sebastien yapo on 13 Feb 2017 19:39:01 -0800



Re: [PLUG] Can't access to Webserver Packet Filter OpenBSD. Need help please!


Thank you all,

The policy for outbound is the following: pf should let everyone from the Internet access the webserver in the DMZ, and requests from the LAN to the DMZ should be allowed. Outside the network means on the Internet. There is a mistake on the diagram; the webserver is on CentOS (10.81.81.3).

-------------------------------->
Inside the LAN, the snapshot of the network when accessing the webserver is:
echo -n "GET / HTTP/1.0\r\n\r\n" | nc 10.81.81.3 80
HTTP/1.1 200 OK
Date: Tue, 14 Feb 2017 03:23:53 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Last-Modified: Sun, 22 Jan 2017 23:04:44 GMT
ETag: "66-546b6e89b0d03"
Accept-Ranges: bytes
Content-Length: 102
Connection: close
Content-Type: text/html; charset=UTF-8

<title> Attecoube.net : Tout au sujet de notre commune</title><h1> Apache Web server is running</h1>

But trying to access it from the Internet using DynDNS, the following message occurred:

echo -n "GET / HTTP/1.0\r\n\r\n" | nc attecoube.homelinux.com 80
attecoube.homelinux.com [172.16.16.2] 80 (http) : No route to host

On the firewall, tcpdump shows me activity from the LAN to the DMZ on port 80 and SSH traffic to the firewall.


---------------------------------->Pf.conf
#MACROS

lan_if = "bce0"   # 172.16.16.0/28 and 192.168.1.0
wan_if = "re0"    # 216.164.232.109
dmz_if = "sk0"    # 10.81.81.0/28
nameservers = "{ 208.59.247.45, 8.8.8.8 }"

#OPTIONS
set skip on lo
set block-policy drop

#NORMAL TRAFFIC
pass in on $lan_if tag allowed
pass in on $dmz_if tag allowed
pass proto { tcp, udp } to $nameservers port domain
pass in on $wan_if proto { tcp, udp } to $nameservers port domain
pass out on $dmz_if proto { tcp, udp } to $nameservers port domain

#NAT RULES
match out on $wan_if inet from ($lan_if:network) to any nat-to ($wan_if)
match out on $wan_if inet from ($dmz_if:network) to any nat-to ($wan_if)


#BLOCKING AND PACKET TAGGING
block inet6
block all



#NAT INBOUND TO DMZ
pass out on $wan_if tag allowed
pass out from { ($wan_if), $lan_if }

#POLICY ENFORCEMENT


# Redirect all requests from the Internet to the web server in the DMZ
pass in on egress proto tcp from any to any port 20144 rdr-to 172.16.16.1
pass in on egress proto tcp from any to any port 80 rdr-to 10.81.81.3

block return    # block stateless traffic
pass
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
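
As an added example, not code from the thread: the same three-interface layout written as a single loadable pf.conf. The interface names, subnets, web server address and nameservers are the ones posted above; the rule layout and everything else is an assumption. Two points it makes that the posted file does not: pf macro names have to be plain identifiers, so the subnet annotations live in their own macros or in comments, and pf keeps the last matching rule, so the default block goes before the pass rules rather than after them.

```pf
# Added example (not from the thread): a loadable pf.conf for the
# WAN / LAN / DMZ layout described above. Addresses and interface names
# are taken from the posted config; the rule layout is an assumption.

wan_if = "re0"        # 216.164.232.109
lan_if = "bce0"       # 172.16.16.0/28
dmz_if = "sk0"        # 10.81.81.0/28
lan_net = "172.16.16.0/28"
dmz_net = "10.81.81.0/28"
webserver = "10.81.81.3"
nameservers = "{ 208.59.247.45, 8.8.8.8 }"

set skip on lo
set block-policy drop

# Default deny goes FIRST: pf uses the last matching rule, so a
# "block all" placed after the pass rules would silently override them.
block all
block inet6

# Source NAT for LAN and DMZ hosts going out to the Internet
match out on $wan_if inet from { $lan_net, $dmz_net } to any nat-to ($wan_if)

# Internet -> DMZ web server. rdr-to rewrites the destination before the
# filter decision, so this one rule both translates and passes the packet.
pass in on $wan_if inet proto tcp from any to ($wan_if) port 80 rdr-to $webserver

# LAN may reach the DMZ and the Internet
pass in on $lan_if inet from $lan_net to any

# DMZ may only resolve names on its own; replies to redirected web
# connections are already covered by the state created above
pass in on $dmz_if inet proto { tcp, udp } from $dmz_net to $nameservers port domain

# Let the firewall forward matched traffic out the WAN and DMZ sides
pass out on { $wan_if, $dmz_if } inet

# SSH to the firewall itself
pass in on $wan_if inet proto tcp from any to ($wan_if) port ssh
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (`-n` parses without applying), then `pfctl -sr` shows the rules actually in effect and `pfctl -ss` the states created by a test connection. The rdr rule can only act on packets that arrive on $wan_if, so the DynDNS name must resolve to the public address of that interface; a name that resolves to a private address never reaches the firewall from outside.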

 

On Mon, Feb 13, 2017 at 12:00 PM, Keith C. Perry <kperry@daotechnologies.com> wrote:
Sebastien,

I don't use pf so I'm going to be high level with questions.

1) What is the default policy for outbound traffic... outbound meaning to your DMZ and internet?
2) "webserver  from outside my network"...  on your DMZ or internet?
3) have you been able to run a packet capture on your firewall to see what is happening to the packets?


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.


From: "sebastien yapo" <yaposebastien@gmail.com>
To: plug@lists.phillylinux.org
Sent: Sunday, February 12, 2017 10:43:32 PM
Subject: [PLUG] Can't access to Webserver Packet Filter OpenBSD. Need help please!

Good evening everyone,

I am experiencing an issue accessing a webserver from outside my network since I started using a Router/Firewall with OpenBSD. However, I am able to access the firewall from outside by SSH. Network diagram and pf.conf file are attached to this email.

Thanks for your support.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
