From owner-freebsd-mobile Tue Oct 27 14:00:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA28912 for freebsd-mobile-outgoing; Tue, 27 Oct 1998 14:00:34 -0800 (PST) (envelope-from owner-freebsd-mobile@FreeBSD.ORG)
Received: from tinker.com (troll.tinker.com [204.214.7.146]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA28888 for ; Tue, 27 Oct 1998 14:00:29 -0800 (PST) (envelope-from carol@tinker.com)
Received: by localhost (8.8.5/8.8.5)
Received: by mail.tinker.com via smap (V2.0) id xma006358; Tue Oct 27 15:54:24 1998
Received: by localhost (8.8.5/8.8.5) id QAA24261; Tue, 27 Oct 1998 16:03:43 -0600 (CST)
Received: by localhost (NX5.67g/) id AA07031; Tue, 27 Oct 98 15:58:01 -0600
Message-Id: <9810272158.AA07031@localhost>
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 4.2mach v148)
Received: by NeXT.Mailer (1.148)
From: Carol Lyn Deihl
Date: Tue, 27 Oct 98 15:58:00 -0600
To: Can Altineller
Subject: Re: ipfw and httpd.
Cc: mobile@FreeBSD.ORG
Reply-To: Carol Deihl
References:
Sender: owner-freebsd-mobile@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can Altineller wrote:
> in my rc.firewall I have
>
> $fwcmd add pass tcp from any to ${ip} 80 setup
>
> just as I have for port 22, 23, which work fine. However, when I
> telnet to myhost:80 from an external host, the myhost:80 does not respond
> at all. I've tcpdumped such an interaction and figured out that it does
> not syn back; in other words, it does not connect at all. I've tried various
> other commands such as: ipfw add pass tcp from myip 80 to any setup ; and
> that does not seem to be working.

The rule you mentioned allows only the first packet from a client to reach your web server, but you will need additional rules for the rest of the packets from the client, and for the reply packets from your server back to the client.

I'd suggest rules like the following:

    $fwcmd add pass tcp from any to ${ip} 80 in
    $fwcmd add pass tcp from ${ip} 80 to any out established

The first rule lets clients send packets "in" to your server. The second rule lets your server send reply packets ("established") back "out" to the clients.

You may already have a rule near the end of your set something like this:

    $fwcmd add pass tcp from ${ip} to any out established

Since this rule allows replies to all established connections, you won't need the second rule above.

Carol Deihl -- carol@tinker.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-mobile" in the body of the message
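To make the point of the reply concrete, here is an added example that is not part of the original message or of FreeBSD: a small Python model of stateless ipfw matching for the three rule sets discussed in the thread (the poster's `setup`-only rule, the `from myip 80 ... setup` rule the poster also tried, and the `in` / `out established` pair suggested in the reply). It models only the qualifiers the thread uses: `setup` matches a packet with SYN set and ACK clear, `established` matches a packet with ACK or RST set, `in`/`out` select direction, and a packet that matches no rule falls through to the default deny. The addresses, client port and packet labels are constructed stand-ins.

```python
"""Toy model of stateless ipfw TCP rule matching (constructed example,
not code from the mailing-list thread or from FreeBSD). It walks the
packets of one HTTP connection through each rule set and reports the
verdict ipfw would give each packet."""

from dataclasses import dataclass, field
from typing import Optional

SERVER = "10.0.0.2"        # constructed stand-in for ${ip}
CLIENT = "192.0.2.10"      # constructed external client address
CLIENT_PORT = 40321        # constructed client ephemeral port


@dataclass
class Packet:
    label: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                 # "in" (towards the server) or "out"
    flags: frozenset = field(default_factory=frozenset)


@dataclass
class Rule:
    action: str                    # "pass" or "deny"
    src: str                       # address or "any"
    sport: Optional[int]           # None matches any port
    dst: str
    dport: Optional[int]
    direction: Optional[str] = None  # None matches both directions
    setup: bool = False            # ipfw `setup`: SYN set and ACK clear
    established: bool = False      # ipfw `established`: ACK or RST set


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every qualifier on the rule matches the packet."""
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def http_session() -> list:
    """Packets of a minimal TCP handshake plus one request and reply."""
    def c2s(label, flags):
        return Packet(label, CLIENT, CLIENT_PORT, SERVER, 80, "in", frozenset(flags))

    def s2c(label, flags):
        return Packet(label, SERVER, 80, CLIENT, CLIENT_PORT, "out", frozenset(flags))

    return [
        c2s("client SYN", {"SYN"}),
        s2c("server SYN-ACK", {"SYN", "ACK"}),
        c2s("client ACK", {"ACK"}),
        c2s("client GET", {"PSH", "ACK"}),
        s2c("server reply", {"PSH", "ACK"}),
    ]


def simulate(rules: list) -> dict:
    """Map each packet label of the session to its verdict under `rules`."""
    return {pkt.label: evaluate(rules, pkt) for pkt in http_session()}


# The rule from the question: only the client's first SYN can match it.
ORIGINAL_RULES = [Rule("pass", "any", None, SERVER, 80, setup=True)]

# The variant the poster also tried: `setup` never matches the SYN-ACK.
TRIED_RULES = ORIGINAL_RULES + [Rule("pass", SERVER, 80, "any", None, setup=True)]

# The rules suggested in the reply: client packets in, server replies out.
SUGGESTED_RULES = [
    Rule("pass", "any", None, SERVER, 80, direction="in"),
    Rule("pass", SERVER, 80, "any", None, direction="out", established=True),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("tried", TRIED_RULES),
                        ("suggested", SUGGESTED_RULES)):
        print(name)
        for label, verdict in simulate(rules).items():
            print(f"  {label:16} {verdict}")
```

Running it shows why tcpdump saw no SYN-ACK: under the original rule the client's SYN passes, but the server's SYN-ACK and every later packet in both directions fall through to the default deny, and the extra `setup` rule the poster tried changes nothing because a SYN-ACK has ACK set. Under the suggested pair every packet of the session passes.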