Firewall problems [Solved]

Support section for FREESCO v0.3.x

Postby Bettes » Wed Nov 11, 2009 10:54 am

Hi,

I recently upgraded my server from etch to lenny. After that I was unable to connect to my apache server for connections coming from the internet :(
I started messing around and now I am not sure what is causing the problem: my freesco machine or something else.
The report is attached.


network topology

internet <===> modem/router <== 10.0.0.x ==> freesco <== 192.168.1.x ==> Lan <===> webserver (fixed ip)
                                                                            <===> pc1


The freesco machine has a forwarding rule for traffic arriving at port 80 to port 80 of the webserver.
If I connect to my webserver using pc1 it is working without a problem.

If I connect to my freesco machine with ssh and start nmap on the eth0 interface (ip = 10.0.0.x) then I see that port 80 is filtered.
The freesco machine still has the original webserver and control panel working on ports 81 and 82, and these ports are shown as open.

So my question is: does freesco block port 80 or is the webserver rejecting the traffic?
Last edited by Bettes on Sun Nov 15, 2009 5:15 am, edited 2 times in total.
Bettes
Newbie
Posts: 24
Joined: Fri Jul 12, 2002 3:08 am
Location: Belgium

Re: Firewall problems

Postby Howler » Wed Nov 11, 2009 1:10 pm

Hello,

032 is quite old for me to remember exactly, so I had to get the image and create a disk again :-/

Looking at your report.txt, this part had me wondering:
----- cat /etc/portfw.cfg | sed s/\#.*// -----

all,80,80,192.168.1.3


Looking at the disk I just made and taking info from the portfw.cfg file, at the top I see this:
## System portforwarding config.

# Examples:
# NOTE: replace this (1.2.3.4) IP addr with the IP of your internal client PC.

# tcp,81,80,1.2.3.4
# This command will make your internal www server at 1.2.3.4:80
# worldwide visible on your external address x.y.z.n:81


I would suggest using "tcp", not the "all" that you have.

Howler

ALSO: if needed, add another line that uses 'udp' instead of 'tcp'; this "should" be the same as what you are trying to do with "all", as I presume you want tcp AND udp to forward.
Howler
Advanced Member
Posts: 227
Joined: Wed Nov 14, 2001 12:24 am
Location: Wisconsin USA

Re: Firewall problems

Postby Bettes » Wed Nov 11, 2009 2:07 pm

Hi Howler,

Thanks for the reply.

I remembered that when things were working I only used tcp.
I have changed the forwarding rule but the problem remains the same :(
Bettes
Newbie
Posts: 24
Joined: Fri Jul 12, 2002 3:08 am
Location: Belgium

Re: Firewall problems

Postby phillipsjk256 » Wed Nov 11, 2009 6:32 pm

Is your server trying to configure itself via DHCP?

If so, you must either disable that or set a "static" DHCP lease.

You are presented with that option when configuring the "43. DHCP server" option in the "advanced" menu.

/etc/dhcp.cfg
# This file lists optional static dhcp leases.
# All lines beginning with a "#" are comments and ignored.
#
# Sample:
#
# host win98 {
# fixed-address 192.168.0.10;
# hardware ethernet 00:80:af:82:8a:7c;
# }
phillipsjk256
Junior Member
Posts: 40
Joined: Tue Mar 01, 2005 3:55 am

Re: Firewall problems

Postby Bettes » Thu Nov 12, 2009 2:33 pm

Hi phillipsjk256,

My server uses a static IP address. So it is not that :(

So I have been reading a lot about ipfwadm. I discovered that you can check your firewall rules as follows.

If I execute the following

$>ipfwadm -c -W eth0 -V 10.0.0.2 -I -P tcp -S 10.0.0.138/32 80 -D 10.0.0.2/32 80
packet accepted


and also

$>ipfwadm -c -W eth1 -V 192.168.1.1 -O -P tcp -S 192.168.1.1/32 80 -D 192.168.1.3/32 80
packet accepted


then it looks to me that my rules are correct. The tcp packet enters freesco at eth0 on 10.0.0.2:80 and leaves again at eth1 on 192.168.1.1:80.
But I am not sure :?

My network settings are:
modem
eth0 = 10.0.0.138

freesco
eth0 = 10.0.0.2
eth1 = 192.168.1.1

webserver
eth0 = 192.168.1.3
Bettes
Newbie
Posts: 24
Joined: Fri Jul 12, 2002 3:08 am
Location: Belgium

Re: Firewall problems

Postby phillipsjk256 » Thu Nov 12, 2009 5:29 pm

Well, I can't find anything wrong with your freesco configuration, and neither did Howler, so it is likely something "stupid" that was not checked completely.

  • Can you ping the webserver from the LAN? This checks layer 1, 2, 3 connectivity (wires, correct port on switch, IP address).
  • If ping does not work, you can check what IP address the server is using by running "ifconfig" on it.
  • Is your ISP blocking port 80, not freesco? Try connecting from PC1. If it works from there, but not remotely, your ISP is blocking you. If it works from the LAN (using http://192.168.1.3:80), but not PC1 (using http://www.public-facing.ip), freesco is blocking you. On second thought, specifying the port is probably redundant.
phillipsjk256
Junior Member
Posts: 40
Joined: Tue Mar 01, 2005 3:55 am

Re: Firewall problems

Postby Bettes » Thu Nov 12, 2009 5:57 pm

* Can you ping the webserver from the LAN? This checks layer 1, 2, 3 connectivity (wires, correct port on switch, IP address).

Yes I can. On the 192.168.1.X network I can ping the webserver (192.168.1.3).
I can also connect to it with my browser.

* Is your ISP blocking port 80, not freesco? Try connecting from PC1. If it works from there, but not remotely, your ISP is blocking you. If it works from the LAN (using http://192.168.1.3:80), but not PC1 (using http://www.public-facing.ip), freesco is blocking you. On second thought, specifying the port is probably redundant.

Normally my ISP is not blocking the port. I have been using the server for a couple of years already.
That PC1 in my network topology is in the same LAN as my webserver.
I also tried to connect from work, but no result.

This is what I noticed; maybe it gives some clues:

  • When logged in on freesco with ssh I can connect to the server with lynx to 192.168.1.3
  • When logged in on freesco with ssh I cannot connect to the server with lynx to 10.0.0.2
  • On freesco nmap shows port 80 as filtered when scanning 10.0.0.2
  • If I forward port 100 to 192.168.1.5:22 then this port is also shown as filtered
    I was able to use the command: ssh user@192.168.1.5 from freesco
    But the command ssh user@10.0.0.2 -p 100 was not working
Bettes
Newbie
Posts: 24
Joined: Fri Jul 12, 2002 3:08 am
Location: Belgium

Re: Firewall problems

Postby phillipsjk256 » Thu Nov 12, 2009 6:25 pm

I think I found the problem: RFC1918 - Address Allocation for Private Internets

Your report.txt shows that your "public" IP address is 10.0.0.2. This is part of the 10/8 network range reserved for private networks. Did you edit the report.txt file to hide your "real" IP address? If you are getting Internet access from a neighbour or institutional network, they would have to forward port 80 as well (to your freesco box; 10.0.0.2).
Edit: :oops: Ok, now I see the modem/router in the diagram. Can you connect to your webserver from the 10.0.0.x network (using http://10.0.0.2)?

Trying to connect to the forwarded "public" IP address from the router is expected to fail. From the diagram I discerned that "PC1" was sitting outside your network getting its own IP.

I am not sure, but nmap showing port 80 as filtered is probably expected as well. The router is not listening on the port; it is routing packets on that port after "mangling" them.

192.168.1.5 is a new address. Same explanation as above, I guess.
phillipsjk256
Junior Member
Posts: 40
Joined: Tue Mar 01, 2005 3:55 am

Re: Firewall problems

Postby Lightning » Thu Nov 12, 2009 7:22 pm

I have not read this entire thread, but from what I did read you are trying to port forward to an internal web server, which according to your report.txt is configured correctly to do just that. However, what I see is that your modem is also configured to do NAT, and that is where the current problem exists. You have two options at this point. The first is to go into the modem control panel and also port forward port 80 to the router at 10.0.0.2, so that the router can in turn port forward to the internal server at 192.168.1.3.
The second option is to reconfigure the modem in bridge mode, or whatever mode it has, so that it does not do any NAT and the router gets your true external public IP address. This may also require the router to do the login and password negotiation.
Lightning
FREESCO GOD !!
Posts: 12079
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA
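The two checks this thread converged on, as an added example that is not FREESCO code or any poster's script: it parses portfw.cfg lines in the proto,ext_port,int_port,int_ip format Howler quoted, flags a protocol other than 'tcp'/'udp' as he suggested, and flags the double-NAT case phillipsjk256 and Lightning describe, where the box's external address is itself RFC 1918 and the modem in front must forward the port too. The sample rule and the 10.0.0.2 address are taken from the thread; the function names and the warning texts are this example's own.

```python
import ipaddress

# Private ranges from RFC 1918, the point raised by phillipsjk256 above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the rule from Bettes' report.txt and the address
# the FREESCO box had on eth0 in this thread.
SAMPLE_PORTFW = """## System portforwarding config.
all,80,80,192.168.1.3   # forward www to the internal server
"""
SAMPLE_EXTERNAL_IP = "10.0.0.2"

def is_private(ip):
    """True if ip falls in one of the RFC 1918 ranges."""
    return any(ip in net for net in RFC1918)

def parse_portfw(text):
    """Parse proto,ext_port,int_port,int_ip lines; comments and blanks are
    skipped, the same effect as the report's `sed s/\\#.*//`."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected proto,ext_port,int_port,int_ip")
        proto, ext_port, int_port, int_ip = parts
        rules.append((proto.lower(), int(ext_port), int(int_port),
                      ipaddress.ip_address(int_ip)))
    return rules

def check_rules(rules, external_ip):
    """Return warnings for the two things the thread found worth checking."""
    warnings = []
    ext = ipaddress.ip_address(external_ip)
    if is_private(ext):
        # Double NAT: the modem/router in front must forward the port to ext too.
        warnings.append(f"external address {ext} is RFC 1918; the upstream "
                        f"modem/router must also forward these ports to {ext}")
    for proto, ext_port, int_port, int_ip in rules:
        tag = f"rule {proto},{ext_port},{int_port},{int_ip}"
        if proto not in ("tcp", "udp"):
            warnings.append(f"{tag}: use 'tcp' (plus a 'udp' line if needed) "
                            f"instead of '{proto}'")
        if not is_private(int_ip):
            warnings.append(f"{tag}: internal target {int_ip} is not a LAN address")
    return warnings
```

Running check_rules(parse_portfw(SAMPLE_PORTFW), SAMPLE_EXTERNAL_IP) on the sample produces both warnings; a 'tcp' rule behind a public external address produces none.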

Re: Firewall problems

Postby Bettes » Sun Nov 15, 2009 5:13 am

Hi all

Thanks for helping me with my problem. I finally found the reason why I couldn't connect to my server anymore.

Of course it was not a freesco problem !!!!
How could I ever doubt it :(

It turned out that my ISP, Belgacom, has blocked ports since 31/10/2009 due to a hacker attack.
And this without any notice to me.

You can read more in the helpcare section of their portal:
Belgacom open and blocked ports

So thanks a lot for your support !!!
Bettes
Newbie
Posts: 24
Joined: Fri Jul 12, 2002 3:08 am
Location: Belgium