all traffic on port 80 through it, without any result.

Nor that.

> I am out of ideas now...
> Googling for a month led me to instructions on how to run ipfw OR natd; I couldn't find one that combines the two.

man natd
more /etc/rc.firewall

(the stock rc.firewall, not one you've heavily experimented on)

It should be pretty simple to make them work together. Perhaps you're trying to make it more complicated than it is?

Simply divert to natd at an appropriate place in your ipfw rule set. Note how the example rules in the stock rc.firewall do RFC 1918 spoof checks before and after the divert, then get into what kinds of non-spoofed connections are permitted or denied.

> Can anyone help me set up nat and ipfw so that the webserver is able to respond to incoming http requests?
>
> Many thanks in advance,
>
> Arno
>
> HARDWARE:
> internet ]-[ outside IP ] modem [ 192.168.1.1 ]-[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]-[ en0: 10.31.21.2 ] OpenDarwin webserver
>
> GREP NAT /ETC/RC.CONF:
> natd_program=/sbin/natd   # path to natd, if you want a different one.
> natd_enable=YES   # Enable natd (if firewall_enable == YES).
> natd_interface=nge0   # Public interface or IPaddress to use.
> natd_flags="-f /etc/natd.conf"  # Additional flags for natd.
>
> /ETC/NATD.CONF:
> unregistered_only yes
> use_sockets yes
> same_ports yes
> dynamic yes
>
> ### Forward all incoming http access to Webserver
> redirect_port tcp 10.31.21.2:80 80
> redirect_port tcp 192.168.1.40:80 10.31.21.2:80

My working gateway's natd.conf uses only one redirect:

redirect_port real.web.server.IP:8080

Is the second redirect above part of your problem? Seems odd.

Sorry, I haven't time to offer any specific advice on your ipfw rules except to suggest that liberal use of logging can help you isolate any bad assumptions really quickly, especially if you are able to test in a controlled lab environment so there isn't a lot of noise.

--
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
gregb at scls.lib.wi.us, (608) 266-6348
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
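One way to lay out the divert Greg points to, as an added example that is neither Arno's script nor the stock rc.firewall itself: it prints a stateless ipfw rule set for the thread's topology (nge0, fxp0, nge1, web server 10.31.21.2) with a single natd divert on the public interface ahead of the allow rules, and closes with a logged deny so anything that falls through is visible in the log. Rule numbers and the DNS/ICMP rules are my own choices, not from the thread.

```shell
#!/bin/sh
# Added example, not the poster's script: a stateless ipfw/natd rule set
# for the topology in the thread, laid out like the "simple" section of the
# stock FreeBSD 6 rc.firewall. Interface names and the web server address
# are from the thread; rule numbers and the DNS/ICMP rules are assumptions.
pif=nge0             # public interface (natd_interface in rc.conf)
lif1=fxp0            # web server segment
lif2=nge1            # second LAN segment
webserver=10.31.21.2

# Print the rule set in load order, one "add ..." line per rule, in the
# file format that "ipfw <file>" reads. Nothing is loaded here.
gen_rules() {
    cmd="echo add"
    $cmd 005 allow all from any to any via $lif1
    $cmd 006 allow all from any to any via $lif2
    $cmd 010 allow all from any to any via lo0
    # One divert on the public interface handles both directions: the
    # inbound request gets its destination rewritten to $webserver, and
    # the server's reply gets its source rewritten back to the public IP.
    $cmd 050 divert natd ip from any to any via $pif
    # After the divert the request is addressed to the inside host, so the
    # allow rule must name $webserver rather than the firewall's address.
    $cmd 100 allow tcp from any to $webserver 80 in via $pif setup
    # Packets of already accepted TCP connections, whichever side started.
    $cmd 110 allow tcp from any to any established
    $cmd 120 allow all from any to any frag
    # Sessions started from inside (or by the gateway) may leave.
    $cmd 200 allow tcp from any to any out via $pif setup
    $cmd 210 allow udp from any to any 53 out via $pif
    $cmd 211 allow udp from any 53 to any in via $pif
    $cmd 220 allow icmp from any to any via $pif
    # Log whatever falls through; a missing rule then shows up in the log.
    $cmd 65000 deny log all from any to any
}

# Load the generated set on the firewall (run as root on the FreeBSD box).
apply_rules() {
    gen_rules > /etc/ipfw.rules &&
        ipfw -q -f flush &&
        ipfw -q /etc/ipfw.rules
}
```

gen_rules only prints and is safe to run anywhere; apply_rules replaces the live rule set, so read the printed output first.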