Date: Sun, 2 Nov 2003 20:20:48 -0500 (EST)
From: Chris Hill <chris@monochrome.org>
To: FreeBSD Questions List <questions@freebsd.org>
Subject: Divert port 80 to internal server
Message-ID: <20031102191139.F40186-100000@frambozen.monochrome.org>
I'm trying to set up an internal machine to serve all my web sites. I have one routable IP and a slew of inside machines on 192.168.1.*, one of which is to be the web server. My gateway machine (running the ipfw in question) is an ancient FreeBSD running ipfw and natd:

  # uname -a
  FreeBSD mail.monochrome.org 3.3-RELEASE FreeBSD 3.3-RELEASE #0: (etc...)

I'm trying to set up a rule under ipfw which will send all requests for port 80 to the internal machine. The web server's name is faro and its internal IP is defined in /etc/hosts all over my LAN. I've tried a bunch of different ipfw commands in /etc/rc.firewall, such as

  $fwcmd add divert 80 tcp from any to faro 80 setup
  $fwcmd add fwd ${oip} 80 tcp from any to faro 80 setup
  $fwcmd add allow tcp from any to faro 80 setup

(not all at once, of course). In all cases, 'ipfw show' gives the expected result with the correct IP shown in the rule as defined in /etc/rc.firewall. I'm pretty sure the basic setup (other than this issue) is OK, since it's been running fine for years.
Right now, the rule set is

  # ipfw show
  00100 5884 2573012 divert 8668 ip from any to any via ed1
  00100 302 36118 allow ip from any to any via lo0
  00200 0 0 deny ip from 192.168.1.0/24 to any in recv ed1
  00300 0 0 deny ip from 209.190.235.128/25 to any in recv xl0
  00400 0 0 deny ip from 172.16.0.0/12 to any via ed1
  00500 0 0 deny ip from any to 172.16.0.0/12 via ed1
  00600 0 0 deny ip from 10.0.0.0/8 to any via ed1
  00700 0 0 deny ip from any to 10.0.0.0/8 via ed1
  00800 9008 4903771 allow tcp from any to any established
  00900 4 240 allow tcp from any to 209.190.235.180 25 setup
  01000 0 0 allow tcp from any to 209.190.235.180 53 setup
  01100 0 0 allow tcp from any 53 to any 53
  01200 0 0 allow udp from any 53 to any 53
  01300 0 0 allow tcp from any 53 to any 1023-65535
  01400 427 81559 allow udp from any 53 to any 1023-65535
  01500 18 792 allow tcp from any 1023-65535 to any 53
  01600 432 27458 allow udp from any 1023-65535 to any 53
  01700 16 768 allow tcp from any to any 22 setup
  01800 4 240 allow tcp from any to any 113 via xl0 setup
  01900 0 0 allow tcp from any 20 to any 1023-65535
  02000 0 0 allow tcp from any 1023-65535 to any 21
  02100 0 0 allow tcp from any to 192.168.1.1 110 setup
  02200 0 0 allow tcp from any to 209.190.235.180 110 setup
  02300 81 3916 deny tcp from any to any in recv ed1 setup
  02400 0 0 allow tcp from any to 192.168.1.7 80 setup
  02500 240 11536 allow tcp from any to any setup
  02600 94 8072 allow icmp from any to any
  02700 0 0 allow udp from any 53 to 209.190.235.180
  02800 0 0 allow udp from 209.190.235.180 to any 53
  02900 235 17860 allow udp from any 123 to 209.190.235.180
  03000 310 23560 allow udp from 209.190.235.180 to any 123
  03100 700 66275 allow ip from 192.168.1.0/24 to any
  03200 36 2736 allow ip from any to 192.168.1.0/24
  03300 293 31058 deny ip from any to any
  65535 137 10852 allow ip from any to any
  #

Rule 2400 is the one giving me grief at the moment.
Bottom line, none of this seems to work; any by-name http connection is refused, but connections from inside by IP address get me the server's default page just fine, so I know httpd is running on the web server machine. I have searched google, alltheweb, and the -questions@ archive, as well as 'man ipfw' and 'man divert', but have not found anything that I can both understand and use. Any idea of a usable ipfw rule that will work for this application? Thanks in advance.

--
Chris Hill                chris@monochrome.org
**                     [ Busy Expunging <|> ]
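Added here as an illustration, not part of Chris's message: a small POSIX sh first-match simulator over a simplified subset of the rule set he posted, used to see which rule an inbound SYN for the inside web server hits first. It assumes ed1 is the outside interface and xl0 the inside one, that natd has already rewritten the packet's destination to 192.168.1.7 (which needs a natd redirect the message does not show), and uses the constructed outside address 203.0.113.5.

```shell
#!/bin/sh
# Added example (not from the original post): a first-match simulator over a
# simplified subset of the rule set shown above, to see which rule an inbound
# SYN for the web server hits first. Assumptions: ed1 is the outside interface
# (rule 200 drops 192.168.1.0/24 arriving on it), xl0 is inside, and src/dst
# are shell globs rather than CIDR prefixes.
#
# Rule fields: number action proto src dst dport flags iface dir
# "*" means any; flags is setup, established or "-" for no constraint.
RULES='
00800 allow tcp * * * established * *
02300 deny tcp * * * setup ed1 in
02400 allow tcp * 192.168.1.7 80 setup * *
02500 allow tcp * * * setup * *
03300 deny ip * * * - * *
'

# first_match PROTO SRC DST DPORT FLAGS IFACE DIR -> prints "number action"
first_match() {
  p_proto=$1 p_src=$2 p_dst=$3 p_dport=$4 p_flags=$5 p_iface=$6 p_dir=$7
  printf '%s\n' "$RULES" | while read -r num act proto src dst dport flags iface dir; do
    [ -n "$num" ] || continue
    [ "$proto" = ip ] || [ "$proto" = "$p_proto" ] || continue
    case "$p_src" in $src) ;; *) continue ;; esac
    case "$p_dst" in $dst) ;; *) continue ;; esac
    [ "$dport" = '*' ] || [ "$dport" = "$p_dport" ] || continue
    [ "$flags" = '-' ] || [ "$flags" = "$p_flags" ] || continue
    [ "$iface" = '*' ] || [ "$iface" = "$p_iface" ] || continue
    [ "$dir" = '*' ] || [ "$dir" = "$p_dir" ] || continue
    echo "$num $act"   # first match wins, as in ipfw
    break
  done
}

# Constructed packets. The outside SYN is shown as it looks after natd has
# rewritten the destination to the inside server (which needs a natd
# redirect, not shown in the post); it arrives on ed1 as an inbound setup
# packet and meets rule 2300 before rule 2400 is ever consulted.
outside=$(first_match tcp 203.0.113.5 192.168.1.7 80 setup ed1 in)
inside=$(first_match tcp 192.168.1.20 192.168.1.7 80 setup xl0 in)
echo "outside SYN on ed1 -> $outside"   # 02300 deny
echo "inside SYN on xl0  -> $inside"    # 02400 allow
```

The same walk can be repeated against the full rule set by adding rows in the same field order; the counters in the posted 'ipfw show' (81 hits on 2300, 0 on 2400) are the place to confirm a simulation like this against the live box.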