OSEC

Re: pf question on rdr'ing http to localhost

From: Bryan Irvine (bryan.irvinekingcountyjournal.com)
Date: Fri Jan 02 2004 - 11:56:15 CST


If using AT&T/Comcast or miscellaneous others, they do indeed block port
80 on their routers (damn you, Code Red!). Unless I'm missing something,
it's pointless to redirect http, because the requests never get to you.
You'd have to have a webpage somewhere else that does a meta refresh to
your server on a different port if you really want to serve from your
cable network.

Other than that, change ISPs. Might I suggest Speakeasy (if in the
US)? They have an excellent "sysadmin" package.

http://www.speakeasy.net

--Bryan

On Fri, 2004-01-02 at 08:27, b h wrote:
> Hi,
>
> Looks like my ISP is preventing HTTP requests
> to servers hanging on cable modems (my remote ssh
> still works, so some of my traffic is allowed to
> connect), so I tried using rdr to redirect to
> localhost on pf for http (tried 23, 8000 etc.).
>
> Not sure if this is a good way to do it or not.
> Requests from internal machines to
> http://xx.xx.xx.xx:23 work, but still not externally.
> I've been staring at this for a while wondering what
> line is causing the problem. The following is my pf.conf:
>
> ---------
> int_if = "fxp1"
> ext_if = "fxp0"
>
> tcp_services = "{ 22, 25, 80, 23 }"
> icmp_types = "echoreq"
>
> webserver="10.10.10.1"
> mailserver="10.10.10.1"
>
> priv_nets = "{ 192.168.0.0/16, 172.16.0.0/12 }"
>
> set block-policy return
> set loginterface $ext_if
> scrub in all
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on { $int_if, $ext_if } proto tcp from any to any port 23 -> 127.0.0.1 port 80
>
> block log all
> pass quick on lo0 all
>
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in on $int_if from $int_if:network to any keep state
>
> pass out on $int_if from any to $int_if:network keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> ---------
>
> C:\>telnet xx.xx.xx.xx
> Connecting To xx.xx.xx.xx...Could not open connection to the host, on port 23: Connect failed
>
>
> So, not sure if this is the right approach - maybe I
> should just change what Apache listens on to avoid
> this? I thought my method was a cleaner solution,
> but maybe I'm creating alternate problems?
>
> any help appreciated.
> .b.
>
>
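Added example (editor's note, not code from either poster): a pf.conf in the
same nat/rdr syntax as the quoted one, showing why the quoted config drops the
redirected connections and how to fix it. pf evaluates translation rules before
filter rules, so a packet that has been rdr'd arrives at the filter with
destination 127.0.0.1 port 80. The quoted "pass in on $ext_if ... to ($ext_if)
port $tcp_services" never matches that rewritten destination, and "block log
all" drops the SYN. This is independent of whatever the ISP blocks: the
external test used port 23, not 80, so the pf rules alone explain that failure.
The quoted "rdr on { $int_if, $ext_if } ... from any to any port 23" also
redirects every outbound telnet from the LAN to the local web server. Interface
names, the 127.0.0.1 target and the alternate port 8080 below are assumptions
for illustration.

```pf
# Added example, not the original poster's config. OpenBSD 3.x-era nat/rdr
# syntax as used in the thread. Interface names, addresses and the alternate
# port 8080 are assumptions; the poster used port 23 instead of 8080.
int_if = "fxp1"
ext_if = "fxp0"
alt_http_port = "8080"       # externally reachable port for the web server
web_local = "127.0.0.1"      # Apache must actually Listen on 127.0.0.1:80
tcp_services = "{ 22, 25 }"  # services reached directly on ($ext_if)
icmp_types = "echoreq"
priv_nets = "{ 192.168.0.0/16, 172.16.0.0/12 }"

set block-policy return
set loginterface $ext_if
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Translation runs before filtering: from the filter's point of view the
# redirected packet is addressed to 127.0.0.1:80, not to ($ext_if).
# Match only traffic aimed at our own external address, so outbound
# connections from the LAN to port 8080 elsewhere are left alone.
rdr on $ext_if proto tcp from any to ($ext_if) port $alt_http_port -> $web_local port 80
rdr on $int_if proto tcp from $int_if:network to ($ext_if) port $alt_http_port -> $web_local port 80

block log all
pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Ineffective form (as in the quoted config): "to ($ext_if)" never matches
# the post-rdr destination, so the redirected SYN falls through to
# "block log all":
#   pass in on $ext_if inet proto tcp from any to ($ext_if) port $alt_http_port flags S/SA keep state
# Corrected form: pass the translated destination instead.
pass in on $ext_if inet proto tcp from any to $web_local port 80 flags S/SA keep state

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state

pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with
"pfctl -f /etc/pf.conf"; "pfctl -s nat" and "pfctl -s rules" show what was
actually loaded. Because the catch-all block rule logs, a failed external
connect shows up on "tcpdump -n -e -ttt -i pflog0" with the translated
destination 127.0.0.1.80, which is the quickest way to confirm that the filter,
not the ISP, is dropping the packet.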