Divert port 80 to internal server

2003-11-02 Thread Chris Hill
I'm trying to set up an internal machine to serve all my web sites. I
have one routable IP and a slew of inside machines on 192.168.1.*, one
of which is to be the web server.

My gateway machine (running the ipfw in question) is an ancient FreeBSD
running ipfw and natd:

# uname -a
FreeBSD mail.monochrome.org 3.3-RELEASE FreeBSD 3.3-RELEASE #0: (etc...)

I'm trying to set up a rule under ipfw which will send all requests for
port 80 to the internal machine. The web server's name is faro and its
internal IP is defined in /etc/hosts all over my LAN. I've tried a bunch
of different ipfw commands in /etc/rc.firewall, such as

$fwcmd add divert 80 tcp from any to faro 80 setup
$fwcmd add fwd ${oip} 80 tcp from any to faro 80 setup
$fwcmd add allow tcp from any to faro 80 setup

(not all at once, of course). In all cases, 'ipfw show' gives the
expected result with the correct IP shown in the rule as defined in
/etc/rc.firewall. I'm pretty sure the basic setup (other than this
issue) is OK, since it's been running fine for years. Right now, the
rule set is

# ipfw show
00100 5884 2573012 divert 8668 ip from any to any via ed1
00100  302   36118 allow ip from any to any via lo0
002000   0 deny ip from 192.168.1.0/24 to any in recv ed1
003000   0 deny ip from 209.190.235.128/25 to any in recv xl0
004000   0 deny ip from 172.16.0.0/12 to any via ed1
005000   0 deny ip from any to 172.16.0.0/12 via ed1
006000   0 deny ip from 10.0.0.0/8 to any via ed1
007000   0 deny ip from any to 10.0.0.0/8 via ed1
00800 9008 4903771 allow tcp from any to any established
009004 240 allow tcp from any to 209.190.235.180 25 setup
010000   0 allow tcp from any to 209.190.235.180 53 setup
011000   0 allow tcp from any 53 to any 53
012000   0 allow udp from any 53 to any 53
013000   0 allow tcp from any 53 to any 1023-65535
01400  427   81559 allow udp from any 53 to any 1023-65535
01500   18 792 allow tcp from any 1023-65535 to any 53
01600  432   27458 allow udp from any 1023-65535 to any 53
01700   16 768 allow tcp from any to any 22 setup
018004 240 allow tcp from any to any 113 via xl0 setup
019000   0 allow tcp from any 20 to any 1023-65535
020000   0 allow tcp from any 1023-65535 to any 21
021000   0 allow tcp from any to 192.168.1.1 110 setup
022000   0 allow tcp from any to 209.190.235.180 110 setup
02300   813916 deny tcp from any to any in recv ed1 setup
024000   0 allow tcp from any to 192.168.1.7 80 setup
02500  240   11536 allow tcp from any to any setup
02600   948072 allow icmp from any to any
027000   0 allow udp from any 53 to 209.190.235.180
028000   0 allow udp from 209.190.235.180 to any 53
02900  235   17860 allow udp from any 123 to 209.190.235.180
03000  310   23560 allow udp from 209.190.235.180 to any 123
03100  700   66275 allow ip from 192.168.1.0/24 to any
03200   362736 allow ip from any to 192.168.1.0/24
03300  293   31058 deny ip from any to any
65535  137   10852 allow ip from any to any
#

Rule 2400 is the one giving me grief at the moment. Bottom line, none of
this seems to work; any by-name http connection is refused, but
connections from inside by IP address get me the server's default page
just fine, so I know httpd is running on the web server machine.

I have searched google, alltheweb, and the -questions@ archive, as well
as 'man ipfw' and 'man divert', but have not found anything that I can
both understand and use.

Any idea of a usable ipfw rule that will work for this application?

Thanks in advance.

--
Chris Hill   [EMAIL PROTECTED]
** [ Busy Expunging | ]

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Divert port 80 to internal server

2003-11-02 Thread Erik Trulsson
On Sun, Nov 02, 2003 at 08:20:48PM -0500, Chris Hill wrote:
> I'm trying to set up an internal machine to serve all my web sites. I
> have one routable IP and a slew of inside machines on 192.168.1.*, one
> of which is to be the web server.
>
> My gateway machine (running the ipfw in question) is an ancient FreeBSD
> running ipfw and natd:
>
> # uname -a
> FreeBSD mail.monochrome.org 3.3-RELEASE FreeBSD 3.3-RELEASE #0: (etc...)

Considered updating?  I am fairly sure there are a number of bugs and
security problems that have been fixed since 3.3 came out.

>
> I'm trying to set up a rule under ipfw which will send all requests for
> port 80 to the internal machine. The web server's name is faro and its
> internal IP is defined in /etc/hosts all over my LAN. I've tried a bunch
> of different ipfw commands in /etc/rc.firewall, such as


Take a look at the '-redirect_port' option to natd(8).  I believe it
does exactly what you want.  Let natd handle the redirection rather
than ipfw.


-- 
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]

Re: Divert port 80 to internal server

2003-11-02 Thread Chip
Chris Hill wrote:
> [snip]
> Any idea of a usable ipfw rule that will work for this application?

Best let natd.conf handle the redirect, like this (I have an old fbsd4.0
box):

use_sockets yes
port 8668
alias_address outside.nic.address
redirect_port tcp 192.168.1.10:80 80

192.168.1.10 is the inside web server IP address. Change it to whatever
yours is. Alias is the NIC facing the internet on the firewall box.
Change it accordingly.

Your rc.firewall (whatever you called the rules file) should have the
lines in it to read the natd.conf file before loading the firewall rules.

Hope that helps,
Chip
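The redirect described above, worked through as a complete natd.conf plus the ipfw rule order it depends on; this is an added example, not code from Chip or Chris, and the interface name, public IP and web server address are assumed from Chris's posted rule set (ed1 outside, 209.190.235.180, 192.168.1.7).

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the natd(8) config and
# the ipfw rule order needed for inbound TCP/80 on the single public address
# to reach an inside web server. Assumed values are taken from the poster's
# rule set: outside NIC ed1, public IP 209.190.235.180, web server 192.168.1.7,
# natd divert port 8668. Commands are only printed unless APPLY=yes is set.
oif="ed1"; oip="209.190.235.180"; web="192.168.1.7"; APPLY="${APPLY:-no}"

fwcmd() { echo "ipfw $*"; if [ "$APPLY" = yes ]; then /sbin/ipfw "$@"; fi; }

# /etc/natd.conf (loaded with natd_flags="-f /etc/natd.conf" in rc.conf).
# redirect_port is what rewrites the destination to $web; an ipfw 'allow'
# or 'fwd' rule on its own never changes where the packet is addressed.
natd_conf() {
    cat <<EOF
use_sockets yes
same_ports yes
port 8668
interface $oif
redirect_port tcp $web:80 80
EOF
}

# Rule order is what makes the redirect work:
#  1. the divert rule comes first, so an inbound SYN is rewritten to $web
#     before any later rule inspects its destination address;
#  2. after translation the packet is addressed to $web, so the pass rule
#     must name the inside address, not $oip;
#  3. only TCP/80 is opened; every other inbound SYN on $oif is refused.
firewall_rules() {
    fwcmd -f flush
    fwcmd add 100 divert 8668 ip from any to any via "$oif"
    fwcmd add 200 allow ip from any to any via lo0
    fwcmd add 300 deny ip from 192.168.1.0/24 to any in recv "$oif"
    fwcmd add 800 allow tcp from any to any established
    fwcmd add 2400 allow tcp from any to "$web" 80 in recv "$oif" setup
    fwcmd add 2500 deny tcp from any to any in recv "$oif" setup
    fwcmd add 3100 allow ip from 192.168.1.0/24 to any
    fwcmd add 3200 allow ip from any to 192.168.1.0/24
    fwcmd add 3300 deny ip from any to any
}

# Sanity check: the divert rule must precede the rule that passes $web:80.
rule_order_ok() {
    firewall_rules | awk -v w="to $web 80" \
        '/ divert / { d = NR } index($0, w) { p = NR } END { exit !(d && p && d < p) }'
}

natd_conf
firewall_rules
```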