Gabriele:

A) Did you test the redirection with simpler rules like

       rdr proto tcp from any to $wwwserver_ext port 80 -> $wwwserver_int port 80

   If that works, then test your rules.
B) Re-check that $wwwserver_int has your BSD firewall as its default GW.
C) Debug the packets with tcpdump: run a tcpdump on port 80 on both fw interfaces and find where the problem is.
D) If you can, move to Apache on BSD ;)

Hope it helps... Good Luck

On Mon, 2004-05-03 at 07:48, Gabriele Oleotti wrote:
> Hello everybody,
> I have the following problem (I've been working on it for about 5 days) and I'm not able
> to solve it. I have a web server on a Win2k + IIS box on my internal network that is
> working fine, and I want it to be accessible from the internet through my OpenBSD
> box (which has a public IP).
>
> The problem is that I'm not able to access it. Accessing the internal server from the
> openbsd box is ok (lynx http://my.internal.web.srv), but when I try connecting
> from the outside world, it results in a 'Page cannot be displayed' from IE. Does
> anybody know why? Or can anybody point me in the right direction?
>
> Thank you,
> Gabriele
>
> Here is my pf.conf:
>
> int_if = "fxp0"
> ext_if = "fxp1"
>
> ext_addr = "nnn.nnn.nnn.nnn"
> int_addr = "my.internal.net"
>
> icmp_types = "echoreq"
>
> tcp_services = "{ 23 }" # "{ 23, 80 }"
>
> RDR = "rdr pass on" $ext_if "proto tcp from any to" $ext_addr "port"
> RDR_UDP = "rdr pass on" $ext_if "proto udp from any to" $ext_addr "port"
>
> # SSH
> openssh_port = "22"
> openssh_int_addr = "my.internal.srv"
>
> # Terminal Server
> ts_port = "3389"
> ts_int_addr = "my.terminal.srv"
>
> # WEB
> web_port = "80"
> web_ssl_port = "443"
> web_int_addr = "my.web.srv"
>
> # VPN
> # --> PPTP
> gre = "47" # GRE = IP protocol 47
> pptp_port = "1723"
>
> # --> L2TP/IPSec with NAT-T
> esp = "50" # IPSEC-ESP = IP protocol 50
> ah = "51" # IPSEC-AH = IP protocol 51
> l2tp_port = "1701"
> isakmp_port = "500"
> natt_port = "4500"
>
> # --> VPN Server
> vpn_int_addr = "my.vpn.srv"
>
> priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"
>
> # Set default response for block filter rules
> set block-policy return
>
> # Turn on log on the external interface
> set loginterface $ext_if
>
> # Scrub all incoming traffic
> scrub in all
>
> # NAT all internal network
> nat on $ext_if from $int_if:network to any -> $ext_if
>
> # Use ftp-proxy for internal FTP clients to connect to Internet FTP servers
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> # Redirect OpenSSH traffic to internal server
> $RDR $openssh_port -> $openssh_int_addr port $openssh_port
>
> # Redirect Terminal Server traffic to internal server
> $RDR $ts_port -> $ts_int_addr port $ts_port
>
> # Redirect Web traffic
> $RDR $web_port -> $web_int_addr port $web_port
> $RDR $web_ssl_port -> $web_int_addr port $web_ssl_port
>
> # Redirect PPTP traffic to internal server
> $RDR $pptp_port -> $vpn_int_addr port $pptp_port
> rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr
>
> # Redirect L2TP traffic to internal server
> #$RDR_UDP $l2tp_port -> $vpn_int_addr port $l2tp_port
> $RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
> $RDR_UDP $natt_port -> $vpn_int_addr port $natt_port
> #rdr pass on $ext_if proto $esp from any to $ext_addr -> $vpn_int_addr
> #rdr pass on $ext_if proto $ah from any to $ext_addr -> $vpn_int_addr
>
> # ==> DEFAULT DENY
> block all
>
> # pass all traffic on the loopback interface
> pass quick on lo0 all
>
> # block all traffic coming from/to private networks on the external interface
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> # open port for incoming allowed TCP traffic on the external interface
> pass in on $ext_if inet proto tcp from any to \
>     $ext_if port $tcp_services flags S/SA keep state
>
> # open allowed ICMP traffic
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # permit all traffic through the internal interface
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> # permit all outgoing traffic to the Internet
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> # permit incoming connections to ftp-proxy
> pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

-- 
G [EMAIL PROTECTED]
I -
T Juan Pablo Feria Gomez.
h / Network Administrator/Transportes Pitic S.A. de C.V.
+ M + Ud?s+:+a-C++ULBP+L++$E---W++N--o--wM-PS+PE++Yt---X--R--tv--D+G e
You know you've spent too much time on the computer when you spill milk and the first thing you think is, 'edit, undo.'
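The reply's step A asks Gabriele to compare his macro-built rules against one plain rdr rule. Because the quoted pf.conf builds its redirects out of nested macros ($RDR contains $ext_if and $ext_addr, and a rule line then appends the port), it is easy to misread what pf actually loads. The following Python script is an added example for this thread, not code from either poster: it expands pf.conf macros the way pf's parser does (quoted strings and $macro references in a definition are joined with single spaces, and $name in rule lines is substituted), so the effective rdr rules can be read side by side with the simple test rule. It also separates the rules written as "rdr pass", which pf translates and passes without consulting the filter ruleset, from plain "rdr", whose translated packets still have to get past "block all". The config excerpt embedded below is constructed from the quoted pf.conf and keeps the poster's placeholder addresses.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed excerpt of the pf.conf quoted in the thread (placeholder
# names such as nnn.nnn.nnn.nnn and my.web.srv are the poster's own).
SAMPLE_PF_CONF = r'''
int_if = "fxp0"
ext_if = "fxp1"
ext_addr = "nnn.nnn.nnn.nnn"
tcp_services = "{ 23 }" # "{ 23, 80 }"
RDR = "rdr pass on" $ext_if "proto tcp from any to" $ext_addr "port"
openssh_port = "22"
openssh_int_addr = "my.internal.srv"
web_port = "80"
web_int_addr = "my.web.srv"
gre = "47"  # GRE = IP protocol 47
vpn_int_addr = "my.vpn.srv"
nat on $ext_if from $int_if:network to any -> $ext_if
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
$RDR $openssh_port -> $openssh_int_addr port $openssh_port
$RDR $web_port -> $web_int_addr port $web_port
rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr
block all
pass in on $ext_if inet proto tcp from any to \
    $ext_if port $tcp_services flags S/SA keep state
'''

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
# A macro value is a sequence of "quoted strings" and $references.
TOKEN = re.compile(r'"([^"]*)"|\$([A-Za-z_]\w*)|(\S+)')


def _strip_comment(line: str) -> str:
    """Drop a '#' comment, but not a '#' that sits inside double quotes."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            break
        out.append(ch)
    return ''.join(out).strip()


def _logical_lines(text: str) -> Iterator[str]:
    """Yield non-empty lines with backslash continuations joined."""
    buf = ''
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line.endswith('\\'):          # continued on the next physical line
            buf += line[:-1] + ' '
            continue
        line = (buf + line).strip()
        buf = ''
        if line:
            yield line


def expand(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (macro table, rule lines with every $macro substituted)."""
    macros: Dict[str, str] = {}
    rules: List[str] = []

    def lookup(name: str) -> str:
        if name not in macros:
            raise KeyError(f'macro ${name} used before it is defined')
        return macros[name]

    for line in _logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.groups()
            parts = []
            for tok in TOKEN.finditer(value):
                quoted, ref, bare = tok.groups()
                if ref is not None:
                    parts.append(lookup(ref))      # nested macro, e.g. $ext_if inside RDR
                elif quoted is not None:
                    parts.append(quoted)
                else:
                    parts.append(bare)
            macros[name] = ' '.join(parts)
            continue
        expanded = MACRO_REF.sub(lambda r: lookup(r.group(1)), line)
        rules.append(' '.join(expanded.split()))   # normalise whitespace
    return macros, rules


def rdr_rules(rules: List[str]) -> List[str]:
    """Every translation rule of the rdr family, as pf will load it."""
    return [r for r in rules if r.startswith('rdr ')]


def filter_bypassing(rules: List[str]) -> List[str]:
    """'rdr pass' rules: pf passes the translated packet without running the
    filter rules, so the later 'block all' never applies to these flows."""
    return [r for r in rules if r.startswith('rdr pass ')]


if __name__ == '__main__':
    macros, rules = expand(SAMPLE_PF_CONF)
    print('RDR macro expands to:', macros['RDR'])
    print('\nEffective rdr rules (compare with the one-line test rule from step A):')
    for r in rdr_rules(rules):
        tag = 'bypasses filter rules' if r in filter_bypassing(rules) else 'subject to filter rules'
        print(f'  [{tag}] {r}')
```

Reading the output against the thread: the web redirect expands to "rdr pass on fxp1 proto tcp from any to nnn.nnn.nnn.nnn port 80 -> my.web.srv port 80", which is the same shape as the step A test rule, so the macro layering itself is not the problem; that leaves the internal server's default gateway (step B) and a tcpdump on both interfaces (step C) as the next checks. The ftp-proxy redirect, by contrast, is a plain "rdr" and so still needs a matching pass rule.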