Date: Tue, 19 Sep 2000 13:35:56 CDT From: "Konan Houphoue" <bahobab@hotmail.com> To: cjclark@alum.mit.edu Cc: ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org Subject: Re: Port 80 redirect: Good news!! Message-ID: <F43ui3hHnLOh1GSuHjW0000e994@hotmail.com>
next in thread | raw e-mail | index | archive | help
Crist, This is my "creation" out of desperation. THese rules are not being used. ----------- #My rules #${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup #${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup ----------- What do you think about the points made by Ben? It should be a standard and (somehow) easy rules to do what I'm planning to to. I don't think I am the first person to do this, am I? How do I join the FreeBSD-net discussion thread? Thanks all ----Original Message Follows---- From: "Crist J . Clark" <cjclark@reflexnet.net> Reply-To: cjclark@alum.mit.edu To: Konan Houphoue <bahobab@hotmail.com> CC: ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org Subject: Re: Port 80 redirect: Good news!! Date: Mon, 18 Sep 2000 20:54:23 -0700 MIME-Version: 1.0 Received: from [64.6.192.82] by hotmail.com (3.2) with ESMTP id MHotMailBB902ECA003240042A164006C05209680; Mon Sep 18 20:55:55 2000 Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 18 Sep 2000 20:53:50 -0700 Received: (from cjc@localhost)by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8J3sOe09324;Mon, 18 Sep 2000 20:54:24 -0700 (PDT)(envelope-from cjc) From cjc@149.211.6.64.reflexcom.com Mon Sep 18 20:56:57 2000 Message-ID: <20000918205423.E367@149.211.6.64.reflexcom.com> References: <F135rByg67HF4x0Hgx10000d75b@hotmail.com> X-Mailer: Mutt 1.0i In-Reply-To: <F135rByg67HF4x0Hgx10000d75b@hotmail.com>; from bahobab@hotmail.com on Mon, Sep 18, 2000 at 10:00:42AM -0500 Return-Path: cjc@149.211.6.64.reflexcom.com On Mon, Sep 18, 2000 at 10:00:42AM -0500, Konan Houphoue wrote: > Thanks to all of you who tried to help me with this problem. > And I with Ari about the rules a the begining of /etc/rc.firewall > > A little reminder. > The issue was that I'm trying to redirect all tcp/port 80 requests that > arrive on the outside interface of my firewall to an IIS server that resides > on my internal private network. > Before the idea to redirect port 80, my web pages were served by Apache 1.3 > on the firewall server, and everything was working just fine. > > So I was advided to use the "-redirect_port proto targetIP:port port" flag > in /etc/rc.conf: > > firewall_enable="YES" > firewall_type="simple" > natd_flags="-redirect_port tcp 192.168.1.40:80 80" > > But the port forwarding rule was not working. > Howerver, with firewall_type="open", the forwarding works. > > I tried all the sugestions I recieved but the forwarding always fails if > firewall_type="simple". > > Then I went on to comment out the rules one by one. > Here'e the rule in the "simple" section of /etc/rc.firewall that's blocking > the forwarding: > > # Reject&Log all setup of incoming connections from the outside > ${fwcmd} add deny log tcp from any to any in via ${oif} setup > > When this rule is commented, everything works well. > > Now could you tell me whether doing so opens a security breach? Yes. You pretty much might as well be using the 'open' configuration if you comment that out. Like it says, that's rule that disallows arbitrary incoming connections. Now, let's see how to edit these rules. [snip] > # Allow access to our WWW > ${fwcmd} add pass tcp from any to ${oip} 80 setup This rule is useless since we redirect this traffic. You want, ${fwcmd} add pass tcp from any to ${internal_http} 80 in via ${oif} setup > #My rules > #${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup This rule seems strange. Pass traffic FROM the outer IP address to the INTERNAL net that is coming IN the internal interface? I think s/in/out/? > #${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup Again, huh? The previous rule is a subset of this rule, i.e. anything that was passed in the previous rule would pass this one. The previous rule is unnecessary. Once you get this figured out, you can make it a stateful firewall rather than having the 'pass established' rule. ;) -- Crist J. Clark cjclark@alum.mit.edu _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. Share information about yourself, create your own public profile at http://profiles.msn.com. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F43ui3hHnLOh1GSuHjW0000e994>