Re: WWW to go public, if pf would let me

2007-06-11 Thread Greg Thomas

On 6/9/07, Marti Martinez [EMAIL PROTECTED] wrote:

On 6/9/07, Bray Mailloux [EMAIL PROTECTED] wrote:
 So, I'm trying to get my WWW server, public: 64.142.102.11; private:
 192.168.1.4, to answer requests from the internet. Each time I try to
 access the public address, via firefox, the browser claims it does not
 exist.

Try some more basic network layer stuff -- can you ping it? Telnet to
port 80? If yes on the latter, you're good. Also, apply a little
thought-powder and do some troubleshooting, or explain to us what
you've done -- can you get the pages locally? How about with PF turned
off?

More info will help!



Yes, more troubleshooting on Bray's part would help.  He needs to
build some basic routines when he encounters troubles like these.
Basically, if I don't have a good idea where the problem might lie, I
start from the bottom and work up.  For me a simple routine in this
case would be to rule out network configs, rule out PF, rule out DNS
issues, and rule out httpd issues, with some intermediary steps between
those.

Greg

--
http://ticketmastersucks.org/tracker.html

Dethink to survive - Mclusky



Re: WWW to go public, if pf would let me

2007-06-10 Thread Bryan Vyhmeister

On Jun 9, 2007, at 9:28 PM, Darren Spruell wrote:


So, not sure about the connections failing. As for your aliases, check
hostname.if(5) and you'll see that IPv4 interface aliases typically
have full /32 subnet masks.


Is this true? All of my interfaces with aliases have the same netmask  
as the actual netmask. Using /32 as the netmask has not worked for  
me. However, on FreeBSD for example, you need to use /32 or it will  
not work. At least this is true on a legacy FreeBSD 5.5 machine I  
will soon be rid of.


Bryan



Re: WWW to go public, if pf would let me

2007-06-10 Thread Bryan Vyhmeister

On Jun 9, 2007, at 9:28 PM, Darren Spruell wrote:


So, not sure about the connections failing. As for your aliases, check
hostname.if(5) and you'll see that IPv4 interface aliases typically
have full /32 subnet masks.


Sorry! I spoke too soon. I find that it works either with the /32 or  
the actual netmask. According to hostname.if(5) it is not clear  
except that the example given shows /32 as the netmask for aliases.  
Are there any problems with using the actual netmask?


Bryan



Re: WWW to go public, if pf would let me

2007-06-10 Thread Darren Spruell

On 6/9/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

On Jun 9, 2007, at 9:28 PM, Darren Spruell wrote:

 So, not sure about the connections failing. As for your aliases, check
 hostname.if(5) and you'll see that IPv4 interface aliases typically
 have full /32 subnet masks.

Sorry! I spoke too soon. I find that it works either with the /32 or
the actual netmask. According to hostname.if(5) it is not clear
except that the example given shows /32 as the netmask for aliases.
Are there any problems with using the actual netmask?


Nowadays, I don't know. It used to be back in the days of
/etc/ifaliases that you'd have problems getting the alias in the
routing table correctly unless you gave the alias a full
255.255.255.255 netmask. Nowadays I don't know if it really matters,
but I stick with it because that's what all the references say.

e.g.: http://marc.info/?l=openbsd-misc&m=95202862819912&w=2

DS



WWW to go public, if pf would let me

2007-06-09 Thread Bray Mailloux

Hello Everyone;

# ifconfig -A
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:50:bf:3a:2e:66
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
   inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
   inet 64.142.102.9 netmask 0xffffff00 broadcast 64.142.102.255
   inet 64.142.102.10 netmask 0xffffff00 broadcast 64.142.102.255
   inet 64.142.102.11 netmask 0xffffff00 broadcast 64.142.102.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:13:46:30:0b:b2
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
   inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:19:5b:3d:12:12
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::219:5bff:fe3d:1212%vr0 prefixlen 64 scopeid 0x3
   inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255

# cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#Macros

# 192.168.0.1 subnet
ext_ip=64.142.102.8
int_ip=192.168.0.1
int_block=192.168.0.0/24
#DMZ subnet
#Interface
dmz_ip=192.168.1.1
dmz_block=192.168.1.0/24
#DNS 1
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
#DNS 2
shelly=192.168.1.3
pub_shelly=64.142.102.10
#WWW 1
www_ip=192.168.1.4
pub_www=64.142.102.11
#DMZ Services
services={ domain, www, smtp, }
#Normalizing
scrub in all

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www

#Redirection
rdr on rl1 proto tcp from any to 64.142.102.11 port 80 -> $www_ip port 8000
rdr on rl1 proto udp from any to any port domain -> $shelly
rdr on rl1 proto udp from any to any port domain -> $scarlett

#Default block policy
block all

#Anti-spoofing
block in quick from urpf-failed

#vr0 traffic
pass in on vr0 proto tcp from $int_block to any port 6112
pass in on vr0 proto tcp from $int_block to any port 80
pass in on vr0 proto tcp from $int_block to 207.212.58.16 port 25
pass in on vr0 proto { udp, icmp } from $int_block to any

#rl1 traffic
pass in log on rl1 proto tcp from $dmz_block to $www_ip port 80
pass in log on rl1 proto udp from $dmz_block to $shelly port domain
pass in log on rl1 proto udp from $dmz_block to $scarlett port domain
pass out on rl1 proto tcp from $www_ip to any port 80
pass out on rl1 proto udp from $shelly to any port domain
pass out on rl1 proto udp from $scarlett to any port domain

#rl0 traffic
pass in on rl0 inet proto { tcp, udp } all modulate state
pass out on rl0 proto { tcp, udp, icmp } all modulate state
pass in log on rl0 proto tcp from any to $www_ip port 80
pass in log on rl0 proto udp from any to $shelly port domain
pass in log on rl0 proto udp from any to $scarlett port domain

#dmesg
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 931 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 401108992 (391708K)
avail mem = 357941248 (349552K)
using 4278 buffers containing 20180992 bytes (19708K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 10/14/00, BIOS32 rev. 0 @ 0xfd8a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd8a0/0x760
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xa000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82810E" rev 0x03: rng active, 7Kb/sec
vga1 at pci0 dev 1 function 0 "Intel 82810E Graphics" rev 0x03: aperture at 0xf8000000, size 0x4000000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 "Intel 82801AA Hub-to-PCI" rev 0x02
pci1 at ppb0 bus 1
rl0 at pci1 dev 11 function 0 "Realtek 8139" rev 0x10: irq 5, address 00:50:bf:3a:2e:66
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 13 function 0 "D-Link Systems 530TX+" rev 0x10: irq 9, address 00:13:46:30:0b:b2
rlphy1 at rl1 phy 0: RTL internal PHY
vr0 at pci1 dev 14 function 0 "VIA VT6105 RhineIII" rev 0x86: irq 10, address

Re: WWW to go public, if pf would let me

2007-06-09 Thread Marti Martinez

On 6/9/07, Bray Mailloux [EMAIL PROTECTED] wrote:

So, I'm trying to get my WWW server, public: 64.142.102.11; private:
192.168.1.4, to answer requests from the internet. Each time I try to
access the public address, via firefox, the browser claims it does not
exist.


Try some more basic network layer stuff -- can you ping it? Telnet to
port 80? If yes on the latter, you're good. Also, apply a little
thought-powder and do some troubleshooting, or explain to us what
you've done -- can you get the pages locally? How about with PF turned
off?

More info will help!

Marti



--
Systems Programmer, Principal
Electrical & Computer Engineering
The University of Arizona
[EMAIL PROTECTED]



Re: WWW to go public, if pf would let me

2007-06-09 Thread Darren Spruell

On 6/9/07, Bray Mailloux [EMAIL PROTECTED] wrote:

Hello Everyone;

# ifconfig -A
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:50:bf:3a:2e:66
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
inet 64.142.102.9 netmask 0xffffff00 broadcast 64.142.102.255
inet 64.142.102.10 netmask 0xffffff00 broadcast 64.142.102.255
inet 64.142.102.11 netmask 0xffffff00 broadcast 64.142.102.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:13:46:30:0b:b2
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:19:5b:3d:12:12
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::219:5bff:fe3d:1212%vr0 prefixlen 64 scopeid 0x3
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255

# cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#Macros

# 192.168.0.1 subnet
ext_ip=64.142.102.8
int_ip=192.168.0.1
int_block=192.168.0.0/24
#DMZ subnet
#Interface
dmz_ip=192.168.1.1
dmz_block=192.168.1.0/24
#DNS 1
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
#DNS 2
shelly=192.168.1.3
pub_shelly=64.142.102.10
#WWW 1
www_ip=192.168.1.4
pub_www=64.142.102.11
#DMZ Services
services={ domain, www, smtp, }
#Normalizing
scrub in all
#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www

#Redirection
rdr on rl1 proto tcp from any to 64.142.102.11 port 80 -> $www_ip port 8000
rdr on rl1 proto udp from any to any port domain -> $shelly
rdr on rl1 proto udp from any to any port domain -> $scarlett

#Default block policy
block all

#Anti-spoofing
block in quick from urpf-failed

#vr0 traffic
pass in on vr0 proto tcp from $int_block to any port 6112
pass in on vr0 proto tcp from $int_block to any port 80
pass in on vr0 proto tcp from $int_block to 207.212.58.16 port 25
pass in on vr0 proto { udp, icmp } from $int_block to any

#rl1 traffic
pass in log on rl1 proto tcp from $dmz_block to $www_ip port 80
pass in log on rl1 proto udp from $dmz_block to $shelly port domain
pass in log on rl1 proto udp from $dmz_block to $scarlett port domain
pass out on rl1 proto tcp from $www_ip to any port 80
pass out on rl1 proto udp from $shelly to any port domain
pass out on rl1 proto udp from $scarlett to any port domain

So, I'm trying to get my WWW server, public: 64.142.102.11; private:
192.168.1.4, to answer requests from the internet. Each time I try to
access the public address, via firefox, the browser claims it does not
exist.


"Does not exist" is a vague error description. What happens when you
attempt a simple socket connection (with telnet or nc, etc.) to the
IP/port it uses? There are many variables (DNS, etc.) in testing with
a browser; simplify your test to a focused tool. Also, you're testing
this from the Internet, not from your internal network, right?

Although by the time I've written this someone else has already solved
your problem, generally speaking, it helps to reduce your pf.conf to
as simple a configuration as you can to isolate the issues. You can
load the trimmed down ruleset from an alternate file and diagnose just
the components you need to. For me personally, following your use of
macros and jumping up and down the ruleset requires more time than I'm
willing to commit. :)

So, not sure about the connections failing. As for your aliases, check
hostname.if(5) and you'll see that IPv4 interface aliases typically
have full /32 subnet masks.

DS
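Darren's suggestion to trim the ruleset and look at one component at a time, done mechanically: an added example (not the poster's configuration tooling nor anything from the pf project) that expands the macros of the pf.conf quoted above and applies three checks a reviewer would make by eye. The ruleset string is the relevant subset of the original post with the `->` arrows restored; that rl0 is the external interface comes from the `groups: egress` line in the ifconfig output. The three checks are this example's own heuristics; the only pf semantics they rely on are that `rdr` applies to packets entering the interface it names and that the last matching filter rule wins.

```python
"""Static check of the pf.conf posted in this thread (added example, not
the poster's or the pf project's code). It expands the macros and then
applies three mechanical checks: a redirect on an interface that never
sees the traffic it names, a redirect for a public address that a binat
already translates, and a 'pass in' on the external interface that
matches everything. 'rl0' as the external interface comes from the
'groups: egress' line in the posted ifconfig output; the checks are
this example's heuristics."""
import ipaddress
import re

# Subset of the posted /etc/pf.conf (pre-4.7 syntax, '->' restored).
PF_CONF = """\
ext_ip=64.142.102.8
int_block=192.168.0.0/24
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
shelly=192.168.1.3
pub_shelly=64.142.102.10
www_ip=192.168.1.4
pub_www=64.142.102.11
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www
rdr on rl1 proto tcp from any to 64.142.102.11 port 80 -> $www_ip port 8000
rdr on rl1 proto udp from any to any port domain -> $shelly
block all
block in quick from urpf-failed
pass in on rl0 inet proto { tcp, udp } all modulate state
pass out on rl0 proto { tcp, udp, icmp } all modulate state
pass in log on rl0 proto tcp from any to $www_ip port 80
pass in log on rl0 proto udp from any to $shelly port domain
"""


def parse(text):
    """Return (macros, rules) with every $macro in the rules expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)=(.*)$", line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        rules.append(re.sub(r"\$(\w+)",
                            lambda mm: macros.get(mm.group(1), mm.group(0)),
                            line))
    return macros, rules


def _field(rule, key):
    """Token following 'key' in a rule ('on', 'from', 'to', '->'), or None."""
    m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(key), rule)
    return m.group(1) if m else None


def _is_public(addr):
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:          # 'any', a name, or no address at all
        return False


def check(rules, ext_if):
    """Return (code, rule) findings for the three heuristics."""
    findings = []
    binat_public = {_field(r, "->") for r in rules if r.startswith("binat ")}
    for r in rules:
        if r.startswith("rdr "):
            # rdr is applied to packets entering the interface it names, and
            # packets for a public address enter only on the external one.
            if _field(r, "on") != ext_if and _is_public(_field(r, "to")):
                findings.append(("RDR_WRONG_IF", r))
            # A binat already maps this public address 1:1; an rdr to another
            # port on top of it is a second, conflicting translation.
            if _field(r, "to") in binat_public:
                findings.append(("RDR_BINAT_OVERLAP", r))
        elif r.startswith("pass in") and _field(r, "on") == ext_if:
            # Last matching rule wins: a portless 'all' pass on the external
            # interface overrides 'block all' for every inbound tcp/udp flow.
            if (" all" in r or "from any to any" in r) and " port " not in r:
                findings.append(("PASS_IN_ALL", r))
    return findings


if __name__ == "__main__":
    _, expanded = parse(PF_CONF)
    for code, rule in check(expanded, "rl0"):
        print("%-18s %s" % (code, rule))
```

On the posted ruleset this reports the port-80 redirect twice (it sits on rl1, and it stacks a port-8000 redirect on an address the binat already maps) and the `pass in on rl0 ... all` line, which is the rule that actually decides what the Internet may reach on this box. Load a trimmed file with `pfctl -nf file` to syntax-check it before `pfctl -f file`, as pfctl(8) documents.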