port forwarding
Erwin Rennert
Wed Jul 23 08:45:47 CEST 2008
Gary Koskenmaki wrote:
> Hi all,
>
> I've read the mailing list archives and don't see anything similar to
> the problem I'm having.
>
> I have a test lab in which I use fiaif for the gateway firewall, an
> apache server, and a workstation. I have set up fiaif to port forward
> www traffic to the apache server and that works fine from any non-local
> IP address. However, I have a problem reaching the apache server
> through the gateway from the workstation. Telnetting into the server

If your workstation and the web server are on the same network, traffic
needn't and shouldn't go through the gateway at all. Why would you want
that? And how do you achieve that??

I don't think you can filter traffic coming from one zone and going to
the same zone. Coming from INT and going to INT will not even touch
rules in EXT.

If for some reason you don't want to connect directly (i.e. without
gateway interference) you should move the server to a different zone
such as DMZ.

Erwin

> tells me "connection refused" although I know the port is open.
> Sniffing the traffic from a browser attempting to access the web server
> from the workstation on the lan shows the firewall is giving me packets
> with the rst,ack flags set.
>
> Can anyone give me a clue as to how to work around this? I'm pretty
> puzzled as to what I'm doing wrong. My best guess is that fiaif is
> denying my access to the web server because it's having trouble
> forwarding traffic from EXT that originates in INT back into INT. Would
> moving the web server over to the DMZ zone fix this problem?