IPFW Issue with opening ports for a reverse web proxy...

connchri

Member

Reaction score: 4
Messages: 28

Hello,

First off I'd like to say a big hello, I'm new to the forms, and FreeBSD in general, and need to say a big thanks for the O/S as well as much of the help (first time posting, silently been reading).

I am having an issue with setting up IPFW on a server that is being used as a reverse web proxy.

The reverse proxy is running FreeBSD 11 Stable (There's issues with 'release' in Hyper-V with network interfaces), and it using Nginx for SSL's reverse proxying to a internal Ubuntu Box running the web app on Nginx. For security reasons, I want the whole lot locked down. I have an internal network that is used only between the FreeBSD and Ubunutu box (and I'll be adding another MySQL machine eventually). It all works flawlessly when I don't have a firewall enabled on the reverse proxy server (FreeBSD). The Ubuntu box is already locked down with a firewall allowing only HTTP traffic between the Proxy.

What I want is to do the same with the FreeBSD reverse proxy machine. i.e. Have ports 80 and 443 open to the web (hn0 interface), and only port 8075 (That's the port I'm using for proxied traffic to the ubuntu box) on the hn1 interface. Everything else closed. The LAN that both machines share is 192.168.10.0/24, and each machine has the IP 192.168.10.10 (Proxy) and 192.168.10.40 (Interal Web Server).

I have configured ipfw to start in the /etc/rc.conf, and have it loading rules from etc/ipfw.rules.

Please see attach image for a screenshot of the rules I have created. On the line with command 00510, I have previously tried
Code:
allow tcp from me to 192.168.10.40 8075 via $pof
, also to no avail.

freebsdfirewall.png


Doing IPFW -show, shows that it is loading the script, just not 100% properly.

I figure the problem is in command 00510. If someone could pint me in the right direction with writing this rule out correctly, I would be very greatful.

Cheers!
 
OP
C

connchri

Member

Reaction score: 4
Messages: 28

I've solved it. Just a matter of getting the syntax correct.

Here's the fixed rules.

Also, I'd appreciate any more pointers on securing this, incase I've missed anything (I know IP has the ability to reduce the effectiveness of DoS attacks, but I am using Nginx here, with IPFW, as a proxy) or there's some from of attacks that can be prevented?

I'm new to all this, so again, any advice would be appreciated.

rules2.png
 
Top