From owner-freebsd-questions@FreeBSD.ORG Tue Jun 24 08:00:59 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B647637B401 for ; Tue, 24 Jun 2003 08:00:59 -0700 (PDT)
Received: from mta9.adelphia.net (mta9.adelphia.net [64.8.50.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id C59DA43F3F for ; Tue, 24 Jun 2003 08:00:58 -0700 (PDT) (envelope-from wmoran@potentialtech.com)
Received: from potentialtech.com ([24.53.161.217]) by mta9.adelphia.net (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with ESMTP id <20030624150058.YJSU1347.mta9.adelphia.net@potentialtech.com>; Tue, 24 Jun 2003 11:00:58 -0400
Message-ID: <3EF867AA.8060700@potentialtech.com>
Date: Tue, 24 Jun 2003 11:00:58 -0400
From: Bill Moran
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.3) Gecko/20030429
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Gav...."
References: <001301c33a58$bbfb5690$0100a8c0@madaboutipv6>
In-Reply-To: <001301c33a58$bbfb5690$0100a8c0@madaboutipv6>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-questions@freebsd.org
Subject: Re: Web Server not allowing external visitors
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 24 Jun 2003 15:01:00 -0000

Gav.... wrote:
> Hi,
>
> Subject says it all really: what good is a website if only I can view it?
>
> OK, brief history of the problem and setup details. I'm sure I'll leave
> something out you need.
>
> I had 3 computers all running MS, and the Apache2 web server was on the
> main one, connecting to the net via ADSL and using the dyndns.org client
> to update the dynamic IP address. No problems.
>
> I then decided to change my setup and add a FreeBSD router/firewall .and.
> a separate (NT) web server.
>
> I installed my DNS update client onto the new web server, enabled natd
> (I am connected via PPPoA/E), and enabled port_forward tcp rules on port
> 80 to point to this web server machine. I also tried IPFW rules etc. etc.
> and could not get the outside world to connect. I thought I would instead
> put the web server (until I know better) onto the FreeBSD router machine.
>
> Still no go. All my internal machines can, by typing in the registered
> domain names, access the web server OK; the Apache test page comes up OK.
> So by typing in www:mysite:com I get the sites OK. This I don't really
> understand. Surely my other computers must be going to the external www,
> getting the domain name resolved, getting the dynamic IP address
> allocated to me, and then coming back to my FreeBSD router where it gets
> served the web site. So why can't anyone else now access it??
>
> I'd love to give you a URL to test it, but this is a public forum and my
> router is still not very secure at the moment; however, I do have trusted
> people testing it for me regularly.
>
> Now, settings I think of relevance (having tried all sorts of setups
> using different techniques, I may have mixed up some settings and
> probably have a cocktail of settings) are (syntax copied exactly):
>
> in /etc/rc.conf:
>
> ppp_nat="YES"
> defaultrouter="NO"
> firewall_enable="YES"
> firewall_type="OPEN"    # (Yes I know, but whilst testing!)
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-f /etc/natd.conf"
> #hostname="mydomain"    # I left this commented out for now?
>
> There are other settings in this file of course, but I felt only the
> above relevant to this post.
>
> in /etc/natd.conf:
>
> interface tun0
> dynamic yes
>
> in /etc/resolv.conf:
>
> domain mydomain.com
> nameserver 11.2.333.44
> nameserver 11.2.333.55
>
> # above values changed!
>
> in /etc/rc.firewall:
>
> /sbin/ipfw -f flush
> /sbin/ipfw add divert natd all from any to any via tun0
> /sbin/ipfw add divert natd tcp from 192.168.0.2 80 to any
> /sbin/ipfw add divert natd tcp from any to 192.168.0.2 80
> /sbin/ipfw add divert natd tcp from any to 192.168.2.1 80
> /sbin/ipfw add divert natd tcp from 192.168.2.1 80 to any
> /sbin/ipfw add pass all from any to any
> # temporary measure again.

I would suggest using natd's divert capability, because I've had it
working for a while with no problems. I'm not sure if what you're trying
to do will even work.

Alter your natd_flags to something like
"-f /etc/natd.conf -redirect_port tcp 192.168.0.1:80 80"
(this will direct anything that comes in on port 80 to 192.168.0.1 ...
see the man page for natd for more details on the syntax)

> # 192.168.0.2 is on the ed0 card going to the internal network
> # 192.168.2.1 is on the ed2 card going to another network (eventually
> # the web server proper)
>
> At this point I'd like to mention something in my ifconfig readout.
>
> Now, ed0, ed2, lp0 and ppp0 seem to me to be fine (and must be, if the
> internal network can browse the internet etc.)
>
> tun0, although the above suggests it is working fine, gives me an
> unusual alias address:
>
> tun0: flags=8051<UP,POINTTOPOINT,RUNNING,MULTICAST> mtu 1500
> inet 14x1xx.xxx.xxx --> 172.31.22.152 netmask 0xffffff00

I've seen this before. A lot of ISPs are using private IPs for a lot of
their routers and hop points. If everything is configured properly, it
works OK and doesn't cause problems (that I've seen) but ...

Get your testers to try traceroutes to see how far traffic is getting.
I had an ISP once that had an endless routing loop in one of their
routers that it took us a week to convince them wasn't our mistake.

Also ... can the testers connect via IP or hostname? Can they ping the
IP or hostname?

> OK, I've masked my ISP-assigned IP address for now as it is
> semi-permanent, but why has it aliased with a Class C internal IP
> address, when all my network is Class B 192.x.x.x addresses? Can this
> be the cause of why external visitors cannot access my sites???
>
> What other information do you need???

The results of the ping and traceroute tests above would help narrow
things down.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
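The natd redirect_port approach Bill suggests, written out end to end as an added example (it is not code from either poster). It assumes the interface names from the thread (tun0 for the PPP link, ed0 for the internal LAN), a hypothetical internal network 192.168.0.0/24 with the web server at 192.168.0.10, and the rc.conf firewall_script hook and natd(8)/ipfw(8) syntax of FreeBSD 4.x/5.x. The point it makes: one divert rule on tun0 is enough, natd does the port redirect inside it, and the ipfw rules that follow see inbound packets after rewriting, so they can admit just TCP/80 to the web server's internal address instead of running with firewall_type="OPEN".

```sh
#!/bin/sh
# /etc/ipfw.rules: ipfw ruleset for a FreeBSD natd router that forwards
# TCP/80 to an internal web server.  Added example, not from the thread.
#
# Assumed /etc/rc.conf (replaces firewall_type="OPEN"; natd does the NAT,
# so ppp's own NAT is left off rather than translating twice):
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"
#   natd_enable="YES"
#   natd_interface="tun0"
#   natd_flags="-f /etc/natd.conf"
#   ppp_nat="NO"
#
# Assumed /etc/natd.conf (same keywords as the natd command line, no dash):
#   interface tun0
#   dynamic yes
#   redirect_port tcp 192.168.0.10:80 80
#
# Hypothetical addresses: LAN 192.168.0.0/24 on ed0, web server
# 192.168.0.10, PPP link on tun0.

fwcmd="${fwcmd:-/sbin/ipfw}"        # set fwcmd=echo to print instead of load
oif="${oif:-tun0}"                  # external (PPP) interface, natd_interface
iif="${iif:-ed0}"                   # internal LAN interface
inet="${inet:-192.168.0.0/24}"      # internal network
webhost="${webhost:-192.168.0.10}"  # where natd redirects TCP/80

fw_rules() {
	${fwcmd} -f flush

	# Loopback traffic, and nothing else pretending to be loopback.
	${fwcmd} add 100 allow ip from any to any via lo0
	${fwcmd} add 200 deny ip from any to 127.0.0.0/8
	${fwcmd} add 210 deny ip from 127.0.0.0/8 to any

	# Anti-spoofing: an internal source address must never arrive on the
	# external interface.  This sits before the divert rule so it sees
	# addresses exactly as they came off the wire.
	${fwcmd} add 300 deny log ip from ${inet} to any in via ${oif}

	# The single NAT hook.  Inbound packets are de-NATed here, and natd's
	# redirect_port rewrites TCP/80 to ${webhost} before the rules below
	# see them; outbound packets are masqueraded to the public address.
	${fwcmd} add 400 divert natd ip from any to any via ${oif}

	# Trust the internal LAN interface entirely.
	${fwcmd} add 500 allow ip from any to any via ${iif}

	# Packets of established TCP connections, and non-first fragments.
	${fwcmd} add 600 allow tcp from any to any established
	${fwcmd} add 610 allow ip from any to any frag

	# The one inbound service: HTTP, already rewritten by natd, so the
	# destination to match is the web server's internal address.
	${fwcmd} add 700 allow tcp from any to ${webhost} 80 in via ${oif} setup

	# Every other inbound connection attempt is logged and dropped; only
	# then are outbound connections permitted.
	${fwcmd} add 800 deny log tcp from any to any in via ${oif} setup
	${fwcmd} add 900 allow tcp from any to any setup

	# UDP may leave (DNS, traceroute probes); only DNS answers come back.
	# The ICMP types admitted are what ping and traceroute from the
	# testers, and path-MTU discovery, need.
	${fwcmd} add 1000 allow udp from any to any out via ${oif}
	${fwcmd} add 1010 allow udp from any 53 to any in via ${oif}
	${fwcmd} add 1100 allow icmp from any to any icmptypes 0,3,8,11

	# Default: drop and log.
	${fwcmd} add 65000 deny log ip from any to any
}

# "show" prints the rules without touching the kernel; "apply" loads them.
# rc sources firewall_script with no arguments, so for boot-time use
# replace this case statement with a plain call to fw_rules.
case "${1:-}" in
show)  fwcmd=echo; fw_rules ;;
apply) fw_rules ;;
esac
```

Run `sh /etc/ipfw.rules show` to review the generated rules, then `apply` as root; `ipfw -a list` afterwards shows per-rule packet counters, so a tester's connection attempt from outside should increment rule 700 (or rule 800, with a log line, if something upstream rewrote or dropped the packet).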