Re: problem with IPF rules - port 80 not accessible

2005-09-19 Thread Erik Norgaard

jonas wrote:

> the httpd is not accessible from the internet and I don't understand
> why, I probably made some stupid mistake in the firewall rules... this
> is the first time I'm setting up a firewall from scratch.


Do you at all have access?


> (any errors in it? outbound internet access works fine)


I shall try to dissect your ruleset:

> @1 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
> @2 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 443
> @3 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 22
> @4 pass in log quick on ng0 proto udp from any to 192.168.0.1/32 port = 22


Do you see anything strange in the first rule compared to the following 
three? You said ssh worked right?



> where rl0 is the LAN interface, rl1 is connected to a DSL-modem, ng0 is
> the tunnel interface mpd creates, 192.168.0.1 is the IP of my
> freebsd gateway and 172.16.0.1 is the IP of the PPTP-server (a cisco
> device I think).


You should make an ascii sketch, it's far easier to understand which
interface is connected to what and where traffic goes.


Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: problem with IPF rules - port 80 not accessible

2005-09-19 Thread jonas
On Mon, 19 Sep 2005 17:49:49 +0200
Erik Norgaard [EMAIL PROTECTED] wrote:

> jonas wrote:
>
> > the httpd is not accessible from the internet and I don't understand
> > why, I probably made some stupid mistake in the firewall rules...
> > this is the first time I'm setting up a firewall from scratch.
>
> Do you at all have access?

I can access the webserver from my LAN and from the university.
ssh from the university doesn't seem to work.

>
> > (any errors in it? outbound internet access works fine)
>
> I shall try to dissect your ruleset:
>
> > @1 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
> > @2 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 443
> > @3 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 22
> > @4 pass in log quick on ng0 proto udp from any to 192.168.0.1/32 port = 22
>
> Do you see anything strange in the first rule compared to the
> following three? You said ssh worked right?

eh.. well, those other rules were a bit old :) I changed them now to
say 128.176.0.0/16 as well.

>
> > where rl0 is the LAN interface, rl1 is connected to a DSL-modem,
> > ng0 is the tunnel interface mpd creates, 192.168.0.1 is the IP of my
> > freebsd gateway and 172.16.0.1 is the IP of the PPTP-server (a cisco
> > device I think).
>
> You should make an ascii sketch, it's far easier to understand which
> interface is connected to what and where traffic goes.

ok, I'll try, but don't complain if it's crappy :)


 [laptop]
192.168.0.2 (bfe0)
|   
|
  [hub]
|
|
192.168.0.1 (rl0)
[freebsd gateway]
172.16.x.y (rl1)--DSL-modem-[some gateway]-172.16.0.1
|  172.16.192.2 |
\___PPTP-tunnel_/


128.176.a.b(ng0)
   |
 [ISP-gateway]
128.176.239.193
   |
   [internet]

hmm... 172.16.x.y is the IP I get assigned by DHCP
and the one I reach the pptp-server 172.16.0.1 through is 172.16.192.2.
128.176.a.b is the IP I get assigned from the pptp-server, so I can
reach the public internet through the gateway 128.176.239.193.
so 128.176.a.b is my public IP address.

so in fact the traffic goes this way (at least this is how I understand
it):

laptop---freebsd gateway:(GRE encapsulate)---172.16.192.2 \
---172.16.0.1:(unencapsulate)---128.176.239.193---internet

and

internet---128.176.239.193---172.16.0.1(GRE encapsulate) \
---172.16.192.2---freebsd gateway:(unencapsulate)---laptop

is this correct?

