port forwarding
Gary Koskenmaki
Wed Jul 23 15:46:52 CEST 2008
On Wed, 2008-07-23 at 08:45 +0200, Erwin Rennert wrote:
> Gary Koskenmaki wrote:
> > Hi all,
> >
> > I've read the mailing list archives and don't see anything similar to
> > the problem I'm having.
> >
> > I have a test lab in which I use fiaif for the gateway firewall, an
> > apache server, and a workstation. I have set up fiaif to port forward
> > www traffic to the apache server and that works fine from any non-local
> > IP address. However, I have a problem reaching the apache server
> > through the gateway from the workstation. Telnetting into the server
>
> If your workstation and the web server are on the same network traffic
> needn't and shouldn't go through the gateway at all. Why would you want
> that? And how do you achieve that??
>
> I don't think you can filter traffic coming from one zone and going to
> the same zone. Coming from INT and going to INT will not even touch
> rules in EXT.
>
> If for some reason you don't want to connect directly (i.e. without
> gateway interference) you should move the server to a different zone
> such as DMZ
I was afraid of that. I'll just set up a DMZ. I was going to anyway, I
just haven't had the time to work through it and get it all going, as the
machine that runs Apache runs my internal DNS too.
I know, not good to do that, but I don't have enough machines available
to run everything on separate machines. The box itself has been hardened
quite a bit, and I have some pretty restrictive rules in place with
ModSecurity on Apache, so it's not as bad as it could be.
However, I've done this before with broadband cable routers, e.g. SMC,
Linksys, etc., and it has always worked. I'm just wanting to build my
own so I have a "real" firewall rather than the junk firewalls they put
on the cheap routers, and it's a good way to build my skills.
>
> Erwin
>
> > tells me "connection refused" although I know the port is open.
> > Sniffing the traffic from a browser attempting to access the web server
> > from the workstation on the lan shows the firewall is giving me packets
> > with the rst,ack flags set.
> >
> > Can anyone give me a clue as to how to work around this? I'm pretty
> > puzzled as to what I'm doing wrong. My best guess is that fiaif is
> > denying my access to the web server because it's having trouble
> > forwarding traffic from EXT that originates in INT back into INT. Would
> > moving the web server over to the DMZ zone fix this problem?
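The failure Gary describes and the zone explanation Erwin gives, as an added example that is not part of the thread and not fiaif's code or configuration: a small Python model of netfilter's PREROUTING, routing, FORWARD and POSTROUTING order on a two-zone gateway, run against three rule sets. The first forwards only traffic arriving on EXT, so a LAN client's packet for the public address ends up in the gateway's own INPUT chain and is answered with a reset; the second adds the DNAT for INT clients but no SNAT, so the web server replies straight to the workstation across the LAN and the workstation resets a reply it has no socket for; the third adds the SNAT that makes hairpin NAT work. The addresses, interface names (eth0 = EXT, eth1 = INT), the reject-with-tcp-reset on INPUT and the generic iptables lines in the comments are all assumptions chosen to mirror the lab, not fiaif's rule syntax.

```python
# Hairpin (NAT loopback) model of a two-zone gateway: EXT on eth0, INT on eth1.
# Constructed example, not fiaif's code or configuration; addresses and interface
# names are assumptions chosen to mirror the lab described in the thread.
import ipaddress
from collections import namedtuple

LAN = ipaddress.ip_network("192.168.1.0/24")
GW_EXT, GW_INT = "203.0.113.10", "192.168.1.1"        # gateway's EXT / INT addresses
SERVER, WORKSTATION = "192.168.1.20", "192.168.1.50"  # both live in the INT zone
INTERNET_CLIENT = "198.51.100.7"

Packet = namedtuple("Packet", "src dst sport dport")
# One netfilter rule; fields mirror iptables -i / -o / -s / -d / --dport / --to-*.
Rule = namedtuple("Rule", "chain target in_iface out_iface src_net dst dport to",
                  defaults=[None] * 6)

def matches(rule, pkt, in_iface, out_iface=None):
    return (rule.in_iface in (None, in_iface)
            and rule.out_iface in (None, out_iface)
            and (rule.src_net is None
                 or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net))
            and rule.dst in (None, pkt.dst)
            and rule.dport in (None, pkt.dport))

def route(ip):  # routing decision: LAN addresses leave via eth1, everything else via eth0
    return "eth1" if ipaddress.ip_address(ip) in LAN else "eth0"

class Gateway:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}  # post-NAT 4-tuple -> original packet, to reverse NAT on replies

    def first(self, chain, pkt, in_iface, out_iface=None):
        return next((r for r in self.rules
                     if r.chain == chain and matches(r, pkt, in_iface, out_iface)), None)

    def handle(self, pkt, in_iface):
        """PREROUTING -> routing -> INPUT or FORWARD -> POSTROUTING for one new packet."""
        orig = pkt
        r = self.first("PREROUTING", pkt, in_iface)
        if r and r.target == "DNAT":          # DNAT is applied before the routing decision
            pkt = pkt._replace(dst=r.to)
        if pkt.dst in (GW_EXT, GW_INT):       # still addressed to the gateway: INPUT chain
            # Assumption: nothing listens on the gateway and its filter policy answers with
            # tcp-reset, which is the RST,ACK from the firewall reported in the thread.
            return "INPUT-reject-tcp-reset", pkt, None
        out_iface = route(pkt.dst)
        r = self.first("FORWARD", pkt, in_iface, out_iface)
        if not (r and r.target == "ACCEPT"):  # FORWARD policy is DROP
            return "FORWARD-drop", pkt, out_iface
        r = self.first("POSTROUTING", pkt, in_iface, out_iface)
        if r and r.target == "SNAT":          # SNAT is applied after routing
            pkt = pkt._replace(src=r.to)
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = orig
        return "FORWARD", pkt, out_iface

    def handle_reply(self, reply):
        """Undo both translations on a reply that came back through the gateway."""
        orig = self.conntrack.get((reply.dst, reply.dport, reply.src, reply.sport))
        if orig is None:
            return "FORWARD-drop", reply
        return "FORWARD", Packet(orig.dst, orig.src, orig.dport, orig.sport)

def connect(rules, client, in_iface):
    """Client opens TCP to the gateway's public address on port 80; returns what it sees."""
    gw = Gateway(rules)
    verdict, fwd, _ = gw.handle(Packet(client, GW_EXT, 40000, 80), in_iface)
    if verdict != "FORWARD":
        return "connection refused: " + verdict
    synack = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)  # server answers what it saw
    if ipaddress.ip_address(synack.dst) in LAN and synack.dst != GW_INT:
        # Server and client share a subnet, so the reply never touches the gateway; the
        # client holds a socket to GW_EXT:80, not SERVER:80, and answers it with RST.
        return "asymmetric reply from %s, client resets" % synack.src
    verdict, delivered = gw.handle_reply(synack)
    if verdict == "FORWARD" and delivered.src == GW_EXT and delivered.dst == client:
        return "connected"
    return "reply dropped: " + verdict

# 1. Plain port forward that matches only packets arriving on EXT (the thread's setup):
#    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20
#    iptables -A FORWARD -i eth0 -o eth1 -d 192.168.1.20 -p tcp --dport 80 -j ACCEPT
EXT_ONLY = [
    Rule("PREROUTING", "DNAT", in_iface="eth0", dport=80, to=SERVER),
    Rule("FORWARD", "ACCEPT", in_iface="eth0", out_iface="eth1", dst=SERVER, dport=80),
]
# 2. The same DNAT for INT clients, but no SNAT: the server replies to them directly.
HAIRPIN_NO_SNAT = EXT_ONLY + [
    Rule("PREROUTING", "DNAT", in_iface="eth1", src_net=str(LAN), dst=GW_EXT, dport=80, to=SERVER),
    Rule("FORWARD", "ACCEPT", in_iface="eth1", out_iface="eth1", dst=SERVER, dport=80),
]
# 3. Hairpin NAT: also SNAT to the gateway's INT address so the reply path is symmetric.
#    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 192.168.1.20 -p tcp --dport 80 \
#             -j SNAT --to-source 192.168.1.1
HAIRPIN = HAIRPIN_NO_SNAT + [
    Rule("POSTROUTING", "SNAT", out_iface="eth1", src_net=str(LAN), dst=SERVER, dport=80, to=GW_INT),
]
```

Running `connect(EXT_ONLY, WORKSTATION, "eth1")` reproduces the reset Gary sniffed, `connect(HAIRPIN_NO_SNAT, WORKSTATION, "eth1")` shows why a DNAT-only "fix" fails on a flat LAN, and `connect(HAIRPIN, WORKSTATION, "eth1")` connects; Internet clients connect under all three. Two caveats for anyone choosing the hairpin route over the DMZ Erwin recommends: with the SNAT in place the web server sees every LAN client as the gateway's INT address, so ModSecurity rules and access logs lose the real client identity, and the FORWARD rule for eth1-to-eth1 traffic is exactly the intra-zone filtering Erwin notes a zone-based firewall does not otherwise apply. Moving the server to a DMZ avoids both, because the reply then has to cross the gateway anyway.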