jedaffra
October 9th, 2002, 11:17
Hi,

I looked to see if this one was asked already. If it has, I've overlooked it.

1. I'm running apache on an osx box behind obsd firewall. I can browse the Internet from the osx box via the obsd firewall.
2. I have a domain name with DNS management via ZoneEdit (currently pointing to IP of obsd firewall)

What I would like to have happen is this:

1. Person types in www.mydomain-name.com
2. Request is sent from client to obsd firewall which promptly passes request for web page into apache on osx box behind obsd firewall.

Questions:

What files have to be configured (and what commands are required for these files) on obsd firewall to make this happen.

:D Thanks for your responses,

bsdjunkie
October 9th, 2002, 11:54
http://www.openbsd.org/faq/faq6.html#NAT

Check out the redirecting ports section... This is easily done with OpenBSD's pf and nat =)

elmore
October 9th, 2002, 11:57
What you need is a redirect. Redirects are easy. Here's how I do it.

Open up /etc/nat.conf
add a line like the following:

[code]
rdr on xl0 proto tcp from any to xxx.xxx.xxx.xxx/32 port 80 -> yyy.yyy.yyy.yyy/32 port 80
[/code]

Where xxx is your public IP and yyy is the internal IP of the box you're redirecting to

You'll also need to modify your /etc/pf.conf and add a line like the following:

[code]
pass in quick on $ExtIF proto tcp from any to yyy.yyy.yyy.yyy/32 port = 80
[/code]

where yyy is your internal IP address.

You'll also need to install stunnel. If your firewall doesn't have a compiler or the ports collection (and they shouldn't) you can grab the precompiled binary from ftp.openbsd.org

jedaffra
October 9th, 2002, 12:43
:) Thanks guys,

All I did was the following:

Open up /etc/nat.conf
add a line like the following:

[code]
rdr on xl0 proto tcp from any to xxx.xxx.xxx.xxx/32 port 80 -> yyy.yyy.yyy.yyy/32 port 80
[/code]

Where xxx is your public IP and yyy is the internal IP of the box you're redirecting to


That was it. I didn't include the line for pf.conf
I just pfctl -N /etc/nat.conf then surfed to my domain name and voila - I was served.

Is it possible there will be security implications for not including the pf.conf lines you suggested?

elmore
October 9th, 2002, 12:47
It depends on your ruleset. If you were running a default deny then you would certainly have some problems accessing your page; sounds like you have an open ruleset though.
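
To make the point of elmore's two replies concrete (the rdr line alone is enough on an open ruleset, but a default-deny ruleset needs a matching pass rule), here is an added example of a complete /etc/pf.conf in the OpenBSD 3.1-era syntax used in this thread. It is not from the thread or from the OpenBSD documentation; the interface names, addresses and macro names are placeholders. The rdr line from the post above stays in /etc/nat.conf and is loaded with pfctl -N; this file is loaded with pfctl -R. (On OpenBSD 3.2 and later nat.conf was folded into pf.conf, and from 4.7 redirection is written as a rdr-to option on a match or pass rule instead of a separate rdr rule.)

```conf
# /etc/pf.conf  (OpenBSD 3.1-era syntax; load with: pfctl -R /etc/pf.conf)
# Companion /etc/nat.conf (load with: pfctl -N /etc/nat.conf) holds:
#   rdr on xl0 proto tcp from any to 203.0.113.10/32 port 80 -> 192.168.1.20/32 port 80
# All names and addresses below are placeholders for this example.
ExtIF  = "xl0"
IntIF  = "fxp0"
WebSrv = "192.168.1.20"

# Default deny: anything not explicitly passed below is dropped.
block in all
block out all

# rdr rewrites the destination BEFORE the filter rules see the packet,
# so this rule must match the internal server address, not the public one.
# Without it, on a default-deny ruleset the redirected request is dropped
# (the "security implications" question above works the other way round:
# leaving it out does not open anything, it just blocks the redirect).
# keep state lets the server's replies back out without a separate rule.
pass in quick on $ExtIF proto tcp from any to $WebSrv port = 80 flags S/SA keep state

# Let the translated request leave on the inside interface toward the server.
pass out quick on $IntIF proto tcp from any to $WebSrv port = 80 keep state

# Let the LAN and the firewall itself reach the Internet (stateful).
pass in  quick on $IntIF from any to any keep state
pass out quick on $ExtIF from any to any keep state
```

With only pfctl -N and no pf.conf loaded at all, pf passes everything it does not translate, which is why the redirect "just worked" in the post above; the pass rule only becomes necessary, and the rest of the ruleset only becomes protective, once a default block is in place.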

elmore
October 9th, 2002, 14:13
I split your post and moved it into the OpenBSD security section Jedaffra. :D