Divert port 80 to internal server

Chris Hill chris at monochrome.org
Sun Nov 2 17:20:51 PST 2003


I'm trying to set up an internal machine to serve all my web sites. I
have one routable IP and a slew of inside machines on 192.168.1.*, one
of which is to be the web server.

My gateway machine (running the ipfw in question) is an ancient FreeBSD
running ipfw and natd:

# uname -a
FreeBSD mail.monochrome.org 3.3-RELEASE FreeBSD 3.3-RELEASE #0: (etc...)

I'm trying to set up a rule under ipfw which will send all requests for
port 80 to the internal machine. The web server's name is faro and its
internal IP is defined in /etc/hosts all over my LAN. I've tried a bunch
of different ipfw commands in /etc/rc.firewall, such as

    $fwcmd add divert 80 tcp from any to faro 80 setup
    $fwcmd add fwd ${oip} 80 tcp from any to faro 80 setup
    $fwcmd add allow tcp from any to faro 80 setup

(not all at once, of course). In all cases, 'ipfw show' gives the
expected result with the correct IP shown in the rule as defined in
/etc/rc.firewall. I'm pretty sure the basic setup (other than this
issue) is OK, since it's been running fine for years. Right now, the
rule set is

# ipfw show
00100 5884 2573012 divert 8668 ip from any to any via ed1
00100  302   36118 allow ip from any to any via lo0
00200    0       0 deny ip from 192.168.1.0/24 to any in recv ed1
00300    0       0 deny ip from 209.190.235.128/25 to any in recv xl0
00400    0       0 deny ip from 172.16.0.0/12 to any via ed1
00500    0       0 deny ip from any to 172.16.0.0/12 via ed1
00600    0       0 deny ip from 10.0.0.0/8 to any via ed1
00700    0       0 deny ip from any to 10.0.0.0/8 via ed1
00800 9008 4903771 allow tcp from any to any established
00900    4     240 allow tcp from any to 209.190.235.180 25 setup
01000    0       0 allow tcp from any to 209.190.235.180 53 setup
01100    0       0 allow tcp from any 53 to any 53
01200    0       0 allow udp from any 53 to any 53
01300    0       0 allow tcp from any 53 to any 1023-65535
01400  427   81559 allow udp from any 53 to any 1023-65535
01500   18     792 allow tcp from any 1023-65535 to any 53
01600  432   27458 allow udp from any 1023-65535 to any 53
01700   16     768 allow tcp from any to any 22 setup
01800    4     240 allow tcp from any to any 113 via xl0 setup
01900    0       0 allow tcp from any 20 to any 1023-65535
02000    0       0 allow tcp from any 1023-65535 to any 21
02100    0       0 allow tcp from any to 192.168.1.1 110 setup
02200    0       0 allow tcp from any to 209.190.235.180 110 setup
02300   81    3916 deny tcp from any to any in recv ed1 setup
02400    0       0 allow tcp from any to 192.168.1.7 80 setup
02500  240   11536 allow tcp from any to any setup
02600   94    8072 allow icmp from any to any
02700    0       0 allow udp from any 53 to 209.190.235.180
02800    0       0 allow udp from 209.190.235.180 to any 53
02900  235   17860 allow udp from any 123 to 209.190.235.180
03000  310   23560 allow udp from 209.190.235.180 to any 123
03100  700   66275 allow ip from 192.168.1.0/24 to any
03200   36    2736 allow ip from any to 192.168.1.0/24
03300  293   31058 deny ip from any to any
65535  137   10852 allow ip from any to any
#

Rule 2400 is the one giving me grief at the moment. Bottom line, none of
this seems to work; any by-name http connection is refused, but
connections from inside by IP address get me the server's default page
just fine, so I know httpd is running on the web server machine.

I have searched google, alltheweb, and the -questions@ archive, as well
as 'man ipfw' and 'man divert', but have not found anything that I can
both understand and use.

Any idea of a usable ipfw rule that will work for this application?

Thanks in advance.

--
Chris Hill               chris at monochrome.org
**                     [ Busy Expunging <|> ]
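An added example, not code from the post or from the FreeBSD project: a small Python model of ipfw's first-match evaluation, run over an abridged copy of the ruleset above, to trace where an inbound port-80 SYN arriving on ed1 ends up. ipfw stops at the first allow/deny that matches, and a packet diverted to natd resumes at the rule after the divert rule once natd re-injects it. The model assumes a constructed outside client address (198.51.100.10), that natd's redirect_port option (natd(8)) is what rewrites the destination from the public address 209.190.235.180 to 192.168.1.7, and a hypothetical rule number 2250 as a placement ahead of rule 2300; none of those are in the post. The zero counters on rule 2400 and the 81 hits on rule 2300 in the posted output are consistent with what the trace shows.

```python
"""Model of ipfw(8) first-match rule evaluation (added example, not from the post).

Handles the subset of syntax used in the posted ruleset: proto, src/dst with
CIDR masks and port lists or ranges, 'setup', 'established', 'via IF',
'in recv IF'. 'divert' is modelled as the point where natd may rewrite the
destination; matching then continues at the next rule.
"""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed sample input: abridged copy of the 'ipfw show' output in the post
# (counters dropped, unrelated rules omitted).
POSTED_RULES = """\
00100 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via lo0
00200 deny ip from 192.168.1.0/24 to any in recv ed1
00800 allow tcp from any to any established
00900 allow tcp from any to 209.190.235.180 25 setup
02300 deny tcp from any to any in recv ed1 setup
02400 allow tcp from any to 192.168.1.7 80 setup
02500 allow tcp from any to any setup
03300 deny ip from any to any
"""
# Hypothetical placement of the web-server rule ahead of rule 2300 (assumption).
MOVED_RULE = "02250 allow tcp from any to 192.168.1.7 80 setup\n"

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\w+)(?:\s+(?P<arg>\d+))?\s+(?P<proto>ip|tcp|udp|icmp)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sports>[\d,-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>[\d,-]+))?(?P<opts>.*)$")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flags: "S" for a bare SYN, "A" for a data/ACK segment
    iface: str      # interface the packet is seen on
    direction: str  # "in" or "out"


@dataclass
class Rule:
    num: int; action: str; proto: str
    src: str; sports: Optional[str]; dst: str; dports: Optional[str]
    via: Optional[str] = None; recv: Optional[str] = None
    direction: Optional[str] = None; setup: bool = False; established: bool = False


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        r = Rule(int(m["num"]), m["action"], m["proto"], m["src"], m["sports"],
                 m["dst"], m["dports"])
        opts = m["opts"].split()
        i = 0
        while i < len(opts):            # trailing options: via/recv/in/out/setup/established
            tok = opts[i]
            if tok == "via":
                r.via = opts[i + 1]; i += 1
            elif tok == "recv":
                r.recv = opts[i + 1]; i += 1
            elif tok in ("in", "out"):
                r.direction = tok
            elif tok == "setup":
                r.setup = True
            elif tok == "established":
                r.established = True
            i += 1
        rules.append(r)
    return sorted(rules, key=lambda r: r.num)   # ipfw evaluates in rule-number order


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and _addr_ok(r.src, p.src) and _port_ok(r.sports, p.sport)
            and _addr_ok(r.dst, p.dst) and _port_ok(r.dports, p.dport)
            and (r.via is None or r.via == p.iface)
            and (r.recv is None or (p.direction == "in" and r.recv == p.iface))
            and (r.direction is None or r.direction == p.direction)
            and (not r.setup or ("S" in p.flags and "A" not in p.flags))
            and (not r.established or "A" in p.flags))


def trace(rules, pkt: Packet, redirect: Optional[Tuple[str, int, str]] = None) -> Tuple[int, str]:
    """Return (rule number, action) of the first allow/deny rule that matches.
    redirect = (alias_ip, port, target_ip) models a natd 'redirect_port tcp
    target_ip:port port' mapping applied when the packet is diverted."""
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action == "divert":
            if redirect and pkt.direction == "in" and pkt.proto == "tcp" \
                    and (pkt.dst, pkt.dport) == (redirect[0], redirect[1]):
                pkt = replace(pkt, dst=redirect[2])   # natd rewrote the destination
            continue                                  # resume at the next rule
        return r.num, r.action
    return 65535, "allow"   # default rule as shown in the posted ruleset


# Constructed: an outside client's HTTP SYN to the gateway's public address, seen on ed1.
INBOUND_SYN = Packet("tcp", "198.51.100.10", "209.190.235.180", 40000, 80, "S", "ed1", "in")
NATD_REDIRECT = ("209.190.235.180", 80, "192.168.1.7")   # assumed natd redirect_port mapping


def compare() -> dict:
    posted = parse_rules(POSTED_RULES)
    moved = parse_rules(POSTED_RULES + MOVED_RULE)
    return {
        "no natd redirect, rule at 2400": trace(posted, INBOUND_SYN),
        "natd redirect, rule at 2400": trace(posted, INBOUND_SYN, NATD_REDIRECT),
        "no natd redirect, rule at 2250": trace(moved, INBOUND_SYN),
        "natd redirect, rule at 2250": trace(moved, INBOUND_SYN, NATD_REDIRECT),
    }


if __name__ == "__main__":
    for label, (num, action) in compare().items():
        print(f"{label:32} -> rule {num:05d} {action}")
```

The trace shows two independent conditions for an outside connection to reach the inside host: the destination must be rewritten before ipfw compares it against 192.168.1.7 (a plain allow, fwd or divert rule naming the inside host does not translate the address, so an inbound SYN still carries the public address), and the allow rule must sit ahead of the blanket "deny ... in recv ed1 setup" at 2300, since ipfw stops at the first match. With either condition missing the SYN lands on rule 2300.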


