From owner-freebsd-questions@FreeBSD.ORG Mon Sep 19 15:26:38 2005
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0D0C016A41F for ; Mon, 19 Sep 2005 15:26:38 +0000 (GMT) (envelope-from jonas.de.buhr@gmx.net)
Received: from mail.gmx.net (pop.gmx.de [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 4B87D43D45 for ; Mon, 19 Sep 2005 15:26:36 +0000 (GMT) (envelope-from jonas.de.buhr@gmx.net)
Received: (qmail invoked by alias); 19 Sep 2005 15:26:35 -0000
Received: from VPNPOOL01-0415.UNI-MUENSTER.DE (EHLO localhost) [128.176.151.169] by mail.gmx.net (mp036) with SMTP; 19 Sep 2005 17:26:35 +0200
X-Authenticated: #351132
Date: Mon, 19 Sep 2005 17:26:42 +0200
From: jonas
To: freebsd-questions@freebsd.org
Message-ID: <20050919172642.45408cf9@localhost>
X-Mailer: Sylpheed-Claws 1.9.11 (GTK+ 2.6.4; i386-portbld-freebsd5.4)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Subject: problem with IPF rules - port 80 not accessible
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 19 Sep 2005 15:26:38 -0000

hi!

I feel kind of stupid about this :( ... I'm using a FreeBSD gateway to manage my internet connection, which is also running a httpd to provide a small website and (in the future ;) ) some system management, statistics etc. The httpd is not accessible from the internet and I don't understand why; I probably made some stupid mistake in the firewall rules... This is the first time I'm setting up a firewall from scratch.
I'm running:

FreeBSD router.dbnet 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #0: Fri Sep 16 14:36:20 CEST 2005 root@router.dbnet:/usr/obj/usr/src/sys/GENERIC i386

lighttpd-1.4.3 (ssl) - a light and fast webserver
Build-Date: Sep 17 2005 00:50:23

ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

I use mpd to establish a PPTP tunnel to my university network (which routes my traffic to the internet). My mpd version is 3.18.

Routing table:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            128.176.239.193    UGS         0    46442    ng0
127.0.0.1          127.0.0.1          UH          1     2687    lo0
128.176.151.169    lo0                UHS         0        0    lo0
128.176.239.193    128.176.151.169    UH          1        0    ng0
172.16.0.1         172.16.192.2       UGHS        0    42599    rl1
172.16.192/21      link#2             UC          0        0    rl1
172.16.192.2       00:08:7d:e0:98:70  UHLW        1        0    rl1   1015
172.16.196.233     127.0.0.1          UGHS        0        0    lo0
192.168.0          link#1             UC          0        0    rl0
192.168.0.1        00:50:fc:5f:c9:ba  UHLW        0        2    lo0
192.168.0.2        00:00:f0:81:f1:75  UHLW        0    44640    rl0    841

(any errors in it? outbound internet access works fine)

My IPF rules:

@1 pass out log quick on ng0 from any to any keep state
@2 pass out log quick on rl1 from any to 172.16.0.1/32 keep state
@3 block out log quick on rl1 from any to any
@1 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
@2 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 443
@3 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 22
@4 pass in log quick on ng0 proto udp from any to 192.168.0.1/32 port = 22
@5 block in log quick on ng0 proto tcp from any to any port = 111
@6 block in log quick on ng0 from any to any
@7 pass in log quick on rl1 from 172.16.0.1/32 to 172.16.0.0/16
@8 block in log quick on rl1 from any to any

where rl0 is the LAN interface, rl1 is connected to a DSL modem, ng0 is the tunnel interface mpd creates, 192.168.0.1 is the IP of my FreeBSD gateway and 172.16.0.1 is the IP of the PPTP server (a Cisco device, I think).
I can access the webserver from an ssh login to a university computer, but other people tell me they can't connect to the httpd. In the logs I can see that their packets to port 80 are passed, but they don't seem to get any data back. I'm confused... what am I doing wrong?

btw. you may notice the explicitly closed port 111; this is probably not necessary because of rule @7, and I'm aware that it's idiotic to run NFS on a gateway machine. Let's not discuss that :) (I don't plan to leave it on for 'production' use of that machine, but it's holding some stuff I don't have space to put anywhere else at the moment.)

thanks,
jonas
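As an added illustration, not part of jonas's post and not the ipf tool itself: a small Python model of IPFilter's rule evaluation (first match wins when the rule is `quick`, last match wins otherwise, and a `keep state` pass creates a flow entry that short-circuits later packets of that flow in either direction), run over the rule set from the post with a few constructed packets. It assumes the tunnel address 128.176.151.169 taken from the routing table and a made-up remote client 198.51.100.7. The trace shows three things that follow directly from the rules as posted: a port-80 SYN arriving on ng0 hits in@1 and its reply leaves via out@1 with no state entry involved; the 443 and 22 rules on ng0 match only destination 192.168.0.1, so a connection to the tunnel address on 443 falls through to the catch-all block in@6; and in@7 passes anything from the PPTP server to 172.16.0.0/16 on rl1, port 111 included.

```python
"""Toy model of ipf rule evaluation: quick/first-match, last-match otherwise,
plus a minimal keep-state table. Added example; rule syntax covered is only
the subset used in the post (pass/block, in/out, log, quick, on, proto, from,
to, port =, keep state)."""
import ipaddress
import re

# The rule set from the post, verbatim (ipf numbers in and out rules separately).
RULES = """
pass out log quick on ng0 from any to any keep state
pass out log quick on rl1 from any to 172.16.0.1/32 keep state
block out log quick on rl1 from any to any
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 443
pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 22
pass in log quick on ng0 proto udp from any to 192.168.0.1/32 port = 22
block in log quick on ng0 proto tcp from any to any port = 111
block in log quick on ng0 from any to any
pass in log quick on rl1 from 172.16.0.1/32 to 172.16.0.0/16
block in log quick on rl1 from any to any
"""

RULE_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out)(?: log)?(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: proto (?P<proto>\S+))? from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<dport>\d+))?(?P<state> keep state)?"
)

GATEWAY_TUNNEL_IP = "128.176.151.169"   # from the routing table in the post
CLIENT = "198.51.100.7"                 # constructed remote client (TEST-NET-2)


def parse_rules(text):
    """Turn the rule text into dicts; numbering restarts per direction like ipfstat."""
    rules, counters = [], {"in": 0, "out": 0}
    for line in (l.strip() for l in text.strip().splitlines()):
        m = RULE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        d = m.groupdict()
        counters[d["dir"]] += 1
        rules.append({
            "num": counters[d["dir"]], "action": d["action"], "dir": d["dir"],
            "quick": d["quick"] is not None, "iface": d["iface"], "proto": d["proto"],
            "src": None if d["src"] == "any" else ipaddress.ip_network(d["src"]),
            "dst": None if d["dst"] == "any" else ipaddress.ip_network(d["dst"]),
            "dport": int(d["dport"]) if d["dport"] else None,
            "keep_state": d["state"] is not None,
        })
    return rules


def pkt(direction, iface, proto, src, sport, dst, dport):
    return dict(dir=direction, iface=iface, proto=proto,
                src=src, sport=sport, dst=dst, dport=dport)


def rule_matches(rule, p):
    if rule["dir"] != p["dir"] or rule["iface"] != p["iface"]:
        return False
    if rule["proto"] and rule["proto"] != p["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(p["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(p["dst"]) not in rule["dst"]:
        return False
    return rule["dport"] is None or rule["dport"] == p["dport"]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # flow keys created by "keep state" passes

    @staticmethod
    def _key(p, reverse=False):
        a = (p["src"], p["sport"]); b = (p["dst"], p["dport"])
        return (p["proto"],) + ((b + a) if reverse else (a + b))

    def filter(self, p):
        """Return (verdict, reason); reason is 'state', 'default' or 'dir@num'."""
        if self._key(p) in self.state or self._key(p, reverse=True) in self.state:
            return ("pass", "state")
        winner = None
        for rule in self.rules:
            if rule_matches(rule, p):
                winner = rule
                if rule["quick"]:
                    break          # quick: first match ends evaluation
        if winner is None:
            return ("pass", "default")   # "Default: pass all" in the ipf -V output
        if winner["action"] == "pass" and winner["keep_state"]:
            self.state.add(self._key(p))
        return (winner["action"], f"{winner['dir']}@{winner['num']}")


def demo():
    """Trace the constructed packets through the posted rule set."""
    fw = Firewall(parse_rules(RULES))
    gw = GATEWAY_TUNNEL_IP
    trace = [
        ("http syn in on ng0",   fw.filter(pkt("in", "ng0", "tcp", CLIENT, 40000, gw, 80))),
        ("http reply out ng0",   fw.filter(pkt("out", "ng0", "tcp", gw, 80, CLIENT, 40000))),
        ("https syn in on ng0",  fw.filter(pkt("in", "ng0", "tcp", CLIENT, 40001, gw, 443))),
        ("portmap in on ng0",    fw.filter(pkt("in", "ng0", "tcp", CLIENT, 40002, gw, 111))),
        ("pptp out rl1",         fw.filter(pkt("out", "rl1", "tcp", "172.16.196.233", 50000, "172.16.0.1", 1723))),
        ("pptp reply in rl1",    fw.filter(pkt("in", "rl1", "tcp", "172.16.0.1", 1723, "172.16.196.233", 50000))),
        ("pptp server -> 111",   fw.filter(pkt("in", "rl1", "tcp", "172.16.0.1", 5555, "172.16.196.233", 111))),
    ]
    return trace


if __name__ == "__main__":
    for label, (verdict, why) in demo():
        print(f"{label:24s} {verdict:5s} ({why})")
```

The model deliberately has no IP-level notion of NAT, GRE or the PPTP tunnel itself; it only answers "which rule in this list decides this packet", which is the question the `log` flags on every rule are there to answer in `ipmon` output.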