Webserver behind nat/ipfw

Greg Barniskis nalists at scls.lib.wi.us
Fri Mar 3 05:47:06 PST 2006


freebsd-questions wrote:
> Hello all,
> 
> I have been struggling for the last months now to run a webserver behind 
> a firewall.
> I have installed apache 2 on an OpenDarwin G4 machine behind a FreeBSD 6 
> firewall/nat box:
> 
> internet  ]-----[ outside IP ] modem [ 192.168.1.1 ]-----[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]-----[ en0: 10.31.21.2 ] OpenDarwin webserver
> 
> When I run apache from the firewall people can connect.
> Tcpdump on en0, fxp0 both show the right incoming and outgoing traffic 
> on the webserver as expected.
> It also shows that incoming traffic on the firewall on port 80 is 
> successfully translated to the firewall's IP.
> I can access the website from the LAN (from the firewall itself and 
> going through the firewall via not shown nge1 10.31.20.1)

Does tcpdump show the web server returning packets to the firewall? 
That is, are you barking at ipfw/natd when the problem is the web 
server's idea of proper routing for addresses outside the firewall?

If the web server gets requests from the firewall and also returns 
them properly, add verbose logging to every ipfw rule so you can see 
exactly where they get clobbered.


> I am clearly missing something here in the way the response from the 
> webserver should be sent back to the internet requests.
> If I only knew what...
> 
> I have tried adding lines like:
> ipfw 3 add divert 8668 all from any to any 80

I don't think that is what you want.

> I even tried running a second natd and diverting all traffic on port 80 
> through it without any result.

Nor that.

> I am out of ideas now...
> Googling for a month led me to instructions on how to run ipfw OR natd; I 
> couldn't find one that combines the two.

man natd
more /etc/rc.firewall

(the stock rc.firewall, not one you've heavily experimented on)

It should be pretty simple to make them work together. Perhaps 
you're trying to make it more complicated than it is?

Simply divert to natd at an appropriate place in your ipfw rule set. 
Note how the example rules in the stock rc.firewall do RFC 1918 
spoof checks before and after the divert, then get into what kinds 
of non-spoofed connections are permitted or denied.

> Can anyone help me set up nat and ipfw so that the webserver is able to 
> respond to incoming http requests?
> 
> Many thanks in advance,
> 
> Arno
> 
> 
> HARDWARE:
> internet  ]-----[ outside IP ] modem [ 192.168.1.1 ]-----[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]-----[ en0: 10.31.21.2 ] OpenDarwin webserver
> 
> GREP NAT /ETC/RC.CONF:
> natd_program="/sbin/natd"       # path to natd, if you want a different one.
> natd_enable="YES"               # Enable natd (if firewall_enable == YES).
> natd_interface="nge0"           # Public interface or IPaddress to use.
> natd_flags="-f /etc/natd.conf"  # Additional flags for natd.
> 
> 
> /ETC/NATD.CONF:
> unregistered_only yes
> use_sockets yes
> same_ports yes
> dynamic yes
> 
> ### Forward all incoming http access to Webserver
> redirect_port tcp 10.31.21.2:80        80
> redirect_port tcp 192.168.1.40:80 10.31.21.2:80

My working gateway's natd.conf uses only one redirect:

redirect_port     real.web.server.IP:80    80

Is the second redirect above part of your problem? Seems odd.

Sorry, I haven't time to offer any specific advice on your ipfw 
rules except to suggest that liberal use of logging can help you 
isolate any bad assumptions really quickly, especially if you are 
able to test in a controlled lab environment so there isn't a lot of 
noise.
-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
<gregb at scls.lib.wi.us>, (608) 266-6348
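
The divert placement the reply describes, as an added example that is not part of the original thread (neither Greg's nor Arno's rules): an rc.firewall-style ipfw rule set for the post's topology, with the addresses taken from the diagram and everything else assumed. It prints the rules (dry run) unless DRY_RUN=0, so the set can be reviewed before /sbin/ipfw loads it.

```shell
#!/bin/sh
# Added example for this thread, not the stock rc.firewall and not the poster's
# rules. Addresses come from the post's diagram; the rest is an assumption.
oif="nge0"; onet="192.168.1.0/24"; oip="192.168.1.40"   # "outside" side (modem LAN)
iif="fxp0"; inet="10.31.21.0/24"                         # inside LAN
web="10.31.21.2"                                         # web server behind natd

# rc.firewall runs ${fwcmd} for every rule; here it prints the rule unless
# DRY_RUN=0, in which case it calls /sbin/ipfw for real.
fwcmd() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "ipfw $*"; else /sbin/ipfw "$@"; fi; }

build_rules() {
    fwcmd -f flush
    fwcmd add 100 allow ip from any to any via lo0
    # Spoof checks BEFORE the divert: inside addresses may not arrive on the
    # outside interface and vice versa. Caveat for this topology: the "outside"
    # link is itself 192.168.1.0/24 (behind the modem), so the stock
    # 192.168.0.0/16 check on ${oif} would block the modem and ${oip};
    # only the 10/8 and 172.16/12 checks are kept here.
    fwcmd add 200 deny log all from ${inet} to any in via ${oif}
    fwcmd add 210 deny log all from ${onet} to any in via ${iif}
    fwcmd add 220 deny log all from any to 10.0.0.0/8 via ${oif}
    fwcmd add 230 deny log all from any to 172.16.0.0/12 via ${oif}
    # The divert: natd rewrites inbound dst ${oip}:80 -> ${web}:80 and the
    # replies' src ${web} -> ${oip} (natd.conf: redirect_port tcp ${web}:80 80).
    fwcmd add 300 divert natd all from any to any via ${oif}
    # Spoof checks AFTER the divert, now on the translated addresses.
    fwcmd add 400 deny log all from 10.0.0.0/8 to any via ${oif}
    fwcmd add 410 deny log all from 172.16.0.0/12 to any via ${oif}
    # Replies from the web server (and every other established flow).
    fwcmd add 500 allow tcp from any to any established
    fwcmd add 510 allow all from any to any frag
    # After the divert the forwarded SYN carries ${web}, not ${oip}, as its
    # destination, so the pass rule must name the web server's inside address.
    fwcmd add 600 allow tcp from any to ${web} 80 setup
    # Any other connection attempt from outside is dropped AND logged; this is
    # the verbose logging the reply suggests for finding where packets get lost.
    fwcmd add 900 deny log tcp from any to any in via ${oif} setup
    fwcmd add 910 allow tcp from any to any setup
    # UDP/ICMP (DNS, ping) rules are deliberately omitted; add them as needed.
    fwcmd add 65000 deny log all from any to any
}

build_rules
```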