I can't connect my DMZ webserver!

2003-03-30 Thread dreamer
hi! 

Following is my network.

                  rl0
          xl0    ||-- DMZ (webserver, dns, ftp)
router --| OBSD 3.2 |
                 ||-- client
                  rl1

Problem is my webserver (Win2000). This webserver has 3 sites.

My pf.conf is as follows.
xl0=128.134.54.151
rl0=192.168.0.1
rl1=10.0.0.1
webserver=192.168.0.2

//
rdr on xl0 proto tcp from any to 128.134.54.151 port 80 -> 192.168.0.2 port 80

For test:
If I use a single site on my webserver (Linux), that is ok! I can
connect to my webserver!

If I telnet to my webserver, I can connect to port 80.
ex) telnet www.xxx.xx.xx 80
GET / HTTP/1.0
= I got "page not found"!

Can anyone help me?

ps) I am not familiar with English. I am sorry! (for my expression!)



Re: I can't connect my DMZ webserver!

2003-03-30 Thread Daniel Hartmeier
On Sun, Mar 30, 2003 at 10:15:50PM +0900, dreamer wrote:

> If I telnet to my webserver, I can connect to port 80.
> ex) telnet www.xxx.xx.xx 80
> GET / HTTP/1.0
> = I got "page not found"!

The problem is not with pf or the redirection, but name based virtual
hosting at the web server. If you don't use dedicated IP addresses for
each domain, the web client must provide the domain in the HTTP host
header, otherwise the web server has no way of knowing which of the
several domains the client wants.

Try

  $ telnet www.xxx.xx.xx 80
  GET / HTTP/1.0
  Host: www.domain.tld

and see http://httpd.apache.org/docs/vhosts/name-based.html.

If the HTTP TCP connection is redirected, you get an established
connection, and can talk HTTP to the web server, the problem is beyond
pf.

Daniel
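To make the point above concrete, here is a small model of how a name-based virtual host server chooses a site from the HTTP Host header. It is an added example, not code from this thread or from any web server; the three vhost names are constructed placeholders. Without a Host header (the plain `GET / HTTP/1.0` from the first post) the server can only fall back to a default site, or to a 404 if none is configured, which is exactly the symptom described.

```python
"""Minimal model of name-based virtual hosting (added example, not from
the original thread or from any web server).  The vhost names below are
constructed placeholders."""

# Constructed vhost table: Host header value (lower-case) -> site label.
VHOSTS = {
    "www.site-a.example": "site-a",
    "www.site-b.example": "site-b",
    "www.site-c.example": "site-c",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, version, headers).

    Header names are case-folded because HTTP header names are
    case-insensitive; the body, if any, is ignored here.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def select_vhost(headers, default_site=None):
    """Pick the site for a request the way a name-based vhost server does.

    With no Host header (plain "GET / HTTP/1.0") or an unknown name the
    server cannot tell which site is wanted and falls back to its default
    site, or to nothing at all if no default is configured.
    """
    host = headers.get("host")
    if host is None:
        return default_site
    # Drop an optional :port and case-fold; DNS names are case-insensitive.
    # (Host names and IPv4 literals only; bracketed IPv6 literals are not handled.)
    name = host.split(":", 1)[0].lower()
    return VHOSTS.get(name, default_site)


def handle(raw, default_site=None):
    """Return (status_code, site) for a raw request; 404 when no site matches."""
    _method, _path, _version, headers = parse_request(raw)
    site = select_vhost(headers, default_site)
    if site is None:
        return 404, None
    return 200, site


if __name__ == "__main__":
    # The same request with and without the Host header, as in the thread.
    print(handle(b"GET / HTTP/1.0\r\n\r\n"))
    print(handle(b"GET / HTTP/1.0\r\nHost: www.site-b.example\r\n\r\n"))
```

Running it shows `(404, None)` for the bare request and `(200, 'site-b')` once the Host header is present; the redirection in pf never sees the difference, since both requests arrive on the same TCP connection to port 80.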



antispoof vs. ip aliases

2003-03-30 Thread Srebrenko Sehic
$ cat /etc/hostname.fxp0 
inet 10.0.3.20 255.0.0.0 NONE 
inet alias 10.1.3.20 255.0.0.0
inet alias 10.2.3.20 255.0.0.0
inet alias 10.3.3.20 255.0.0.0
inet alias 10.4.3.20 255.0.0.0
inet alias 10.5.3.20 255.0.0.0

$ grep antispoof /etc/pf.conf
antispoof for fxp0

Loading this ruleset will result in,

$ pfctl -sr | grep '10.0.0.0/8' 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 

Hence, we get a block statement for each alias, which is I guess fine if
aliases have different masks, but in this case, it's kind of unnecessary.

No?

This is on x86/-current from 4 days ago.

// haver



Re: antispoof vs. ip aliases

2003-03-30 Thread Henning Brauer
On Sun, Mar 30, 2003 at 06:16:10PM +0200, Srebrenko Sehic wrote:
> $ cat /etc/hostname.fxp0
> inet 10.0.3.20 255.0.0.0 NONE
> inet alias 10.1.3.20 255.0.0.0
> inet alias 10.2.3.20 255.0.0.0
> inet alias 10.3.3.20 255.0.0.0
> inet alias 10.4.3.20 255.0.0.0
> inet alias 10.5.3.20 255.0.0.0
>
> $ grep antispoof /etc/pf.conf
> antispoof for fxp0
>
> Loading this ruleset will result in,
>
> $ pfctl -sr | grep '10.0.0.0/8'
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
>
> Hence, we get a block statement for each alias, which is I guess fine if
> aliases have different masks, but in this case, it's kind of unnecessary.
>
> No?

yes, that is known. I don't see a real world problem with this; the effect
is zero as skip steps solve that nicely.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: antispoof vs. ip aliases

2003-03-30 Thread Srebrenko Sehic
On Sun, Mar 30, 2003 at 06:29:09PM +0200, Henning Brauer wrote:

> yes, that is known. I don't see a real world problem with this; the effect
> is zero as skip steps solve that nicely.

Hurray for skip-steps then ;) However, imagine having tons of
aliases; resulting filter rules might get a bit ugly.

Without checking, can't this be fixed rather easily? Check on the
netmask; if same as non-aliased mask, skip it.



Re: antispoof vs. ip aliases

2003-03-30 Thread Henning Brauer
On Sun, Mar 30, 2003 at 06:45:36PM +0200, Srebrenko Sehic wrote:
> On Sun, Mar 30, 2003 at 06:29:09PM +0200, Henning Brauer wrote:
> > yes, that is known. I don't see a real world problem with this; the effect
> > is zero as skip steps solve that nicely.
> Hurray for skip-steps then ;) However, imagine having tons of
> aliases; resulting filter rules might get a bit ugly.

well, I don't think that is worth quite some extra code to detect those...

> Without checking, can't this be fixed rather easily? Check on the
> netmask; if same as non-aliased mask, skip it.

didn't look, isn't that trivial I think... perhaps I check later

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
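The expansion discussed in this thread, and the netmask check Srebrenko proposes, as an added example (not pf's code and not from the thread). Only the `block drop in on ! <if> inet from <net> to any` form that appears in the quoted `pfctl -sr` output is modelled; real pf emits further rules and handles more cases. The address list is constructed from the `hostname.fxp0` listing above.

```python
"""Model of antispoof expansion over interface aliases (added example,
not pf's code).  Only the network block rule shown in the thread's pfctl
output is modelled."""

import ipaddress

# Constructed from the hostname.fxp0 listing in the thread: (address, mask).
# The mask may be a dotted netmask (IPv4) or a prefix length.
FXP0_ADDRS = [
    ("10.0.3.20", "255.0.0.0"),
    ("10.1.3.20", "255.0.0.0"),
    ("10.2.3.20", "255.0.0.0"),
    ("10.3.3.20", "255.0.0.0"),
    ("10.4.3.20", "255.0.0.0"),
    ("10.5.3.20", "255.0.0.0"),
]


def antispoof_rules(ifname, addrs, dedup=False):
    """Expand `antispoof for <ifname>` into one network block rule per address.

    With dedup=False every address, alias or not, yields a rule (the
    behaviour the thread shows: six identical rules).  With dedup=True an
    alias whose network/mask equals one already emitted is skipped, which
    is the "check on the netmask" suggested in the thread; aliases with a
    different mask still get their own rule.
    """
    rules = []
    seen = set()
    for addr, mask in addrs:
        # strict=False masks the host bits off: 10.3.3.20/255.0.0.0 -> 10.0.0.0/8
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if dedup:
            if net in seen:
                continue
            seen.add(net)
        af = "inet6" if net.version == 6 else "inet"
        rules.append(f"block drop in on ! {ifname} {af} from {net} to any")
    return rules


if __name__ == "__main__":
    for rule in antispoof_rules("fxp0", FXP0_ADDRS):
        print(rule)
    print("--- with dedup ---")
    for rule in antispoof_rules("fxp0", FXP0_ADDRS, dedup=True):
        print(rule)
```

The naive expansion reproduces the six identical rules from the post; with `dedup=True` the same input collapses to one rule, while an alias on a different network (say a /24 alongside the /8) still produces its own block rule, which is the case the thread agrees must be kept.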



NEWBIE: alias or vlan?

2003-03-30 Thread s c o t t
Hello,
I have some questions about extending my home LAN.
System: OpenBSD 3.2 +latest security patches applied. Dual Linksys TX100 
Nics. One connected to DSL modem, one connected to LAN. PF configured to NAT 
my internal network.

My nextdoor neighbor gave me a Cisco 350 wireless access point so he could 
hijack some of my bandwidth. I agreed but want to maintain control.

Here are my questions:
1) Initially I have thought about setting up a vlan on my internal Nic
for the network I will assign to the wireless segment. Is this preferred 
over assigning an alias with ifconfig?

2) To restrict things a bit I was going to cfg the WAP to grab an IP from 
DHCP and I was going to configure DHCP for this segment to be limited to two 
addresses (with something equivalent to a 255.255.255.254 subnet mask).

3) I would like to augment my pf ruleset to block traffic from the wireless 
segment to the wired (and maybe vice versa). It seems, at least 
conceptually, that this will be easier to do if I go the VLAN route vs. 
adding an alias but again I really don't know. Any thoughts?

4) I assume with either case I will need to extend my NAT rule to NAT this 
new traffic from the VLAN (or alias)?

5) Lastly it seems like the pf man page and HOWTO use the notation /N 
following an IP address to indicate which octets matter (i.e. 192.168.1.0/24 
means the last three octets). Is this correct?

So, if hypothetically I defined some things in my pf.conf:
EXT=ep1
INT=ep0
LAN=192.168.1.0/24
VLAN=192.168.2.0/24
Could I stipulate that my VLAN network address was 192.168.2.10 with a 
netmask of 255.255.255.254 and would the similar notation,
VLAN=192.168.2.10/24

still be valid (for the two hosts 192.168.2.10 and .11)?

Thanks so much.

scott rankin
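Question 5 above asks what the /N suffix denotes. The following added example (not from the thread) uses Python's ipaddress module to show that /N counts the leading bits fixed by the mask, not octets, and what 192.168.2.10/24 versus 255.255.255.254 (a /31) actually covers; the addresses are the ones the post uses.

```python
"""What the address/N notation in pf.conf denotes (added example, not
from the thread).  /N is the number of leading bits fixed by the mask;
the example uses the addresses and masks quoted in the post."""

import ipaddress


def netmask_to_prefix(netmask):
    """Dotted IPv4 netmask -> prefix length: 255.255.255.254 -> 31."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def describe(cidr):
    """Summarise an address/N pair as a packet filter reads it.

    strict=False lets a host address such as 192.168.2.10/24 stand in for
    its network, i.e. the host bits are masked off.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        # A /31 (RFC 3021) or /32 has no separate network and broadcast
        # address, so every address in it is usable.
        first, last = net.network_address, net.broadcast_address
        usable = net.num_addresses
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }


def covers(cidr, host):
    """True if `host` falls inside the network denoted by `cidr`."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    print(netmask_to_prefix("255.255.255.254"))
    print(describe("192.168.2.10/24"))
    print(describe("192.168.2.10/31"))
```

Run as written, it reports that 192.168.2.10/24 is read as the whole 192.168.2.0/24 network (254 usable hosts), while 255.255.255.254 corresponds to /31, so 192.168.2.10/31 denotes exactly the two hosts .10 and .11.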


