From owner-freebsd-net Mon Sep 18 20:55:50 2000 Delivered-To: freebsd-net@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 7D20837B422 for ; Mon, 18 Sep 2000 20:55:48 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 18 Sep 2000 20:53:50 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8J3sOe09324; Mon, 18 Sep 2000 20:54:24 -0700 (PDT) (envelope-from cjc) Date: Mon, 18 Sep 2000 20:54:23 -0700 From: "Crist J . Clark" To: Konan Houphoue Cc: ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org Subject: Re: Port 80 redirect: Good news!! Message-ID: <20000918205423.E367@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from bahobab@hotmail.com on Mon, Sep 18, 2000 at 10:00:42AM -0500 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Sep 18, 2000 at 10:00:42AM -0500, Konan Houphoue wrote: > Thanks to all of you who tried to help me with this problem. > And I with Ari about the rules a the begining of /etc/rc.firewall > > A little reminder. > The issue was that I'm trying to redirect all tcp/port 80 requests that > arrive on the outside interface of my firewall to an IIS server that resides > on my internal private network. > Before the idea to redirect port 80, my web pages were served by Apache 1.3 > on the firewall server, and everything was working just fine. > > So I was advided to use the "-redirect_port proto targetIP:port port" flag > in /etc/rc.conf: > > firewall_enable="YES" > firewall_type="simple" > natd_flags="-redirect_port tcp 192.168.1.40:80 80" > > But the port forwarding rule was not working. > Howerver, with firewall_type="open", the forwarding works. > > I tried all the sugestions I recieved but the forwarding always fails if > firewall_type="simple". > > Then I went on to comment out the rules one by one. > Here'e the rule in the "simple" section of /etc/rc.firewall that's blocking > the forwarding: > > # Reject&Log all setup of incoming connections from the outside > ${fwcmd} add deny log tcp from any to any in via ${oif} setup > > When this rule is commented, everything works well. > > Now could you tell me whether doing so opens a security breach? Yes. You pretty much might as well be using the 'open' configuration if you comment that out. Like it says, that's rule that disallows arbitrary incoming connections. Now, let's see how to edit these rules. [snip] > # Allow access to our WWW > ${fwcmd} add pass tcp from any to ${oip} 80 setup This rule is useless since we redirect this traffic. You want, ${fwcmd} add pass tcp from any to ${internal_http} 80 in via ${oif} setup > #My rules > #${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup This rule seems strange. Pass traffic FROM the outer IP address to the INTERNAL net that is coming IN the internal interface? I think s/in/out/? > #${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup Again, huh? The previous rule is a subset of this rule, i.e. anything that was passed in the previous rule would pass this one. The previous rule is unnecessary. Once you get this figured out, you can make it a stateful firewall rather than having the 'pass established' rule. ;) -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message