Firewall/Web server difficulties
bbobowski at gmail.com
Mon Feb 13 11:53:43 PST 2006
Norberto Meijome wrote:
>Brian Bobowski wrote:
>>I'm poking at that now, yes. I had difficulty getting it to work with
>>virtual hosts... but I can at least reference it by the private-side IP
>>address and get places.
>assuming you are using Apache, you can use * for Ip address and let it
>be name-based virt host.
Already running thus. DNS seems to be the problem, then. (Which I'll
poke at later assuming hosting alternatives don't work out.)
>>WAN. People have tried pinging and browsing, with no success.
>then I would review the rules...
Relevant rules text (and, based on both startup text and the behaviour of the
firewall for other tasks, I know the rules file is being parsed):
cmd="ipfw -q add"
pif="rl0" #Interface which opens to the WAN; NAT interface
prif="ed0" #LAN interface, private-side
# More stuff here...
$cmd 400 allow udp from 220.127.116.11 to me 68 in via $pif # DHCP server
$cmd 401 allow tcp from any to me 80 in via $pif # Apache
$cmd 402 allow tcp from any to me 22 in via $pif # SSH
$cmd 403 allow icmp from any to me in via $pif # For testing; low-traffic, not worried about ping floods at this time
The firewall's DHCP requests are working fine, so #400 is working
properly. Other machines, however, cannot see it.
These firewall rules are essentially a slightly-modified copy of the
first example NAT ruleset in the handbook's IPFW section. The
modifications consist of extending the 'good-tcpo' variable to a few
more ports I want to use, putting more entries for my ISP's DNS servers,
adding DHCP outbound and inbound permission (67 and 68) like the second
example has, and adding port 22 and ICMP in the above set.
That's one problem. The other is DNS. I'm still looking through the
named.conf file and poking at the settings given for a secondary
server... all I really want is a caching server that will first look at
my own /etc/hosts file (where the domain names which refer to this
machine are specified by their private-facing address).
Any assistance, as always, appreciated. Especially with the first
problem. (Off-list as I can't keep up with the volume of list delivery.)
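The following is an added example, not part of Brian's mail or of the FreeBSD handbook ruleset: a small first-match simulator for rules of the exact shape quoted above, which lets you check offline whether a given packet (protocol, source, destination, port, direction, interface) would hit one of the listed allow rules or fall through to ipfw's default rule 65535. The `LOCAL_ADDRS` set standing in for ipfw's `me` keyword, the sample packets, and the `wide_open` audit helper are all constructed for the example. It models only the `allow/deny <proto> from <src> to <dst> [port] in via <iface>` form and ignores the divert/natd, check-state and keep-state rules that the handbook's NAT ruleset also contains, so it is a rule-ordering aid, not a substitute for `ipfw show` and `ipfw -d list` on the box itself.

```python
"""First-match simulator for the ipfw-style rules quoted in the mail.

Added example, not the original poster's or the handbook's code.  Only the
'<num> allow|deny <proto> from <src> to <dst> [port] in|out via <iface>'
form is understood; divert/natd and stateful rules are not modelled.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: the shell variables the posted ruleset defines.
VARS = {"cmd": "ipfw -q add", "pif": "rl0", "prif": "ed0"}

# Constructed (assumption): addresses that ipfw's 'me' keyword would match,
# i.e. the WAN-side and LAN-side addresses configured on this box.
LOCAL_ADDRS = {"192.0.2.10", "192.168.1.1"}

# The rules from the mail, with a second constructed rule numbering kept as
# posted; variable assignments and comments are handled by the parser.
RULESET = """
cmd="ipfw -q add"
pif="rl0" #Interface which opens to the WAN; NAT interface
prif="ed0" #LAN interface, private-side
$cmd 400 allow udp from 220.127.116.11 to me 68 in via $pif # DHCP server
$cmd 401 allow tcp from any to me 80 in via $pif # Apache
$cmd 402 allow tcp from any to me 22 in via $pif # SSH
$cmd 403 allow icmp from any to me in via $pif # For testing
"""


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]   # None when the rule names no destination port
    direction: str
    iface: str


RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+(?P<port>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)$"
)
PREFIX = "ipfw -q add "


def expand_vars(line: str) -> str:
    """Substitute $name with its value from VARS, as the shell would."""
    return re.sub(r"\$(\w+)", lambda m: VARS.get(m.group(1), m.group(0)), line)


def parse_rules(text: str) -> list[Rule]:
    """Parse the rules file into Rule objects sorted by rule number."""
    rules = []
    for raw in text.splitlines():
        line = expand_vars(raw.split("#", 1)[0]).strip()  # strip comments
        if not line.startswith(PREFIX):
            continue  # variable assignments, blank lines
        m = RULE_RE.match(line[len(PREFIX):])
        if not m:
            raise ValueError(f"unsupported rule syntax: {raw!r}")
        rules.append(Rule(int(m["num"]), m["action"], m["proto"], m["src"],
                          m["dst"], int(m["port"]) if m["port"] else None,
                          m["dir"], m["iface"]))
    return sorted(rules, key=lambda r: r.number)


def addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything, 'me' any local address, else exact match."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return spec == addr


def first_match(rules, proto, src, dst, dport, direction, iface):
    """Return (rule number, action) of the first rule the packet matches,
    or (65535, 'deny') for ipfw's default rule when nothing matches."""
    for r in rules:
        if r.proto not in ("ip", "all", proto):
            continue
        if not (addr_matches(r.src, src) and addr_matches(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.direction != direction or r.iface != iface:
            continue
        return r.number, r.action
    return 65535, "deny"


def wide_open(rules, wan_iface=VARS["pif"]):
    """Rule numbers that admit TCP from any source on the WAN interface;
    worth reviewing (e.g. 22/tcp) before the box is reachable from outside."""
    return [r.number for r in rules
            if r.action == "allow" and r.proto == "tcp"
            and r.src == "any" and r.direction == "in" and r.iface == wan_iface]


if __name__ == "__main__":
    rs = parse_rules(RULESET)
    print(first_match(rs, "tcp", "203.0.113.5", "192.0.2.10", 80, "in", "rl0"))
    print(first_match(rs, "tcp", "203.0.113.5", "192.0.2.10", 80, "in", "ed0"))
    print("WAN-exposed TCP rules:", wide_open(rs))
```

The two `first_match` calls at the bottom show the point of the exercise: an HTTP packet arriving on `rl0` is admitted by rule 401, while the same packet arriving on `ed0` matches nothing in this set and falls to the default deny, which is the sort of interface or ordering mismatch worth ruling out when "the rules file is parsed but nobody can reach port 80".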