Yes I had that.. I didn't send it since that was the default.. I only
posted what I added..
Ok. Thanks for your suggestions.. I found what the problem was today.
After posting the rc.firewall rules I really kept looking at that for
the source of my problem. I ran tcpdump on the external interface (
tcpdump -i fxp0 port 80 )
and the internal interface ( tcpdump -i dc0 'not port ssh' ) (I
wanted to see all my traffic except my ssh traffic, which I was logging
in as)
Then I went to the internal box and did a (tcpdump -i eth0 port 80) so
I could see if any traffic hit the box at all..
So the things I found were that packets WERE hitting the external
interface (fxp0) and (from tcpdump) the dest port was redirecting to
the internal ip of the box I wanted (good thing), but I saw NO
traffic on the internal interface card (dc0) nor on the internal ip of
the box (eth0).
So that made me think it was getting dropped somewhere.. so I
looked in the log file for my denied packets.. and sure enough there
was a rule (not the last one) that was denying the packets. Once I
removed that rule.. I saw traffic flow through and the web server came
alive. :)
Basically I had put a deny all rule higher in the "chain" of rules
than I wanted (shown below in my previous post of rc.firewall)
All is well now.. Thanks for the troubleshooting tips..
:)
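Added example (not from any post in this thread): a small Python model of ipfw's first-match evaluation with a natd-style divert, to show why the position of the "deny ... in via ${oif} setup" rule matters. It assumes that a diverted packet continues at the rule after the divert with its destination already rewritten; the public address 203.0.113.4, the client address and the rule numbers are constructed, only 192.168.0.2 and fxp0 come from the thread. In the first rule set only the pre-NAT destination ${oip}:80 is passed before the catch-all deny, so the translated SYN to 192.168.0.2:80 falls through to the deny; in the second a pass for the translated destination sits above it.

```python
"""Toy first-match evaluator for ipfw-style rules with a natd-like divert.

Added example, not code from the thread. Model assumption: a diverted packet
resumes at the rule after the divert rule with its destination already
rewritten. Addresses and rule numbers are constructed, not the poster's.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: int
    iface: str            # interface the packet is seen on
    direction: str        # 'in' or 'out'
    setup: bool = False   # TCP SYN without ACK (ipfw 'setup')


@dataclass
class Rule:
    number: int
    action: str                      # 'pass', 'deny' or 'divert'
    proto: str = 'ip'                # 'ip' matches every protocol
    dst: str = 'any'                 # 'any', an address or a CIDR block
    dport: Optional[int] = None
    iface: Optional[str] = None      # 'via <iface>'
    direction: Optional[str] = None  # 'in' or 'out'
    setup: bool = False
    # divert only: public port -> (internal address, internal port),
    # standing in for natd's redirect_port table
    redirects: Optional[Dict[int, Tuple[str, int]]] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every qualifier present on the rule matches the packet."""
    if rule.proto != 'ip' and rule.proto != pkt.proto:
        return False
    if rule.dst != 'any' and ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return not rule.setup or pkt.setup


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int, str]:
    """Walk the rules in number order; return (verdict, rule number, final dst)."""
    pkt = Packet(**vars(pkt))          # work on a copy of the caller's packet
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        if rule.action == 'divert':
            # natd rewrites an inbound redirected port and hands the packet
            # back; evaluation then continues with the next rule.
            if pkt.direction == 'in' and rule.redirects and pkt.dport in rule.redirects:
                pkt.dst, pkt.dport = rule.redirects[pkt.dport]
            continue
        return rule.action, rule.number, pkt.dst
    return 'deny', 65535, pkt.dst      # ipfw's implicit default rule


OIF, OIP = 'fxp0', '203.0.113.4'    # constructed public interface/address
WWW = '192.168.0.2'                 # internal web server, as in the thread
# constructed inbound SYN from an outside client to the public address
INBOUND_SYN = Packet('tcp', '198.51.100.7', OIP, 80, OIF, 'in', setup=True)


def rules_deny_high() -> List[Rule]:
    """Only the pre-NAT destination is allowed before the catch-all deny."""
    return [
        Rule(50, 'divert', iface=OIF, redirects={80: (WWW, 80)}),
        Rule(100, 'pass', 'tcp', OIP, 80, setup=True),
        Rule(200, 'deny', 'tcp', iface=OIF, direction='in', setup=True),
        Rule(300, 'pass', 'tcp', setup=True),
    ]


def rules_deny_low() -> List[Rule]:
    """Same rules, plus a pass for the translated destination above the deny."""
    return [
        Rule(50, 'divert', iface=OIF, redirects={80: (WWW, 80)}),
        Rule(100, 'pass', 'tcp', OIP, 80, setup=True),
        Rule(150, 'pass', 'tcp', WWW, 80, setup=True),
        Rule(200, 'deny', 'tcp', iface=OIF, direction='in', setup=True),
        Rule(300, 'pass', 'tcp', setup=True),
    ]


if __name__ == '__main__':
    for name, rules in (('deny high', rules_deny_high()), ('deny low', rules_deny_low())):
        print(name, evaluate(rules, INBOUND_SYN))
```

Run as a script it prints ('deny', 200, '192.168.0.2') for the first rule set and ('pass', 150, '192.168.0.2') for the second. Real ipfw has many more qualifiers (established, keep-state, frag, recv/xmit) that this toy ignores; the point is only that the first matching rule wins, so a deny placed above the rule meant to allow the redirected traffic silently discards it, which is exactly what reading the logged denies revealed.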
On 15 Aug 2002 05:48:20 -0700, wsw...@hotmail.com (wsware) wrote:
>The original rc.firewall has a line that adds the divert rule.. do you
>still have this?
>Clip from rc.firewall
>---------------------
>case ${natd_enable} in
> [Yy][Ee][Ss])
> if [ -n "${natd_interface}" ]; then
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
> fi
> ;;
> esac
>---------------------
>If you do "ipfw show" you should see a divert rule, without it a
>packet never gets to natd. It needs to be one of the first rules.
>(Trick: You can test internally if the divert rule is "via any")
>%ipfw show
>00050 3669724 2054077598 divert 8668 ip from any to any via fxp0
>00100 117068 25512096 allow ip from any to any via lo0
>00200 0 0 deny ip from any to 127.0.0.0/8
>00300 0 0 deny ip from 127.0.0.0/8 to any
>65000 3669709 2054057003 allow ip from any to any
>65535 0 0 deny ip from any to any
>-Scott
>Sabation Hunter <i...@farscape.net> wrote in message <news:sfjjluccj64tg153sm97bcb3rgn32bqki5@4ax.com>...
>> At the time of the last post, I was testing externally from my box. (
>> I know of the nat translation issue trying to test this internally)
>> My rc.firewall rules will follow ..
>> Maybe I'm blocking it from getting to it even though I have a rule for
>> port 80 to be accessible .. <shrug>
>> --- <rc.firewall>
>> # Allow TCP through if setup succeeded
>> ${fwcmd} add pass tcp from any to any established
>> ${fwcmd} add pass all from any to any via ${iif}
>> ${fwcmd} add pass all from ${onet}:${omask} to any out via ${oif}
>> # Allow IP fragments to pass through
>> ${fwcmd} add pass all from any to any frag
>> # Allow setup of incoming email
>> ${fwcmd} add pass tcp from any to ${oip} 25 setup
>> #allow SSH into my box
>> ${fwcmd} add pass tcp from any to ${oip} 22 setup
>> ${fwcmd} add pass tcp from any to ${iip} 22 setup
>> #Allow icmp traffic (tshaw)
>> ${fwcmd} add pass icmp from ${oip} to any
>> ${fwcmd} add pass icmp from any to ${oip}
>> ${fwcmd} add pass icmp from ${inet}:${imask} to any
>> ${fwcmd} add pass icmp from any to ${inet}:${imask}
>> # Allow access to our DNS
>> ${fwcmd} add allow udp from any to <isp DNS> 53 out xmit fxp0
>> ${fwcmd} add allow udp from <isp dns> 53 to any in recv fxp0
>> ${fwcmd} add pass tcp from any to ${oip} 53 setup
>> ${fwcmd} add pass udp from any to ${oip} 53
>> ${fwcmd} add pass udp from ${oip} 53 to any
>> ${fwcmd} add pass udp from any 53 to any
>> ${fwcmd} add pass udp from any to any 53
>> # Allow access to our WWW
>> ${fwcmd} add pass tcp from any to ${oip} 80 setup
>> # Reject&Log all setup of incoming connections from the outside
>> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>> # Allow setup of any other TCP connection
>> ${fwcmd} add pass tcp from any to any setup
>> # Allow DNS queries out in the world
>> ${fwcmd} add pass udp from ${oip} to any 53 keep-state
>> # Allow NTP queries out in the world
>> ${fwcmd} add pass udp from ${oip} to any 123 keep-state
>> # Everything else is denied by default, unless the
>> # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>> # config file.
>> ;;
>> Thanks to any and all who are following this and helping..
>> On 14 Aug 2002 19:21:52 -0700, wsw...@hotmail.com (wsware) wrote:
>> >How are you testing this? You cannot test it internally...
>> >I'm also assuming you have your firewall setup right.. How do you have
>> >it setup right now?
>> >-Scott
>> >Terrelle Shaw <hs...@safeweb.com> wrote in message <news:3D5ADA40.2000202@safeweb.com>...
>> >> Ok.. I did exactly what you described.. Still no go..
>> >> Is there supposed to be some ipfw rules set? I have added some rules to
>> >> allow tcp to my external ip on port 80 on the external interface.. and
>> >> also added a rule for my any dest traffic to leave my internal box from
>> >> port 80...
>> >> What I get from TCPDUMP is that I see the request getting to the
>> >> external public ip and port.. but nothing is getting past that to the
>> >> internal box..
>> >> In effect.. my firewall is working like a charm.. (too damn good in fact)
>> >> :/
>> >> So the magic is still with you guys..
>> >> wsware wrote:
>> >> >>0wn3d# natd -interface fxp0 -redirect_port tcp 192.168.0.2:80 80
>> >> >>natd: Unable to bind divert socket.: Address already in use
>> >> > natd already running is the reason you get the Address already in
>> >> > use.
>> >> > You need to put the options in /etc/rc.conf natd_flags="-redirect_port
>> >> > tcp 192.168.0.2:80 80" or better yet point it to a config file. As
>> >> > far as I know, to change natd settings after boot you have to kill it
>> >> > and restart it.
>> >> > Here is what I use:
>> >> > /etc/rc.conf
>> >> > ------------
>> >> > natd_enable="YES"
>> >> > natd_flags="-f /etc/natd.conf"
>> >> > natd_interface="fxp0"
>> >> > /etc/natd.conf
>> >> > --------------
>> >> > use_sockets yes
>> >> > same_ports yes
>> >> > dynamic yes
>> >> > unregistered_only yes
>> >> > redirect_port tcp 192.168.1.5:9110 9110
>> >> > redirect_port udp 192.168.1.5:9110 9110
>> >> > redirect_port tcp 192.168.1.5:6073 6073
>> >> > redirect_port udp 192.168.1.5:6073 6073
>> >> > redirect_port tcp 192.168.1.5:47624 47624
>> >> > redirect_port udp 192.168.1.5:47624 47624
>> >> > redirect_port tcp 192.168.1.5:2302-2306 2302-2306
>> >> > redirect_port udp 192.168.1.5:2302-2306 2302-2306
>> >> > redirect_port tcp 192.168.1.6:2307-2311 2307-2311
>> >> > redirect_port udp 192.168.1.6:2307-2311 2307-2311
>> >> > If you change the settings in /etc/natd.conf you will have to kill
>> >> > natd and restart it like so:
>> >> > %killall natd
>> >> > %natd -n fxp0 -f /etc/natd.conf
>> >> > -Scott
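Added example (not from the thread and not natd's own code): a Python parser for the redirect_port lines of a natd.conf like the one Scott posted, with a check for two lines that claim the same public port and a conversion to the -redirect_port flags used in the rc.conf natd_flags form earlier in the thread. Assumptions: only the "redirect_port proto target_ip:port[-port] [alias_ip:]port[-port]" form and two-word yes/no options are recognised, "#" comments are stripped, SAMPLE_CONF is a subset of Scott's file, and CONFLICT_LINE is a constructed extra line added only to exercise the overlap check.

```python
"""Parse the redirect_port lines of a natd.conf and sanity-check them.

Added example, not code from the thread or from natd itself. It handles the
'redirect_port proto target_ip:port[-port] [alias_ip:]port[-port]' form used
in the thread plus simple 'keyword yes/no' options. SAMPLE_CONF is a subset
of the file Scott posted; CONFLICT_LINE is a constructed addition.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Redirect:
    proto: str
    target_ip: str
    target_ports: Tuple[int, int]   # inclusive range on the internal host
    alias_ports: Tuple[int, int]    # inclusive range on the public address


def _port_range(text: str) -> Tuple[int, int]:
    """'2302-2306' -> (2302, 2306); '80' -> (80, 80); rejects bad values."""
    lo, _, hi = text.partition('-')
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 < lo_i <= hi_i <= 65535:
        raise ValueError(f'bad port range {text!r}')
    return lo_i, hi_i


def parse_redirect(proto: str, target: str, alias: str) -> Redirect:
    """Build a Redirect from the three arguments of a redirect_port line."""
    if proto not in ('tcp', 'udp'):
        raise ValueError(f'unsupported protocol {proto!r}')
    ip, sep, tports = target.rpartition(':')
    if not sep:
        raise ValueError(f'target {target!r} needs ip:port')
    ip_address(ip)                          # raises on a malformed address
    aports = alias.rpartition(':')[2]       # drop an optional alias ip
    t, a = _port_range(tports), _port_range(aports)
    if t[1] - t[0] != a[1] - a[0]:          # ranges must be the same size
        raise ValueError(f'range sizes differ: {target} vs {alias}')
    return Redirect(proto, ip, t, a)


def parse_natd_conf(text: str) -> Tuple[Dict[str, str], List[Redirect]]:
    """Return ({option: value}, [Redirect, ...]) for a natd.conf body."""
    options: Dict[str, str] = {}
    redirects: List[Redirect] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if fields[0] == 'redirect_port':
            if len(fields) != 4:
                raise ValueError(f'cannot parse {raw!r}')
            redirects.append(parse_redirect(*fields[1:]))
        elif len(fields) == 2:
            options[fields[0]] = fields[1]
        else:
            raise ValueError(f'unrecognised line {raw!r}')
    return options, redirects


def find_conflicts(redirects: List[Redirect]) -> List[Tuple[Redirect, Redirect]]:
    """Pairs of same-protocol redirects whose public port ranges overlap."""
    out = []
    for i, a in enumerate(redirects):
        for b in redirects[i + 1:]:
            if a.proto == b.proto and (a.alias_ports[0] <= b.alias_ports[1]
                                       and b.alias_ports[0] <= a.alias_ports[1]):
                out.append((a, b))
    return out


def to_flags(redirects: List[Redirect]) -> List[str]:
    """The equivalent -redirect_port arguments for natd_flags in rc.conf."""
    def rng(r: Tuple[int, int]) -> str:
        return str(r[0]) if r[0] == r[1] else f'{r[0]}-{r[1]}'
    return [f'-redirect_port {r.proto} {r.target_ip}:{rng(r.target_ports)} {rng(r.alias_ports)}'
            for r in redirects]


SAMPLE_CONF = """\
use_sockets yes
same_ports yes
dynamic yes
unregistered_only yes
redirect_port tcp 192.168.1.5:9110 9110
redirect_port udp 192.168.1.5:9110 9110
redirect_port tcp 192.168.1.5:2302-2306 2302-2306
redirect_port udp 192.168.1.5:2302-2306 2302-2306
redirect_port tcp 192.168.1.6:2307-2311 2307-2311
"""
CONFLICT_LINE = "redirect_port tcp 192.168.1.7:2305 2305\n"   # constructed

if __name__ == '__main__':
    opts, reds = parse_natd_conf(SAMPLE_CONF + CONFLICT_LINE)
    print(opts, len(reds), 'redirects')
    for a, b in find_conflicts(reds):
        print('public port overlap:', a, b)
    print('\n'.join(to_flags(reds)))
```

On the sample, the constructed line for 192.168.1.7 overlaps the tcp 2302-2306 range already pointed at 192.168.1.5, and find_conflicts reports that pair; the other nine lines are clean. to_flags gives the same redirects in the single-line natd_flags form, which is handy when comparing a running natd's command line against the file it was supposed to read.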