Firewall/Web server difficulties

Brian Bobowski bbobowski at
Mon Feb 13 11:53:43 PST 2006

Norberto Meijome wrote:

>Brian Bobowski wrote:
>>I'm poking at that now, yes. I had difficulty getting it to work with
>>virtual hosts... but I can at least reference it by the private-side IP
>>address and get places.
>assuming you are using Apache, you can use * for Ip address and let it
>be name-based virt host.
Already running thus. DNS seems to be the problem, then. (Which I'll 
poke at later assuming hosting alternatives don't work out.)

>>WAN. People have tried pinging and browsing, with no success.
>then I would review the rules...
Relevant rules text (and, based on both startup text and behaviour of the 
firewall for other tasks, I know the rules file is being parsed) 
excerpted below:

cmd="ipfw -q add"
pif="rl0" #Interface which opens to the WAN; NAT interface
prif="ed0" #LAN interface, private-side

# More stuff here...

$cmd 400 allow udp from any to me 68 in via $pif # DHCP (server replies to our client port)
$cmd 401 allow tcp from any to me 80 in via $pif # Apache
$cmd 402 allow tcp from any to me 22 in via $pif # SSH
$cmd 403 allow icmp from any to me in via $pif # For testing; low-traffic, not worried about ping floods at this time

The firewall's DHCP requests are working fine, so #400 is working 
properly. Other machines, however, cannot see it.

These firewall rules are essentially a slightly-modified copy of the 
first example NAT ruleset in the handbook's IPFW section. The 
modifications consist of extending the 'good-tcpo' variable to a few 
more ports I want to use, putting more entries for my ISP's DNS servers, 
adding DHCP outbound and inbound permission (67 and 68) like the second 
example has, and adding port 22 and ICMP in the above set.

That's one problem. The other is DNS. I'm still looking through the 
named.conf file and poking at the settings given for a secondary 
server... all I really want is a caching server that will first look at 
my own /etc/hosts file (where the domain names which refer to this 
machine are specified by their private-facing address).

Any assistance, as always, appreciated. Especially with the first 
problem. (Off-list as I can't keep up with the volume of list delivery.)
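A small checker for rulesets like the one quoted in the message above. This is an added example, not part of the original post or of the FreeBSD handbook: it parses the subset of `ipfw add` syntax the quoted rules use, reports lines whose `from`/`to` clauses are malformed (the kind of slip that ipfw would reject at load time), and lists which rules admit inbound traffic on the WAN interface to the firewall itself, so you can see at a glance what the box exposes. The sample ruleset is constructed from the quoted rules with `$cmd`/`$pif` expanded by hand; `rl0` and `ed0` are the interface names from the post, and the function and variable names are this example's own.

```python
"""Audit ipfw 'add' lines: flag malformed rules, list WAN-facing inbound allows.

Added example, not from the original post. Handles only the syntax the quoted
rules use (action, protocol, from/to with optional ports, in/out, via).
"""
import re

# Constructed sample: the quoted rules with shell variables expanded.
# Rule 400 deliberately keeps the "from to me" slip from the post.
SAMPLE_RULES = """\
ipfw -q add 400 allow udp from to me 68 in via rl0 # DHCP server
ipfw -q add 401 allow tcp from any to me 80 in via rl0 # Apache
ipfw -q add 402 allow tcp from any to me 22 in via rl0 # SSH
ipfw -q add 403 allow icmp from any to me in via rl0 # For testing
"""

# Tokens that cannot be an address; seeing one where an address is
# expected means the address is missing.
KEYWORDS = {"from", "to", "in", "out", "via", "recv", "xmit",
            "keep-state", "setup", "established"}
ALLOW_ACTIONS = {"allow", "accept", "pass", "permit"}


def _addr(toks, i, num, what):
    """Consume one address and an optional port list starting at toks[i]."""
    if i >= len(toks) or toks[i] in KEYWORDS:
        found = toks[i:i + 1] or "end of line"
        raise ValueError(f"rule {num}: missing {what} address (found {found})")
    addr, i = toks[i], i + 1
    port = None
    if i < len(toks) and re.fullmatch(r"[\d,-]+", toks[i]):
        port, i = toks[i], i + 1
    return addr, port, i


def parse_rule(line):
    """Parse 'ipfw [opts] add NUM ACTION PROTO from SRC to DST ...' into a dict."""
    body = line.split("#", 1)[0].strip()      # drop trailing comment
    toks = body.split()
    i = 0
    if toks[:1] == ["ipfw"]:
        i = 1
        while i < len(toks) and toks[i].startswith("-"):   # skip -q etc.
            i += 1
    if i >= len(toks) or toks[i] != "add":
        raise ValueError(f"expected 'add' in {body!r}")
    if len(toks) < i + 5:
        raise ValueError(f"rule too short: {body!r}")
    num, action, proto = int(toks[i + 1]), toks[i + 2], toks[i + 3]
    i += 4
    if toks[i] != "from":
        raise ValueError(f"rule {num}: expected 'from', got {toks[i]!r}")
    src, sport, i = _addr(toks, i + 1, num, "source")
    if i >= len(toks) or toks[i] != "to":
        raise ValueError(f"rule {num}: expected 'to' after source, got {toks[i:i + 1]}")
    dst, dport, i = _addr(toks, i + 1, num, "destination")
    rule = {"num": num, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport,
            "direction": None, "iface": None, "options": []}
    while i < len(toks):                      # trailing in/out/via/options
        tok = toks[i]
        if tok in ("in", "out"):
            rule["direction"] = tok
        elif tok in ("via", "recv", "xmit"):
            i += 1
            rule["iface"] = toks[i] if i < len(toks) else None
        else:
            rule["options"].append(tok)
        i += 1
    return rule


def audit(ruleset, wan="rl0"):
    """Return (exposed, errors).

    exposed: (num, proto, dport) for allow rules matching inbound traffic on
             the WAN interface addressed to the firewall ('me').
    errors:  messages for lines the parser could not accept.
    """
    exposed, errors = [], []
    for line in ruleset.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            r = parse_rule(line)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if (r["action"] in ALLOW_ACTIONS and r["direction"] == "in"
                and r["iface"] == wan and r["dst"] == "me"):
            exposed.append((r["num"], r["proto"], r["dport"] or "any"))
    return exposed, errors


if __name__ == "__main__":
    exposed, errors = audit(SAMPLE_RULES, wan="rl0")
    for err in errors:
        print("MALFORMED:", err)
    for num, proto, port in exposed:
        print(f"rule {num}: WAN inbound {proto} to me port {port}")
```

Run it against your real rules file after expanding the shell variables (for example `sh -x /etc/ipfw.rules 2>&1 | grep '^+ ipfw'`); anything listed as malformed would never have been installed, and the "exposed" list is what the WAN side can reach before NAT or any later rule is considered.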