Re: RDR for internal machine
Quoting Darley Ware <email@example.com>:
> 1. I have webserver on the internal LAN which listens on port 8000. I can
> view the webserver internally by IP and by name (using LMHOST records). I
> have not however been able to access the internal webserver from the
> outside. I saw a post the weekend about name based virtualhosting on web
> servers. This does not seem to apply to me as I have the server setup to
> respond to IP and have no virtualdomains configured. So I guess my question
> is do I have my redirect setup correctly, and if so where lies the problem?
No, you're blocking the redirected request. Redirection happens before the
evaluation of pass/block rules. So
> rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
redirects the request to 192.168.xx.71:8000 on dc0, and
> block in log all
> pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000
does not let it pass, because the destination for the request is not $if_ext
but 192.168.XX.71. So if you change it to
> pass in quick on $if_ext proto tcp from any to 192.168.XX.71 port = 8000
> keep state
it should work.
> 2. (and this one really is not that important) I can not seem to get a
> response to ICMP to outside addresses. I can ping both directions from the
> firewall and I believe my pings are getting out, but the responses do not
> return to the internal clients.
If I understand you correctly, pinging works from the firewall in all
directions (inwards and outwards), but not from internal clients to servers
outside the firewall. Add
> pass in on $if_int inet proto icmp all icmp-type 8 code 0 keep state
to your rules for your internal interface, and all should be fine. You're
blocking the pings on your internal interface, if I'm not mistaken.
Hope to have helped,
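The point made in the reply (rdr rewrites the destination before the filter rules are evaluated, so the pass rule has to match the translated address) is easiest to see with both rulesets side by side. The fragment below is an added example in the pre-OpenBSD-4.7 pf.conf syntax used in the thread; it is not the poster's actual configuration. The interface dc0 and the 192.168.XX.71 placeholder come from the thread; the internal interface name dc1 and the macro layout are assumptions.

```pf
# Added example, not from the thread. Macro values are assumptions except where noted.
if_ext = "dc0"                # external interface, from the thread
if_int = "dc1"                # assumption: the internal interface is not named in the thread
webserver = "192.168.XX.71"   # placeholder from the thread; substitute the real LAN address

# Translation runs first: a packet arriving on dc0 for (dc0):8000 reaches the
# pass/block rules with its destination already rewritten to $webserver:8000.
rdr on $if_ext proto tcp from any to ($if_ext) port 8000 -> $webserver port 8000

# Default deny, logged, as in the thread.
block in log all

# Original rule: never matches the redirected packet, because by the time the
# filter sees it the destination is $webserver, not an address in $if_ext/24.
# pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000

# Corrected rule: match the post-translation destination; keep state creates
# the entry that lets the server's replies back out through the block.
pass in quick on $if_ext proto tcp from any to $webserver port = 8000 keep state

# Second question: let echo requests (type 8, code 0) in from the LAN. The state
# entry admits the matching echo replies (type 0) on the way back, so no extra
# rule for replies is needed.
pass in on $if_int inet proto icmp all icmp-type 8 code 0 keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it, and after loading `pfctl -s nat` and `pfctl -s rules` show the translation and filter rules in the order pf evaluates them, which is the quickest way to confirm that the pass rule's destination agrees with the rdr target. On OpenBSD 4.7 and later the separate `rdr` directive is gone: translation is written on the pass rule itself (`pass in on $if_ext proto tcp to ($if_ext) port 8000 rdr-to $webserver`), so the translate-then-filter mismatch shown above cannot arise in that syntax.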