Re: help with firewall and webserver
From: Alexander Hall (alexander@beard.se)
Date: Wed May 28 2003 - 19:53:23 CDT
From: "corgi corgi" <corgimax@hotmail.com>
> What I have: openbsd 3.3 running default apache (www.example.com) and pf and
> nat on cable modem
>
> Problem: I want to have all outside connections to www.example.com:8080 to
> access my apache server. I've been trying to do this via pf.
>
> My pf rules:
>
> set block-policy return
>
> scrub in all
>
> nat on fxp0 from fxp1:network to any -> (fxp0)
> nat on fxp0 proto tcp from 127.0.0.1 port 80 to any -> (fxp0)
> rdr on fxp0 proto tcp from any to (fxp0) port 8080 -> 127.0.0.1 port 80
>
> block in on fxp0 all
> block out on fxp0 all
>
> pass in on fxp0 inet proto tcp from any to (fxp0) port { 22, 8080 }
> modulate state flags S/SAFR
>
> pass out log on fxp0 inet proto tcp from (fxp0) to any port { 22, 25, 80,
> 119, 443, 8080 } modulate state flags S/SAFR
>
> What am I doing wrong? Is this the right approach using pf to 127.0.0.1? Is
> this okay security-wise (keep in mind I know the webserver and the firewall
> shouldn't be on the same machine but other than that...)? I can access my
> website internally but not from the outside. I suspect my isp won't allow
> port 80 so that is why I want users to be able to access it via port 8080.
> ...
Assuming the server is also listening on 127.0.0.1, it should work. What's
bad about using port 80 (or configuring apache to use port 8080)?
Anyway, block/pass rules are evaluated after nat/binat/rdr etc, so you
should have a rule like:
pass in on fxp0 proto tcp from any to 127.0.0.1 port 80 modulate state...
I don't think you need to open port 8080.
/Alexander
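The ordering point in the reply, modelled as an added example (not from either poster): a toy evaluator that applies the rdr translation first and only then runs the filter rules, so the original `pass in ... to (fxp0) port 8080` rule never sees the redirected packet while the suggested `to 127.0.0.1 port 80` rule does. The fxp0 address and packets are constructed; state tracking and TCP flags are omitted.

```python
"""Toy model of pf's nat/rdr-before-filter evaluation order (constructed example)."""
from dataclasses import dataclass, replace

EXT_IF_ADDR = "203.0.113.10"  # constructed stand-in for the address of (fxp0)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def apply_rdr(pkt: Packet) -> Packet:
    """rdr on fxp0 proto tcp from any to (fxp0) port 8080 -> 127.0.0.1 port 80"""
    if pkt.proto == "tcp" and pkt.dst == EXT_IF_ADDR and pkt.dport == 8080:
        return replace(pkt, dst="127.0.0.1", dport=80)
    return pkt


def filter_inbound(pkt: Packet, pass_rules) -> str:
    """'block in on fxp0 all' followed by pass rules; in pf the last match wins."""
    verdict = "block"
    for rule in pass_rules:
        if (rule["proto"] == pkt.proto
                and pkt.dst in rule["dst"]
                and pkt.dport in rule["ports"]):
            verdict = "pass"
    return verdict


# The poster's pass rule: matches the external address on ports 22 and 8080 only.
ORIGINAL_PASS = [{"proto": "tcp", "dst": {EXT_IF_ADDR}, "ports": {22, 8080}}]

# The reply's suggestion: match the translated destination 127.0.0.1 port 80.
SUGGESTED_PASS = [
    {"proto": "tcp", "dst": {EXT_IF_ADDR}, "ports": {22}},
    {"proto": "tcp", "dst": {"127.0.0.1"}, "ports": {80}},
]


def inbound_verdict(pkt: Packet, pass_rules) -> str:
    """Full inbound path on fxp0: translate with rdr, then filter the result."""
    return filter_inbound(apply_rdr(pkt), pass_rules)


if __name__ == "__main__":
    web = Packet("tcp", "198.51.100.7", EXT_IF_ADDR, 8080)  # constructed client
    print("original rules:", inbound_verdict(web, ORIGINAL_PASS))   # block
    print("suggested rules:", inbound_verdict(web, SUGGESTED_PASS))  # pass
```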