Hi,
I'm trying to get a node.js application running as non-root on port 3080, but I want it to be reachable from outside on port 80. The easiest method I could think of is using ipfw fwd. In the thread https://forums.freebsd.org/threads/ipfw-fwd-with-generic-kernel.41243/#post-266748 post #5 assumed the fwd function works in the generic kernel, but I'm not able to get it to work.
Can anybody confirm it should work with the generic kernel? Here is my ipfw configuration:
Code:
#!/bin/sh
# Flush out the list before we begin
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="vtnet0" # interface name of NIC attached to Internet
# No restrictions on Loopback Interface
$cmd 00002 allow all from any to any via lo0
# Allow dynamic traffic
$cmd 00003 check-state
# Redirect HTTP ports to internal ports
$cmd 00110 fwd 127.0.0.1,3080 all from any to me 80 in via $pif
# Allow every outgoing traffic
$cmd 00200 allow all from me to any out via $pif keep-state
# Allow incoming SSH
$cmd 00300 allow tcp from any to me 22 in via $pif limit src-addr 2
# Block every other incoming traffic
$cmd 00900 deny all from any to me in via $pif
And I've tried to open 3080 and 80 regularly and to replace 127.0.0.1 with the server's public IP, but all this also doesn't work.
The /boot/loader.conf contains:
Code:
ipfw_load="YES"
ipfw_nat_load="YES"
net.inet.ip.fw.default_to_accept="1"
And /etc/sysctl.conf:
Code:
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet6.ip6.forwarding=1
Am I doing something wrong? If my attempt is not possible, what's the easiest (but also secure) way to make my non-root application reachable on privileged ports, without compiling a custom kernel?
Kind regards
Zabrah