[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RDR for internal machine



Zitiere Darley Ware <darley@thewares.net>:
> 1.  I have webserver on the internal LAN which listens on port 8000.  I can
> view the webserver internally by IP and by name (using LMHOST records). I
> have not however been able to access the internal webserver from the
> outside.  I saw a post the weekend about name based virtualhosting on web
> servers.  This does not seem to apply to me as I have the server setup to
> respond to IP and have no virtualdomains configured.  So I guess my question
> is do I have my redirect setup correctly, and if so where lies the problem?
No, you're blocking the redirected request. Redirection happens before the 
evaluation of pass/block rules. So
> rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
redirects the request to 192.168.xx.71:8000 on dc0, and
> block in log all
> pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000
does not let it pass, because the destination for the request is not $if_ext 
but 192.168.XX.71. So if you change it to 
> pass in quick on $if_ext proto tcp from any to 192.168.XX.71 port = 8000
>         keep state
it should work.
> 2.  (and this one really is not that important)  I can not seem to get a
> response to ICMP to outside addresses.  I can ping both directions from the
> firewall and I believe my pings are getting out, but the responses to not
> return to the internal clients.
If i understand you correctly, pinging works from the firewall in all 
directions (inwards and outwards), but not from internal clients to servers 
outside the firewall. Add
> pass in on $if_int inet proto icmp all icmp-type 8 code 0 keep state
to your rules for your internal interface, and all should be fine. You're 
blocking the pings on your internal interface, if i'm not mistaken.
> Thanks,
> 
> Darley
Hope to have helped,
Clemens