Firewall/Web server difficulties

Norberto Meijome freebsd at
Sun Feb 19 15:25:14 PST 2006

Brian Bobowski wrote:
> Norberto Meijome wrote:
>> Brian Bobowski wrote:
>>> I'm poking at that now, yes. I had difficulty getting it to work with
>>> virtual hosts... but I can at least reference it by the private-side IP
>>> address and get places.
>> assuming you are using Apache, you can use * for Ip address and let it
>> be name-based virt host.
> Already running thus. DNS seems to be the problem, then. (Which I'll
> poke at later assuming hosting alternatives don't work out.)
(sorry for the delay in replying)
One thing you want to make sure you have off is the reverse dns lookup
setting in your httpd.conf - it's rather useless and it will add a
dependency on DNS to your web services.

>>> WAN. People have tried pinging and browsing, with no success.
>> then I would review the rules...
> Relevant rules text(and based on both startup text and behaviour of
> the firewall for other tasks, I know the rules file is being parsed)
> excerpted below:
for proper diagnosing, it'd be better to have the whole thing :)
hopefully it's already fixed...
> cmd="ipfw -q add"
> pif="rl0" #Interface which opens to the WAN; NAT interface

Is your NAT properly configured?
> prif="ed0" #LAN interface, private-side
> ks="keep-state"
> # More stuff here...
> $cmd 400 allow udp from to me 68 in via $pif # DHCP server
> $cmd 401 allow tcp from any to me 80 in via $pif # Apache
> $cmd 402 allow tcp from any to me 22 in via $pif # SSH
> $cmd 403 allow icmp from any to me in via $pif # For testing;
> low-traffic, not worried about ping floods at this time
> ---
> The firewall's DHCP requests are working fine, so #400 is working
> properly.
> Other machines, however, cannot see it.
what do you mean by this? the fact that #400 is working doesnt mean that
#401 will :) (there's nothing particularly wrong with #401..just saying
you are making the wrong assumption)
> That's one problem. The other is DNS. I'm still looking through the
> named.conf file and poking at the settings given for a secondary
> server... all I really want is a caching server that will first look
> at my own /etc/hosts file (where the domain names which refer to this
> machine are specified by their private-facing address).
hmm .. why would named.conf look into /etc/hosts ?
If this is your main DNS server for your zone, then make sure that it's
properly delegated, that all the relevant hosts are defined IN YOUR BIND
config , (well, /etc/hosts can't hurt, but you are just adding extra
variables that can muddle things up).

There's lots of good docs on BIND out there. If you want a rather easy
UI, why not install webmin from the ports?

good luck,

More information about the freebsd-questions mailing list