  1. #1
    Untangler
    Join Date
    Apr 2008
    Location
    Santa Rosa, CA
    Posts
    68

    SOLVED: rule list - allow then forward port 81

    I'm running a second webserver on one static IP, and I'm trying to get the firewall to allow port 81 through. After allowing it through, the Networking section takes port 81 and forwards it to port 80 on the correct box.

    The problem I'm having is that the firewall is blocking port 81, so obviously I'm missing something. Here's the rule I created:

    Enable Rule, Pass, Log, TCP/UDP, External, Internal, any, any, any (source port), 81 (destination port)

    I am not able to connect to the webserver as shown above, but if I change the Default Action to Pass, port 81 is forwarded to port 80 on the correct server.

    Theoretically the above rule should allow port 81 to connect, and port forwarding to send the data to the right server. Also, if I try to specify the destination IP address with source port 81 and destination port 80, it does not work either.

    Can you tell me what I'm doing wrong?

    Thanks!
    Last edited by vancocom; 06-25-2008 at 03:03 PM. Reason: Added solved tag

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    18,527

    Default

    Try this..
    Enable: Checked
    Action: pass
    log: checked
    traffic type: TCP
    client interface: external
    server interface: internal
    source address: any
    destination address: WAN IP of UT
    source port: any
    destination port: 81

    Be aware this rule will not allow traffic to pass from the internal network. You will need to specify a second rule that mirrors this one but changes the client interface to internal.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    NexgenAppliances.com
    Phone: 866-794-8879

  3. #3
    Untangler
    Join Date
    Apr 2008
    Location
    Santa Rosa, CA
    Posts
    68

    Default

    Sky-knight, thanks for the response. I tried your suggestion and it did not work. I should have mentioned that I already have a rule allowing all traffic originating from the LAN to access the WAN (enabled, pass, client internal, server external, all other settings "any").

    What I don't understand is that with the rule you suggested, you are just taking port 81 and forwarding it back to itself. Wouldn't that just create a loop constantly forwarding that port to its own IP until the TTL expires? UT is my gateway/router for my network.

    I'm accessing the internal server by going to http://UT_WAN_ip_address:81

    Again, if I allow all incoming traffic through, the original rule I posted works. Hopefully I'm not just being dense...
    Last edited by vancocom; 06-25-2008 at 01:34 PM.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    18,527

    Default

    The firewall controls packets as they impact the interface specified in the client interface. The rule I specified passes and logs TCP traffic destined to port 81 on the external interface of the Untangle server, from any client address and port. Now, that being said, if you have that rule in place and it still isn't working, your issue isn't the firewall. It is the port forward rule. You need to manually specify source interfaces in the forward rule and include both the internal and external interfaces. By default only the external interface is included, and in this configuration the packets won't forward if you connect from the internal network.

  5. #5
    Untangler
    Join Date
    Apr 2008
    Location
    Santa Rosa, CA
    Posts
    68

    Default

    I did what you said regarding the port forwarding, and it still doesn't work.

    There are two things that make me think it is the firewall. First, whenever I try to connect to that IP:port, I see activity at that very moment being blocked. For whatever reason my "firewall block events" log has ALWAYS been blank, so I can't tell exactly what's happening. Second, if you remember I stated that if I changed the Default Action in the firewall to Pass, the port forwarding works perfectly.

    I appreciate your help on this matter, and I look forward to any other suggestions you might have.

  6. #6
    Untangler
    Join Date
    Apr 2008
    Location
    Santa Rosa, CA
    Posts
    68

    Default

    Oddly enough, if I change the Default Action to Pass, get to the server, and change it to block again, I am able to use that site without a problem for that session. Once I cleared my browser history/cookies and tried to reconnect, I was unable to connect.

  7. #7
    Untangle Ninja Silver Bullet's Avatar
    Join Date
    Sep 2007
    Posts
    2,008

    Default

    So you're doing an external to internal port redirect from 81 to 80?

    If that is the case then you will have to allow destination port 80 to that server.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    18,527

    Default

    So the firewall needs port 80 specified instead of 81 or in addition to 81?

  9. #9
    Untangler
    Join Date
    Apr 2008
    Location
    Santa Rosa, CA
    Posts
    68

    Default

    Well whaddaya know... that worked. After adding 80 as being permitted to the inside server, and changing the port 81 back to being allowed to that server instead of the UT WAN IP, it worked.

    I had thought that port redirection took place after going through the firewall, so that the firewall would not be involved with blocking port 80. Obviously I was wrong, and I'll definitely keep this in mind for the future.

    I know I could have had the web server listen on a different port, but I was being stubborn and wanted a typical server configuration.

    Thank you both for your help!!

    Synopsis:

    Create firewall rules allowing ports 80 AND 81 to the IP of the internal web server
    Under Networking, redirect port 81 to 80 going to the same internal web server
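The lesson of this thread, as an added example that is not from the original posts or from Untangle itself: the port redirect rewrites the destination before the firewall rule list is evaluated, so a rule that only permits port 81 never matches the rewritten packet. The addresses, the rule fields and the evaluation order below are modelled on the posts above and are assumptions for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iface: str  # interface the packet arrives on: "external" or "internal"

@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str = "any"
    client_iface: str = "any"
    dst_ip: str = "any"
    dst_port: object = "any"  # int, or "any"

def _m(field, val):
    return field == "any" or field == val

def port_forward(pkt, forwards):
    """Redirect: forwards is a list of (matched dst port, new dst ip, new dst port)."""
    for match_port, new_ip, new_port in forwards:
        if pkt.dst_port == match_port:
            return replace(pkt, dst_ip=new_ip, dst_port=new_port)
    return pkt

def firewall(pkt, rules, default="block"):
    """First matching rule wins; otherwise the Default Action applies."""
    for r in rules:
        if (_m(r.proto, pkt.proto) and _m(r.client_iface, pkt.iface)
                and _m(r.dst_ip, pkt.dst_ip) and _m(r.dst_port, pkt.dst_port)):
            return r.action
    return default

def evaluate(pkt, forwards, rules):
    """Order observed in the thread: redirect first, then the firewall rules."""
    return firewall(port_forward(pkt, forwards), rules)

WAN_IP = "203.0.113.10"      # placeholder for the UT WAN address (constructed)
WEB_SERVER = "192.168.1.20"  # placeholder for the internal web server (constructed)
FORWARDS = [(81, WEB_SERVER, 80)]
# Constructed inbound request to http://WAN_IP:81 from an outside client.
INBOUND = Packet("TCP", "198.51.100.5", 40000, WAN_IP, 81, "external")
# The original rule from post #1: permit port 81 only. After the redirect the
# packet is addressed to WEB_SERVER:80, so this never matches and the default blocks it.
ORIGINAL_RULES = [Rule("pass", "TCP", "external", "any", 81)]
# The synopsis: permit 80 and 81 to the internal web server.
FIXED_RULES = [Rule("pass", "TCP", "external", WEB_SERVER, 80),
               Rule("pass", "TCP", "external", WEB_SERVER, 81)]
```

Flipping the Default Action to Pass, as the poster tried, makes `firewall` return "pass" for everything, which is why the redirect appeared to work only in that state.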
