From: jonas <jonas.de.buhr@gmx.net>
To: freebsd-questions@freebsd.org
Date: Mon, 19 Sep 2005 19:29:54 +0200
Subject: Re: problem with IPF rules - port 80 not accessible
Message-ID: <20050919192954.6ac0e9a9@localhost>
In-Reply-To: <432EDE1D.2050107@locolomo.org>
References: <20050919172642.45408cf9@localhost> <432EDE1D.2050107@locolomo.org>
X-Mailer: Sylpheed-Claws 1.9.11 (GTK+ 2.6.4; i386-portbld-freebsd5.4)

On Mon, 19 Sep 2005 17:49:49 +0200
Erik Norgaard wrote:

> jonas wrote:
>
> > the httpd is not accessible from the internet and I don't understand
> > why, I probably made some stupid mistake in the firewall rules...
> > this is the first time I'm setting up a firewall from scratch.
>
> Do you at all have access?

I can access the webserver from my LAN and from the university. ssh from
the university doesn't seem to work.

> > (any errors in it? outbound internet access works fine)
>
> I shall try to dissect your ruleset:
>
> > @1 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
> > @2 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 443
> > @3 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 22
> > @4 pass in log quick on ng0 proto udp from any to 192.168.0.1/32 port = 22
>
> Do you see anything strange in the first rule compared to the
> following three? You said ssh worked right?

eh.. well, those other rules were a bit old :) I changed them now to say
128.176.0.0/16 as well.

> > where rl0 is the LAN interface, rl1 is connected to a DSL-modem,
> > ng0 is the tunnel interface mpd creates, 192.168.0.1 is the IP of my
> > freebsd gateway and 172.16.0.1 is the IP of the PPTP-server (a cisco
> > device I think).
>
> You should make an ascii sketch, it's far easier to understand which
> interface is connected to what and where traffic goes.

ok, I'll try, but don't complain if it's crappy :)

[laptop] 192.168.0.2 (bfe0)
   |
   |
 [hub]
   |
   |
192.168.0.1 (rl0) [freebsd gateway] 172.16.x.y (rl1)---------->DSL-modem----->[some gateway]----->172.16.0.1
                                                   |                               172.16.192.2        |
                                                   |                                                   |
                                                   \_______________________PPTP-tunnel_________________/
                                            128.176.a.b(ng0)
                                                   |
                                             [ISP-gateway] 128.176.239.193
                                                   |
                                             [internet]

hmm... 172.16.x.y is the IP I get assigned by DHCP and the one I reach the
pptp-server 172.16.0.1 through 172.16.192.2.

128.176.a.b is the IP I get assigned from the pptp-server, so I can reach
the public internet through the gateway 128.176.239.193. so 128.176.a.b
is my public IP address.

so in fact the traffic goes this way (at least this is how I understand it):

laptop--->freebsd gateway:(GRE encapsulate)--->172.16.192.2
    \--->172.16.0.1:(unencapsulate)--->128.176.239.193--->internet

and

internet--->128.176.239.193--->172.16.0.1(GRE encapsulate)
    \--->172.16.192.2--->freebsd gateway:(unencapsulate)--->laptop

is this correct?
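Editor's added example (not part of the thread, and not code either poster wrote): a small checker that makes Erik's point mechanically. Rules @2-@4 are bound to ng0 with "in", but a packet arriving on ng0 from the internet is addressed to the public address 128.176.a.b, never to the LAN address 192.168.0.1, so those rules can never match; @4 additionally passes udp/22, which no ssh client sends. The interface-to-network table below is constructed from jonas's sketch (the ng0 address is dynamic, hence only the /16 is known; the 172.16.0.0/12 for rl1 is an assumption), and FIXED_RULES is the ruleset as jonas says he changed it, minus the udp rule. One caveat the quoted excerpt does not show: for the tunnel itself to come up, rl1 also has to pass the PPTP control connection (tcp/1723) and GRE (IP protocol 47) to and from 172.16.0.1; if those are blocked, nothing reaches ng0 in the first place.

```python
"""Flag IPF 'pass in' rules that can never match on the interface they are
bound to.  Hypothetical helper written for this thread, not an ipf tool."""
import ipaddress
import re

# Constructed from the sketch in the mail: which destination networks a
# packet arriving *inbound* on each interface can actually carry.
IFACE_NETS = {
    "ng0": [ipaddress.ip_network("128.176.0.0/16")],  # PPTP tunnel, public side
    "rl1": [ipaddress.ip_network("172.16.0.0/12")],   # DSL side (assumed /12)
    "rl0": [ipaddress.ip_network("192.168.0.0/24")],  # LAN
}

# The four rules exactly as first quoted in the thread.
RULES = """\
@1 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
@2 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 443
@3 pass in log quick on ng0 proto tcp from any to 192.168.0.1/32 port = 22
@4 pass in log quick on ng0 proto udp from any to 192.168.0.1/32 port = 22
"""

# The ruleset as jonas says he changed it, with the pointless udp/22 dropped.
FIXED_RULES = """\
@1 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80
@2 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 443
@3 pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 22
"""

# Covers the subset of ipf(5) syntax used in the thread, nothing more.
RULE_RE = re.compile(
    r"^(?:@(?P<num>\d+)\s+)?(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+log)?(?:\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?\s*$"
)


def parse_rule(line):
    """Split one ipf rule into its fields; raises on syntax it does not know."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed rule: {line!r}")
    r = m.groupdict()
    r["num"] = int(r["num"]) if r["num"] else None
    r["port"] = int(r["port"]) if r["port"] else None
    return r


def _to_net(addr):
    # 'any' matches everything, so there is nothing to check against.
    return None if addr == "any" else ipaddress.ip_network(addr, strict=False)


def unreachable_rules(ruleset, iface_nets=IFACE_NETS):
    """Return (rule number, reason) for inbound rules that cannot match:
    destination not reachable via the bound interface, or udp to ssh's port."""
    findings = []
    for line in ruleset.splitlines():
        if not line.strip():
            continue
        r = parse_rule(line)
        if r["dir"] != "in":
            continue
        dst = _to_net(r["dst"])
        nets = iface_nets.get(r["iface"], [])
        if dst is not None and not any(dst.subnet_of(n) for n in nets):
            findings.append((r["num"], f"dst {r['dst']} is never seen inbound on {r['iface']}"))
        elif r["proto"] == "udp" and r["port"] == 22:
            findings.append((r["num"], "ssh is TCP; udp/22 never matches"))
    return findings


if __name__ == "__main__":
    for num, why in unreachable_rules(RULES):
        print(f"@{num}: {why}")
    print("fixed ruleset findings:", unreachable_rules(FIXED_RULES))
```

Run it as-is and it reports @2, @3 and @4 for the original ruleset and nothing for the corrected one. The /16 in the fixed rules is broader than the one address the box actually owns, which is tolerable only because the gateway is not routing for the rest of 128.176.0.0/16; once the tunnel address is known, a /32 (or ipf's interface-address keywords) is the tighter choice.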