Re: FreeBSD 6.1 and 6.2 i386 firewall or NAT block web mail applications



Yes. You may be right. But I fixed it the other way. I did not
understand it. I just changed
${fwcmd} add fwd 127.0.0.1,8843 tcp from any to any 443 in keep-state
to
${fwcmd} add fwd 127.0.0.1,8843 tcp from any to any 443 in via tun0 keep-state
Now everything is working. I am using pppoe. tun0 is another interface
dealing with ppp. In the local network, we have to use https://ip:8843,
but from outside, people can use https://ip to get my web server with
SSL.
By the way, I used FIREWALL_DEFAULT_TO_ACCEPT and recompiled the kernel.
Tell you another trick: the GENERIC kernel is working for pppoe. But
when you recompile with firewall, it won't work for pppoe any more.
You have to add options NETGRAPH, options NETGRAPH_PPPOE and
NETGRAPH_SOCKET.
Besides, you cannot delete device keyboard. If you delete device
keyboard, you won't type anything when it prompts login:

On 11/28/06, Julian Elischer <julian@xxxxxxxxxxxx> wrote:
fulan Peng wrote:
> Hi,
> I need some help with FreeBSD firewall with NAT. I have made pppoe and
> NAT working with both 6.1 release and 6.2 RC i386. All I want is to
> forward port 443 to port 8843. I added a line in the OPEN portion in
> the rc.firewall file:
> ${fwcmd} add fwd 127.0.0.1,8843 tcp from any to any 443 in keep-state


how about:
${fwcmd} add fwd 127.0.0.1,8843 tcp from any to me 443 in keep-state

(or specify the actual address you want to forward)

> Now, when I type https://myserver's ip, it will forward to a proxy
> server listening at 8843. This is good. But, in the local network,
> nobody can access the yahoo and google mail.
> I made another kernel with the options IPFIREWALL_DEFAULT_TO_ACCEPT.
> When I ipfw, there is only one rule:
> allow ip from any to any
> This is good.
> When I added a line
> ipfw add fwd 127.0.0.1,8843 from any to any 443 in keep-state
> again, it won't work with any web email applications.
> I added a line like this
> ${fwcmd} add pass tcp from any to any 25 setup
> Still it won't work.
> pen at both 6.1 and 6.2 are not working. I remember it works only with
> 7.0-current.
> I have only 3 options when I compile the kernel:
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPDIVERT
>
> in order to get pppoe to work, I added
> options NETGRAPH
> options NETGRAPH_PPPOE
> options NETGRAPH_SOCKET
>
> my rc.conf is like this
> gateway_enable="YES"
> hostname=...
> ifconfig_ed0=...
> ppp_enable="YES"
> ppp_nat="YES"
> ppp_profile="sympatico"
> ppp_mode="ddial"
> firewall_enable="YES"
> firewall_type="OPEN"
>
> By the way, I have made this mistake twice:
> Comment out firewall_enable and firewall_type, the default rule is to
> lock out anybody. I could not access my remote server. I wish you
> would not do this like me.
> The best way is to have an options IPFIREWALL_DEFAULT_TO_ACCEPT. The
> problem is: whenever you add some rule, it will block web mails!
> _______________________________________________
> freebsd-current@xxxxxxxxxxx mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@xxxxxxxxxxx"
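Added example, not from the thread and not real ipfw code: a toy Python model of how the three rule variants discussed above (the original "to any 443 in", Julian's "to me 443 in", and the working "to any 443 in via tun0") match packets, run over constructed packets. It assumes ed0 is the LAN interface, tun0 the pppoe interface, and that the gateway owns the two made-up addresses in MY_ADDRS.

```python
"""Toy matcher for the subset of ipfw syntax used in the thread:
proto, destination ("any" / "me" / address), dst port, "in", "via IFACE".
The point it shows: a LAN client's outbound HTTPS to a web-mail site
arrives on the gateway's LAN interface as an "in" packet, so
"fwd 127.0.0.1,8843 tcp from any to any 443 in" hijacks it into the
local proxy.  Restricting with "to me" or "via tun0" leaves it alone."""
from dataclasses import dataclass
from typing import Optional

# Assumed gateway addresses: LAN side on ed0, pppoe side on tun0 (constructed)
MY_ADDRS = {"192.168.1.1", "203.0.113.5"}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str       # interface the packet was received on
    direction: str   # "in" or "out", as ipfw sees it on the gateway

@dataclass
class Rule:
    dst: str = "any"                 # "any", "me", or a literal address
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in" / "out" / None (either)
    via: Optional[str] = None        # interface name or None (any)

    def matches(self, p: Packet) -> bool:
        if p.proto != "tcp":
            return False
        if self.dst == "me":
            if p.dst not in MY_ADDRS:     # "me" = any address the box owns
                return False
        elif self.dst != "any" and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.via is not None and p.iface != self.via:
            return False
        return True

RULES = {                                 # the three fwd rules from the thread
    "any_in": Rule("any", 443, "in"),                 # original, broke web mail
    "me_in": Rule("me", 443, "in"),                   # Julian's suggestion
    "any_in_via_tun0": Rule("any", 443, "in", "tun0"),  # fulan's working fix
}

def forwarded(rule_name: str, p: Packet) -> bool:
    """True if the named fwd rule would catch the packet (send it to :8843)."""
    return RULES[rule_name].matches(p)

# Constructed packets (documentation-range addresses)
LAN_TO_WEBMAIL = Packet("tcp", "192.168.1.20", "198.51.100.10", 443, "ed0", "in")
LAN_TO_GATEWAY = Packet("tcp", "192.168.1.20", "192.168.1.1", 443, "ed0", "in")
INET_TO_GATEWAY = Packet("tcp", "192.0.2.77", "203.0.113.5", 443, "tun0", "in")
```

The last packet set also reproduces the observation that with "via tun0" LAN clients must use port 8843 directly, since their connection to the gateway's own address on ed0 never matches the forward.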
