
Re: RDR for internal machine



In a message dated 3/31/03 11:43:18 AM Central Standard Time, haver@insecure.dk writes:

On Mon, Mar 31, 2003 at 10:53:09AM -0600, Darley Ware wrote:

>1.  I have webserver on the internal LAN which listens on port 8000.  I can
>view the webserver internally by IP and by name (using LMHOST records).  I
>have not however been able to access the internal webserver from the
>outside.  I saw a post the weekend about name based virtualhosting on web
>servers.  This does not seem to apply to me as I have the server setup to
>respond to IP and have no virtualdomains configured.  So I guess my question
>is do I have my redirect setup correctly, and if so where lies the problem?

And you permit packets on $internal_if going to internal web server? rdr
rules are not enough. Btw, filtering happens _after_ rdr, so you have to
permit packets after the translation.

What does tcpdump on the webserver show? Do you see any packets?

>2.  (and this one really is not that important)  I can not seem to get a
>response to ICMP to outside addresses.  I can ping both directions from the
>firewall and I believe my pings are getting out, but the responses do not
>return to the internal clients.

Lemme get this right. You ping hosts outside your LANs and don't get
responses back to the clients, but from the firewall itself, it works?

Check your rules. If you 'block all on $inside_if' or something, you
have to explicitly pass in/out icmp traffic on $inside_if.

Again, tcpdump output could be nice.

// haver


This might solve the internal pings problem.  Depending on the size of your internal NAT and the trust you have in the users, you might want rules in /etc/pf.conf as simple as:
# pass everything arriving from the LAN, and everything leaving towards it
pass in quick on $int_if all
pass out quick on $int_if all keep state
# keep state on outbound ICMP so the echo replies are matched on the way back
pass out quick on $ext_if proto icmp all keep state

Allow pings initiated externally to come in and allow an outgoing response:
pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

I don't understand the webhosting and virtualdomain situation, so I can't help you there.

Adam Wenzel
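The point haver makes (rdr rewrites the packet first, the filter rules then see the translated destination) is easiest to check against a complete rule set. The following pf.conf is an added example, not configuration from anyone in this thread, written in the separate-rdr-rule syntax PF used when this was posted; the interface names, the 192.168.1.10 address and the macro names are placeholders.

```conf
# Added example (not from the thread). Interface names and addresses are
# placeholders; adjust to the real LAN.
ext_if = "fxp0"
int_if = "xl0"
webserver = "192.168.1.10"
www_port = "8000"

# Translation happens before filtering: a packet arriving on $ext_if for
# the firewall's port 8000 is rewritten to $webserver:$www_port and only
# then evaluated against the filter rules below.
rdr on $ext_if proto tcp from any to $ext_if port $www_port -> $webserver port $www_port

# Default deny. "log" makes every blocked packet visible on pflog0, which
# is the quickest way to see whether the redirected packet is being dropped.
block log all

# The pass rule has to match the packet as it looks AFTER rdr, i.e. the
# internal server address and port, not the firewall's external address.
pass in on $ext_if proto tcp from any to $webserver port $www_port flags S/SA keep state
pass out on $int_if proto tcp from any to $webserver port $www_port keep state

# ICMP: with "block all" in place, echo replies to LAN clients are dropped
# unless the echo request created state. Pass the request on both
# interfaces with keep state so the reply is matched by the state entry.
pass in on $int_if inet proto icmp all icmp-type 8 code 0 keep state
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -s nat` lists the loaded rdr rules and `pfctl -s state` shows whether a connection attempt from outside created a state entry with the translated destination. If nothing reaches the web server, `tcpdump -n -e -ttt -i pflog0` shows the blocked packet and the rule number that dropped it; `tcpdump -n -i <interface> port 8000` on the web server itself confirms whether the redirected SYN ever arrives. On current OpenBSD releases the standalone rdr rule no longer exists; translation and filtering are one rule, `pass in on $ext_if proto tcp to $ext_if port 8000 rdr-to $webserver port 8000`, which removes the possibility of translating without permitting.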