Re: help with firewall and webserver

From: Alexander Hall (alexanderbeard.se)
Date: Wed May 28 2003 - 19:56:54 CDT


From: "Alexander Hall" <alexanderbeard.se>
> From: "corgi corgi" <corgimaxhotmail.com>
> > What I have: openbsd 3.3 running default apache (www.example.com) and pf and
> > nat on cable modem
> >
> > Problem: I want to have all outside connections to www.example.com:8080 to
> > access my apache server. I've been trying to do this via pf.
> >
> > My pf rules:
> >
> > set block-policy return
> >
> > scrub in all
> >
> > nat on fxp0 from fxp1:network to any -> (fxp0)
> > nat on fxp0 proto tcp from 127.0.0.1 port 80 to any -> (fxp0)
> > rdr on fxp0 proto tcp from any to (fxp0) port 8080 -> 127.0.0.1 port 80
> >
> > block in on fxp0 all
> > block out on fxp0 all
> >
> > pass in on fxp0 inet proto tcp from any to (fxp0) port { 22, 8080 } modulate state flags S/SAFR
> >
> > pass out log on fxp0 inet proto tcp from (fxp0) to any port { 22, 25, 80, 119, 443, 8080 } modulate state flags S/SAFR
> >
> > What am I doing wrong? Is this the right approach using pf to 127.0.0.1? Is
> > this okay security-wise (keep in mind I know the webserver and the firewall
> > shouldn't be on the same machine but other than that...)? I can access my
> > website internally but not from the outside. I suspect my isp won't allow
> > port 80 so that is why I want users to be able to access it via port 8080.

How could I miss this.

> > ...
>
> Assuming the server is also listening on 127.0.0.1, it should work. What's
> bad about using port 80 (or configuring apache to use port 8080)?
>

Sorry. Tired. Forget the port 80 part...

> Anyway, block/pass rules are evaluated after nat/binat/rdr etc, so you
> should have a rule like:
>
> pass in on fxp0 proto tcp from any to 127.0.0.1 port 80 modulate state...
>
> I don't think you need to open port 8080.
>
> /Alexander
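
The evaluation order described in the reply above, as an added example that is not part of the original thread: a simplified Python model in which the rdr translation is applied before the filter rules and the last matching rule wins. The address 203.0.113.10 is an assumed stand-in for (fxp0), and the rule dictionaries are a hypothetical encoding of the posted ruleset, not pf's own data structures.

```python
# Simplified model of pf evaluation for an inbound TCP SYN on fxp0 (added example).
# Assumption: 203.0.113.10 stands in for the address that (fxp0) resolves to.
FXP0 = "203.0.113.10"

# rdr on fxp0 proto tcp from any to (fxp0) port 8080 -> 127.0.0.1 port 80
RDR = [{"dst": FXP0, "port": 8080, "to": ("127.0.0.1", 80)}]

# Inbound filter rules from the posted ruleset, in order.
# dst/ports of None mean "any", as in "block in on fxp0 all".
ORIGINAL = [
    {"action": "block", "dst": None, "ports": None},       # block in on fxp0 all
    {"action": "pass", "dst": FXP0, "ports": {22, 8080}},  # pass in ... to (fxp0) port { 22, 8080 }
]

# Same ruleset plus the rule suggested in the reply.
CORRECTED = ORIGINAL + [
    {"action": "pass", "dst": "127.0.0.1", "ports": {80}},  # pass in ... to 127.0.0.1 port 80
]


def translate(dst, port):
    """Apply the first matching rdr rule; this happens before filtering."""
    for rule in RDR:
        if (dst, port) == (rule["dst"], rule["port"]):
            return rule["to"]
    return dst, port


def evaluate(rules, dst, port):
    """Return (action, dst, port) as the filter sees the packet."""
    dst, port = translate(dst, port)
    action = "pass"  # pf's implicit default when no rule matches
    for rule in rules:
        if rule["dst"] not in (None, dst):
            continue
        if rule["ports"] is not None and port not in rule["ports"]:
            continue
        action = rule["action"]  # no "quick": the last matching rule wins
    return action, dst, port


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for port in (22, 8080):
            print(name, port, evaluate(rules, FXP0, port))
```

With the original rules the connection to port 8080 reaches the filter as 127.0.0.1 port 80, matches only `block in on fxp0 all`, and is rejected; ssh on port 22 is not redirected and passes in both rulesets.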