Re: Apache 1.3 Problems

On Wed, 17 Sep 2008, Ian Smith wrote:

On Tue, 16 Sep 2008 17:48:48 +1000 (EST) mark@xxxxxxxxxx wrote:
> > On Tue, 16 Sep 2008 mark@xxxxxxxxxx wrote:

From a digest post, trimming a bit ..

> >>> After 3 years, by apache 1.3 server quite working. It shows a
> >>> PID, it's running, it can be stopped and restarted, and from FreeBSD
> >>> the home page comes up using lynx http://andrsn.stanford.edu
> >>>
> >>> But from outside, it times out.
> >>>
> >>> I have run the texts for valid configuration (I haven't changed
> >>> anything) and I actually rebooted the machine. The texts are okay and
> >>> rebooting doesn't help.
> >>>
> >>> The machine is pingable. It's running FreeBSD 5.5 or so.
> >>>
> >>> What to do next?
> >>>
> >>> Annelise
> >>> _______________________________________________
> >>
> >> Hmm..
> >> Can it connect to the outside world at all itself? Has the network
> >> changed
> >> at all recently? Did the server restart at all and if so are the
> >> firewall
> >> rules (if any) permitting external traffic?
> >>
> >> You could check the apache logs to see if any external connections are
> >> getting through to the box at all, too.
> >>
> >> Is the lynx test connecting from the same box to itself? or from another
> >> FreeBSD box..?
> >
> >>From the same box to itself.

What about from other boxes 'inside' your domain?

> >> --
> >> Also, what Chris said would cover most of these. :)
> >>
> >> Cheers,
> >> Mark
> >
> > Chris wrote:
> >
> >>Sounds like a (probebly external) firewall issue. Just because pings get
> >>through, doesn't mean the http requests are.
> >
> > No firewall on my machine.

No, but there are (hopefully :) Stanford firewall/s between you and the
outside world. Might they have upgraded policy about allowing inbound
port 80 connections to boxes not known/expected to be running servers?

> >>I'd run ngrep or tcpdump on the console and double-check that the packets
> >>are actually making it to the server.
> >
> >>Also, do a "sockstat -4" and make sure it's listening on the approprate
> >>IP.
> >
> > Thank you both--
> >
> > sockstat -4 show that it's listening on *:80, which is right.
> > Neither tcpdump (assuming I'm reading it correcting) nor httpd-access.log
> > shows any tcp packets at all getting through except when lynx is run
> > from the machine on which apache is running after Sept 12 at 2:12 a.m.
> > Thus, I assume packets are not getting to the server, except when
> > requested from the local machine.

Sounds like your machine is setup ok, but inbound tcp setup packets are
apparently getting blocked upstream.

> > email and ftp are working--and I can log into the machine remotely--
> > so stuff is getting out and in. tcpdump shows a lot of other activity,

Specific like 'tcpdump -pn -i $iface tcp port 80' quells other noise.

> > So, I'm stumped.
> >
> > Annelise

Ok, ping and DNS look fine. I (also) can traceroute your box this far:

14 bbrb-isp.Stanford.EDU (171.64.1.155) 193.489 ms 193.562 ms 195.603 ms
15 * * *
16 * * *
17 * * *
18 * *^C

I don't know whether you allow inbound traceroutes? but the question
now is, how many routers between you and and bbrb-isp.Stanford.EDU ?

Can you show us a 'traceroute bbrb-isp.Stanford.EDU' from your machine?

> This might sound like an odd test, but try configuring it to sit on a port
> other than 80 (8080, for example) and seeing if you get the same problem
> there.
>
> Cheers,
> Mark

If you're thinking what I'm thinking, 8080's just as unlikely to work :)

cheers, Ian

I think port 80 is being filtered. I have started talking to the admins.
The traceroute looks like this--

andrsn 2:23PM ~ % traceroute bbrb-isp.Stanford.EDU
traceroute to bbrb-isp.Stanford.EDU (171.64.1.155), 64 hops max, 40 byte packets
1 goz-srtr-vlan910.Stanford.EDU (171.66.112.1) 0.610 ms 0.571 ms 0.711 ms
2 * bbra-rtr.Stanford.EDU (172.20.4.1) 1.093 ms *
3 * * *
4 * * *
....and so forth indefinitely.

When I filter out non-tcp traffic nothing shows up at all.

I have not tried another port yet, but will do that now.

Annelise
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • PPPOE xDSL Firewall with IPTABLES
    ... don't know how to modify my firewall to account for this. ... Starts and stops the IPTABLES packet filter \ ... # Kill malformed XMAS packets ... # server/client to server query or response ...
    (comp.os.linux.networking)
  • Re: Strange web site loading/DNS problem
    ... If the site sends out packets of 1500 bytes, and there is a router between ... When I can't get to the site, I get the typical traceroute: ... I have also changed the DNS server info in my router, ...
    (microsoft.public.windows.server.dns)
  • Re: tracert from A to B dies just before reaching B -- and vice versa?
    ... traceroute died just before reaching 67.43.158.218. ... the default is to use UDP packets. ... come as a surprise to you, but neither ICMP or UDP is used for SSH ... Dozens of explanations - most probably is the fact that firewall rules ...
    (comp.os.linux.networking)
  • RE: Firewall Rule Set not allowing access to DNS servers?
    ... I changed the DNS rules as you suggested, and the firewall works perfectly - ... > # Allow out access to my ISP's Domain name server. ... > so your udp packets never match this rule and default to ...
    (freebsd-questions)
  • Re: Cant ping
    ... You mention that the server is seeing the packets, ... have you tried making sure the XP firewall is ... is on the same network as the XP machine. ...
    (microsoft.public.windows.server.sbs)