10th November 2010
thefronny
Port Guard
Join Date: Oct 2008
Posts: 37
I can see jailed apache but the world cannot

I have an openbsd/pf firewall between my dsl router and the internal lan. I'm new to pf but I figured everything out except world access to a jailed apache server. The layout is pretty much this (I have deleted my attempt to serve the webserver since it wasn't working. Deleting it had no effect.):

Quote:
(123.456.789.101) static address
dsl router
(10.0.0.1)
|
(10.0.0.2)
firewall
(192.168.1.1)
|
(192.168.1.2)
server ---->jailed apache(192.168.1.13)
I can ping and ssh into the jail fine, just as if it were a different box, and I can jexec into it when I'm on the host box. The router forwards ssh login requests to the firewall, and that works, and http requests to the jail IP address; that doesn't work. Everything else is refused. All the machines in the internal network can get pages served from the jailed apache, and also pages from an apache process running on the jail's host, but the internet cannot get the jailed pages. What rule do I need? Everything else is OK. My pf.conf is below. It is by and large trial-and-error and cut-and-paste:

Code:
## Macros

ext_if="fxp0"
int_if="xl0"
internal_net="192.168.1.0/24"

##================================
## Tables

table <brutes> persist file "/var/db/brutes"

##================================
## Options

# Set the default policy to return RSTs or ICMPs for blocked traffic.
set block-policy return

# Optimize parsing algorithms
set optimization normal

# Ignore the loopback interface entirely.
set skip on lo0

# Check for address spoofing
antispoof for fxp0 inet

##================================
## Normalize

match log on $ext_if all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1460)

##================================
## Translation

match out on egress from $int_if:network to any nat-to (egress)

##================================
## Filtering

# Default deny rule, with all blocked packets logged.
block log all

# Drop the infected IP addys without further ruleset parsing.
block in quick log on $ext_if from <brutes> to any

# Add persistent ssh login attempts to the brutes table (10 per source IP, 2 attempts in 5 sec. max.)
pass in on $ext_if proto tcp to port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/5, overload <brutes> flush)

# Outgoing POP3 to receive mail
pass out on $ext_if proto tcp from $internal_net to any port = 110 keep state

# Outgoing SMTP to send mail
pass out on $ext_if proto tcp from $internal_net to any port = 25 keep state

# Pass all traffic to and from the local network
pass quick on $int_if all

# Permit all traffic going out
pass out keep state


##================================
Thanks for any pointers.

tf
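As an added example (not from the poster or anyone in the thread): the inbound port-forward the ruleset above is missing, written in the OpenBSD 4.7+ pf syntax that the existing match/nat-to rules already use. It assumes the DSL router forwards TCP port 80 to the firewall's external address 10.0.0.2 rather than to 192.168.1.13, which the router cannot reach through the firewall's NAT; the web_jail macro name is made up here.

```pf
## Macros (from the posted ruleset, plus one added macro)
ext_if="fxp0"
int_if="xl0"
internal_net="192.168.1.0/24"
web_jail="192.168.1.13"     # jail address from the diagram; macro name assumed

## Translation (unchanged from the post)
match out on egress from $int_if:network to any nat-to (egress)

## Filtering
# Default deny; anything not explicitly passed below is dropped and logged.
block log all

# Redirect HTTP that arrives at the firewall's own external address to the
# jail. pf uses last-match semantics, so this pass must come AFTER
# "block log all" or the block would override it. ($ext_if) in parentheses
# tracks the interface address at runtime, so a renumbered DSL link still
# works. The state created here also carries the jail's replies back out.
pass in log on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    rdr-to $web_jail

# (the poster's ssh, POP3 and SMTP rules go here unchanged)

# LAN traffic, including the redirected requests leaving toward the jail.
pass quick on $int_if all
pass out keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; once an outside client connects, `pfctl -ss` should list a TCP state for 192.168.1.13 port 80, and `tcpdump -n -e -ttt -i pflog0` will show the logged packets if it does not.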