Date:      Tue, 19 Sep 2000 13:35:56 CDT
From:      "Konan Houphoue" <bahobab@hotmail.com>
To:        cjclark@alum.mit.edu
Cc:        ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org
Subject:   Re: Port 80 redirect: Good news!!
Message-ID:  <F43ui3hHnLOh1GSuHjW0000e994@hotmail.com>

Crist,

This is my "creation" out of desperation. These rules are not being used.

-----------
#My rules
#${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup
#${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup
-----------

What do you think about the points made by Ben?

There should be standard and (somehow) easy rules to do what I'm planning to
do. I don't think I am the first person to do this, am I?

How do I join the FreeBSD-net discussion thread?

Thanks all


----Original Message Follows----
From: "Crist J . Clark" <cjclark@reflexnet.net>
Reply-To: cjclark@alum.mit.edu
To: Konan Houphoue <bahobab@hotmail.com>
CC: ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com,   
freebsd-net@freebsd.org
Subject: Re: Port 80 redirect: Good news!!
Date: Mon, 18 Sep 2000 20:54:23 -0700
MIME-Version: 1.0
Received: from [64.6.192.82] by hotmail.com (3.2) with ESMTP id 
MHotMailBB902ECA003240042A164006C05209680; Mon Sep 18 20:55:55 2000
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by 
mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 18 
Sep 2000 20:53:50 -0700
Received: (from cjc@localhost)by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) 
id e8J3sOe09324;Mon, 18 Sep 2000 20:54:24 -0700 (PDT)(envelope-from cjc)
From cjc@149.211.6.64.reflexcom.com Mon Sep 18 20:56:57 2000
Message-ID: <20000918205423.E367@149.211.6.64.reflexcom.com>
References: <F135rByg67HF4x0Hgx10000d75b@hotmail.com>
X-Mailer: Mutt 1.0i
In-Reply-To: <F135rByg67HF4x0Hgx10000d75b@hotmail.com>; from 
bahobab@hotmail.com on Mon, Sep 18, 2000 at 10:00:42AM -0500
Return-Path: cjc@149.211.6.64.reflexcom.com

On Mon, Sep 18, 2000 at 10:00:42AM -0500, Konan Houphoue wrote:
 > Thanks to all of you who tried to help me with this problem.
 > And I with Ari about the rules at the beginning of /etc/rc.firewall
 >
 > A little reminder.
 > The issue was that I'm trying to redirect all tcp/port 80 requests that
 > arrive on the outside interface of my firewall to an IIS server that resides
 > on my internal private network.
 > Before the idea to redirect port 80, my web pages were served by Apache 1.3
 > on the firewall server, and everything was working just fine.
 >
 > So I was advised to use the "-redirect_port proto targetIP:port port" flag
 > in /etc/rc.conf:
 >
 > firewall_enable="YES"
 > firewall_type="simple"
 > natd_flags="-redirect_port tcp 192.168.1.40:80 80"
 >
 > But the port forwarding rule was not working.
 > However, with firewall_type="open", the forwarding works.
 >
 > I tried all the suggestions I received but the forwarding always fails if
 > firewall_type="simple".
 >
 > Then I went on to comment out the rules one by one.
 > Here's the rule in the "simple" section of /etc/rc.firewall that's blocking
 > the forwarding:
 >
 > # Reject&Log all setup of incoming connections from the outside
 > ${fwcmd} add deny log tcp from any to any in via ${oif} setup
 >
 > When this rule is commented, everything works well.
 >
 > Now could you tell me whether doing so opens a security breach?

Yes. You pretty much might as well be using the 'open' configuration
if you comment that out. Like it says, that's the rule that disallows
arbitrary incoming connections.

Now, let's see how to edit these rules.

[snip]
 > 	# Allow access to our WWW
 > 	${fwcmd} add pass tcp from any to ${oip} 80 setup

This rule is useless since we redirect this traffic. You want,

         ${fwcmd} add pass tcp from any to ${internal_http} 80 in via ${oif} setup

 > 	#My rules
 > 	#${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup

This rule seems strange. Pass traffic FROM the outer IP address to the
INTERNAL net that is coming IN the internal interface? I think s/in/out/?

 > 	#${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup

Again, huh? The previous rule is a subset of this rule, i.e. anything
that was passed in the previous rule would pass this one. The previous
rule is unnecessary.

Once you get this figured out, you can make it a stateful firewall
rather than having the 'pass established' rule. ;)
--
Crist J. Clark                           cjclark@alum.mit.edu
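To see why the "deny log ... in via ${oif} setup" rule catches the forwarded SYN and why the replacement rule Crist gives above lets it through, here is an added simulation of ipfw's first-match walk with a natd divert step. It is constructed for this thread and is not code from FreeBSD, ipfw or natd; it models only the match fields the thread's rules use. The interface name fxp0, the outside address 203.0.113.10 and the client address 198.51.100.7 are assumptions; 192.168.1.40:80 is the target from the natd_flags line in the thread.

```python
"""Added simulation of ipfw first-match evaluation around a natd divert.

Constructed for this thread; it is not code from FreeBSD, ipfw or natd.
It models only the match fields the thread's rules use (proto, src, dst,
dport, direction, interface, 'setup') and a natd step that rewrites the
destination of inbound port-80 packets to the internal web server, as
'natd_flags="-redirect_port tcp 192.168.1.40:80 80"' would.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

OIF = "fxp0"                    # assumed outside interface (${oif})
OIP = "203.0.113.10"            # assumed outside address (${oip}); documentation range
INTERNAL_HTTP = "192.168.1.40"  # from the natd_flags in the thread
CLIENT = "198.51.100.7"         # assumed outside client address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str  # "in" or "out" relative to the firewall
    iface: str
    setup: bool     # TCP SYN without ACK, what ipfw's 'setup' matches


@dataclass(frozen=True)
class Rule:
    action: str     # "pass", "deny" or "divert"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None   # None means 'via' (either direction)
    iface: Optional[str] = None
    setup: bool = False
    label: str = ""


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return addr == spec


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (not rule.setup or pkt.setup))


def natd_redirect(pkt: Packet) -> Packet:
    """Emulate '-redirect_port tcp 192.168.1.40:80 80' for inbound packets only."""
    if pkt.direction == "in" and pkt.proto == "tcp" and pkt.dst == OIP and pkt.dport == 80:
        return replace(pkt, dst=INTERNAL_HTTP)
    return pkt


def evaluate(rules, pkt: Packet):
    """First-match walk. A matching divert hands the packet to natd and the
    search resumes at the next rule with the (possibly rewritten) packet."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd_redirect(pkt)
            continue
        return rule.action, rule.label
    return "deny", "default"   # kernel default when not built with DEFAULT_TO_ACCEPT


def simple_ruleset(with_fix: bool):
    """The relevant slice of rc.firewall's 'simple' section, in its original order."""
    rules = [Rule("divert", iface=OIF, label="divert natd all from any to any via ${oif}")]
    if with_fix:
        rules.append(Rule("pass", "tcp", dst=INTERNAL_HTTP, dport=80, direction="in",
                          iface=OIF, setup=True,
                          label="pass to ${internal_http} 80 in via ${oif} setup"))
    else:
        rules.append(Rule("pass", "tcp", dst=OIP, dport=80, setup=True,
                          label="pass to ${oip} 80 setup"))
    rules += [
        Rule("deny", "tcp", direction="in", iface=OIF, setup=True,
             label="deny log tcp from any to any in via ${oif} setup"),
        Rule("pass", "tcp", setup=True, label="pass tcp from any to any setup"),
    ]
    return rules


def web_verdict(with_fix: bool):
    """Fate of an outside client's SYN to the firewall's public address, port 80."""
    syn = Packet("tcp", CLIENT, OIP, 80, "in", OIF, True)
    return evaluate(simple_ruleset(with_fix), syn)


if __name__ == "__main__":
    print("stock rules:", web_verdict(False))
    print("with fix:   ", web_verdict(True))
```

The point the walk makes visible: by the time the "Allow access to our WWW" rule is reached, natd has already rewritten the destination from ${oip} to 192.168.1.40, so "to ${oip} 80" no longer matches and the SYN falls through to the deny-log rule. Naming the translated destination, as in Crist's rule, is what lets it pass, while an inbound SYN to any other port (port 22 in the simulation) is still logged and dropped, and outbound setups from the LAN still reach the later "pass ... setup" rule.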




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F43ui3hHnLOh1GSuHjW0000e994>