
BLU Discuss list archive



NAT question (hair pulling will begin in 3 minutes)




On Fri, 8 Feb 2002, Phil Buckley wrote:

> Well, I installed a nice new copy of openBSD30 as a firewall/dhcp box
> yesterday. Everything is working well except for one NAT redirect...
> 
> I can't get web traffic to push through to the internal/LAN webserver...
> any help is appreciated

   Have you done any packet sniffing to see where the connection is 
getting stuck?  A look at tcpdump on both interfaces might provide a clue.


> my /etc/nat.conf only has 2 lines, so there isn't much going on (ep0 is
> the external ethernet, rl0 is the internal one)
> 
> nat on ep0 from 192.168.1.0/24 to any -> 67.105.157.190
> rdr on ep0 from any to any port 80 -> 192.168.1.80 port 80

   This looks sane, but not the way I'd do it.  I like to make things as 
specific as possible, so I'd write the rdr line as:
rdr on ep0 from any to 67.105.157.190 port 80 -> 192.168.1.80 port 80
   This assumes that your public IP is 67.105.157.190, and your internal 
web server is 192.168.1.80.


> Just in case I've screwed up my packet filtering I'll include it here...
> (/etc/pf.conf)
>>snip<<
> # allow others to use http and https
> pass in quick on ep0 inet proto tcp from any to any port = 22 flags S/SA
> pass in quick on ep0 inet proto tcp from any to any port = 80 flags S/SA
> pass in quick on ep0 inet proto tcp from any to any port = 443 flags S/SA

   I didn't see any "block out" rules, but I'd still add a "keep state" to
these rules.  If I'm remembering correctly, you're ONLY allowing SYN
packets in to your web server, and the rest of the connection is blocked.  
Even though you have a "pass out...keep state" rule later, I don't think
that will match these connections, as PF will only create a state entry
when it sees the whole three-way handshake.  You might also want to lock
these rules down to only the specific internal hosts that you intend to
connect to remotely.



- -- 
     -Matt

Very funny Scotty. Now beam down my clothes. 
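The two suggestions in the reply above (bind the rdr to the public address, and give the inbound web rule "keep state" restricted to the web server) written out as OpenBSD 3.0-style config fragments. This is an added example, not the original poster's or Matt's configuration; it assumes the interface and addresses from the thread (ep0, 67.105.157.190, 192.168.1.80) and an assumed default "block in" rule that the quoted snippet does not show.

```pf
# /etc/nat.conf  (OpenBSD 3.0 keeps NAT/rdr rules in their own file)
# Translate outbound LAN traffic, and only redirect port 80 connections
# that actually arrive for the public address, not "to any".
nat on ep0 from 192.168.1.0/24 to any -> 67.105.157.190
rdr on ep0 from any to 67.105.157.190 port 80 -> 192.168.1.80 port 80

# /etc/pf.conf
# Weak form quoted in the thread: matches only the initial SYN (flags S/SA)
# and accepts it for any destination, so nothing else in the connection is
# covered by this rule and every rdr'd internal host is reachable.
#   pass in quick on ep0 inet proto tcp from any to any port = 80 flags S/SA
#
# Hardened form: rdr is applied before filtering, so the filter already
# sees the translated internal address; match on that address and add
# "keep state" so the SYN creates a state entry and the rest of the
# connection (ACKs, data, FIN) is passed by the state table.
block in on ep0 all
pass in quick on ep0 inet proto tcp from any to 192.168.1.80 port = 80 flags S/SA keep state
```

With these in place, tcpdump on rl0 should show the redirected SYN and the server's SYN/ACK, which is the check the reply recommends before changing anything else.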





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
