From owner-freebsd-questions@FreeBSD.ORG Tue Nov 25 07:39:39 2003
Delivered-To: freebsd-questions@freebsd.org
From: "Andras Kende" (envelope-from andras@kende.com)
To: "'Clayton F'"
Date: Tue, 25 Nov 2003 09:39:33 -0600
Subject: RE: Problems using natd to access internal webserver
In-Reply-To: <7B48AE56-1F27-11D8-B403-000393C2C922@bitheaven.net>
Message-Id: <20031125153938.864FF43FB1@mx1.FreeBSD.org>
List-Id: User questions

I think your firewall's "keep state" is the problem.
Here are some examples which work great for me. This is a working example:

/etc/rc.conf
gateway_enable="YES"          # forward packets between interfaces
natd_enable="YES"
natd_interface="fxp0"         # external interface natd translates on
natd_flags="-f /etc/rc.natd"  # natd reads redirect rules from this file
firewall_enable="YES"
firewall_script="/etc/rc.firewall"

/etc/rc.natd
# external port 8000 -> internal web server 10.1.1.18:80
redirect_port tcp 10.1.1.18:80 8000

/etc/rc.firewall
# let new connections to the redirected port through
$fwcmd add allow log tcp from any to any 8000 setup

kernel options
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT                 # required for the natd divert socket

Best regards,
Andras Kende
http://www.kende.com

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Clayton F
Sent: Tuesday, November 25, 2003 3:12 AM
To: freebsd-questions@FreeBSD.org
Subject: Problems using natd to access internal webserver

I am having trouble using natd to redirect incoming http requests to an internal web server. My ISP blocks incoming port 80 (the dogs!), so the browser needs to send its request on an unprivileged port - I chose port 5500. So in my web browser I enter the url http://www.mydomain.com:5500/

My rc.conf sets up the natd redirect as follows:

natd_enable="YES"
natd_interface="fxp0"
natd_flags="-redirect_port tcp 192.168.1.99:80 5500"

My firewall explicitly allows port 5500 entry as follows:

pass in quick on fxp0 proto tcp from any to any port = 5500 keep state

But when I point my web browser at port 5500, I get the following:

"Could not open the page "http://www.mydomain.com:5500/" because Safari couldn't connect to the server "www.mydomain.com"."
With tcpdump set to listen on port 5500 I get the following output:

01:06:19.345827 e-66-117-83-2.empnet.net.12488 > bc120155.bendcable.com.5500: S 3657164703:3657164703(0) win 65535 (DF)
01:06:19.345988 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.12488: R 0:0(0) ack 3657164704 win 0
01:06:19.390964 e-66-117-83-2.empnet.net.4458 > bc120155.bendcable.com.5500: S 2671871142:2671871142(0) win 65535 (DF)
01:06:19.391015 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.4458: R 0:0(0) ack 2671871143 win 0
01:06:19.434339 e-66-117-83-2.empnet.net.55900 > bc120155.bendcable.com.5500: S 2109062641:2109062641(0) win 65535 (DF)
01:06:19.434390 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.55900: R 0:0(0) ack 2109062642 win 0
01:06:19.479086 e-66-117-83-2.empnet.net.33048 > bc120155.bendcable.com.5500: S 1018302934:1018302934(0) win 65535 (DF)
01:06:19.479130 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.33048: R 0:0(0) ack 1018302935 win 0
01:06:19.522875 e-66-117-83-2.empnet.net.60586 > bc120155.bendcable.com.5500: S 26968154:26968154(0) win 65535 (DF)
01:06:19.523022 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.60586: R 0:0(0) ack 26968155 win 0
01:06:19.578958 e-66-117-83-2.empnet.net.57944 > bc120155.bendcable.com.5500: S 1035247753:1035247753(0) win 65535 (DF)
01:06:19.578993 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.57944: R 0:0(0) ack 1035247754 win 0
01:06:19.623151 e-66-117-83-2.empnet.net.57938 > bc120155.bendcable.com.5500: S 1144796038:1144796038(0) win 65535 (DF)
01:06:19.623189 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.57938: R 0:0(0) ack 1144796039 win 0
01:06:19.666940 e-66-117-83-2.empnet.net.27714 > bc120155.bendcable.com.5500: S 347489487:347489487(0) win 65535 (DF)
01:06:19.666985 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.27714: R 0:0(0) ack 347489488 win 0
01:06:19.709585 e-66-117-83-2.empnet.net.40754 > bc120155.bendcable.com.5500: S 1869973581:1869973581(0) win 65535 (DF)
01:06:19.709612 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.40754: R 0:0(0) ack 1869973582 win 0
01:06:19.756122 e-66-117-83-2.empnet.net.18348 > bc120155.bendcable.com.5500: S 3628283803:3628283803(0) win 65535 (DF)
01:06:19.756152 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.18348: R 0:0(0) ack 3628283804 win 0
01:06:19.804295 e-66-117-83-2.empnet.net.52446 > bc120155.bendcable.com.5500: S 3652608703:3652608703(0) win 65535 (DF)
01:06:19.804377 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.52446: R 0:0(0) ack 3652608704 win 0
01:06:19.847865 e-66-117-83-2.empnet.net.18192 > bc120155.bendcable.com.5500: S 238075128:238075128(0) win 65535 (DF)
01:06:19.847897 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.18192: R 0:0(0) ack 238075129 win 0
01:06:19.891162 e-66-117-83-2.empnet.net.25176 > bc120155.bendcable.com.5500: S 60109903:60109903(0) win 65535 (DF)
01:06:19.891206 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.25176: R 0:0(0) ack 60109904 win 0
01:06:19.934624 e-66-117-83-2.empnet.net.41352 > bc120155.bendcable.com.5500: S 2942823322:2942823322(0) win 65535 (DF)
01:06:19.934652 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.41352: R 0:0(0) ack 2942823323 win 0
01:06:19.976920 e-66-117-83-2.empnet.net.25770 > bc120155.bendcable.com.5500: S 1830184345:1830184345(0) win 65535 (DF)
01:06:19.976947 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.25770: R 0:0(0) ack 1830184346 win 0
01:06:20.019365 e-66-117-83-2.empnet.net.37826 > bc120155.bendcable.com.5500: S 3428010868:3428010868(0) win 65535 (DF)
01:06:20.019392 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.37826: R 0:0(0) ack 3428010869 win 0
01:06:20.063532 e-66-117-83-2.empnet.net.57502 > bc120155.bendcable.com.5500: S 373758618:373758618(0) win 65535 (DF)
01:06:20.063574 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.57502: R 0:0(0) ack 373758619 win 0
01:06:20.112894 e-66-117-83-2.empnet.net.44448 > bc120155.bendcable.com.5500: S 3033730069:3033730069(0) win 65535 (DF)
01:06:20.112935 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.44448: R 0:0(0) ack 3033730070 win 0
01:06:20.155772 e-66-117-83-2.empnet.net.31148 > bc120155.bendcable.com.5500: S 134626080:134626080(0) win 65535 (DF)
01:06:20.155805 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.31148: R 0:0(0) ack 134626081 win 0
01:06:20.198041 e-66-117-83-2.empnet.net.23638 > bc120155.bendcable.com.5500: S 1299869796:1299869796(0) win 65535 (DF)
01:06:20.198067 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.23638: R 0:0(0) ack 1299869797 win 0
01:06:20.240643 e-66-117-83-2.empnet.net.20744 > bc120155.bendcable.com.5500: S 2584151359:2584151359(0) win 65535 (DF)
01:06:20.240671 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.20744: R 0:0(0) ack 2584151360 win 0

It appears the web server's attempt to make the connection is falling on deaf ears.

(btw: I've confirmed the web server is up and running - if I set up a localhost port forward using ssh - aka "ssh -L 5500:192.168.1.99:80 myname@mydomain.com" I am able to access the web server)

Any tips on what I'm doing wrong?

Thanks!
Clayton

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
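The capture above shows every client SYN to port 5500 being answered by a bare RST (ack, win 0) from the gateway itself, which is the kernel's own "nothing is listening here" reply: the packet never got diverted to natd and translated to 192.168.1.99:80. Below is an added example, not code from either message in this thread, that parses lines in the old tcpdump format shown in the post and pairs each inbound SYN with the gateway's reply on the same 4-tuple, so a capture can be classified as refused (RST), accepted (SYN/ACK) or unanswered (silently dropped). The sample capture is constructed for the example in the same format as the post, with a few extra lines to exercise the other two outcomes; the outcome names and the diagnosis strings are this example's own.

```python
"""Classify SYN attempts in a tcpdump text capture (added example, not from the thread).

Handles the old tcpdump line format used in the post:
  HH:MM:SS.usec host.port > host.port: FLAGS seq:seq(len) [ack N] win W ...
"""
import re
from collections import Counter

# Constructed sample in the post's format: two SYNs refused with RST (as in the
# post), one answered with SYN/ACK, one never answered at all.
SAMPLE_CAPTURE = """\
01:06:19.345827 e-66-117-83-2.empnet.net.12488 > bc120155.bendcable.com.5500: S 3657164703:3657164703(0) win 65535 (DF)
01:06:19.345988 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.12488: R 0:0(0) ack 3657164704 win 0
01:06:19.390964 e-66-117-83-2.empnet.net.4458 > bc120155.bendcable.com.5500: S 2671871142:2671871142(0) win 65535 (DF)
01:06:19.391015 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.4458: R 0:0(0) ack 2671871143 win 0
01:06:19.500000 e-66-117-83-2.empnet.net.40000 > bc120155.bendcable.com.5500: S 100:100(0) win 65535 (DF)
01:06:19.500100 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.40000: S 200:200(0) ack 101 win 57344 <mss 1460>
01:06:19.600000 e-66-117-83-2.empnet.net.40001 > bc120155.bendcable.com.5500: S 300:300(0) win 65535 (DF)
"""

# host may itself contain dots; the greedy \S+ backtracks to the last ".port".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPF.]+)\s+"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    pkt["ack"] = " ack " in " " + pkt["rest"] + " "  # tcpdump prints "ack N" when ACK is set
    return pkt


def classify_syns(capture, port):
    """Pair each client SYN to `port` with the gateway's reply.

    Returns (Counter of outcomes, {4-tuple: outcome}) where outcome is
    'refused' (RST came back), 'accepted' (SYN/ACK came back) or 'unanswered'.
    """
    attempts = {}  # (src, sport, dst, dport) -> outcome
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["dport"] == port and "S" in pkt["flags"] and not pkt["ack"]:
            attempts.setdefault(key, "unanswered")  # new connection attempt
            continue
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if attempts.get(rev) == "unanswered":
            if "R" in pkt["flags"]:
                attempts[rev] = "refused"    # kernel RST: no listener, no divert
            elif "S" in pkt["flags"] and pkt["ack"]:
                attempts[rev] = "accepted"   # SYN/ACK: something answered
    return Counter(attempts.values()), attempts


def diagnose(counts):
    """Map the observed outcomes to the likely cause on a natd/ipfw gateway."""
    if counts.get("refused"):
        return ("refused: SYNs reached the gateway kernel, but nothing listened on the port "
                "and no divert/redirect_port rule translated them to the internal host first")
    if counts.get("unanswered") and not counts.get("accepted"):
        return "unanswered: SYNs were dropped before any reply (firewall deny or upstream block)"
    if counts.get("accepted"):
        return "accepted: handshake completed"
    return "no SYNs to that port seen"


if __name__ == "__main__":
    counts, _ = classify_syns(SAMPLE_CAPTURE, 5500)
    print(dict(counts))
    print(diagnose(counts))
```

Run it against a saved capture with `classify_syns(open("capture.txt").read(), 5500)`. On the post's capture every attempt lands in the "refused" bucket; a rule that silently denied the port would instead leave the SYNs unanswered, which is how the two failure modes are told apart from the outside.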