Port redirection

Hello,

This is what I'm trying to achieve. I'm running Apache on port 12345, I want all the requests (packets) from port 80 to be redirected to port 12345 on the same interface (IPv4 + IPv6). I'm using ipfw on FreeBSD 10. The server has only one NIC card. I have tried the following.

Code:
ipfw add 102 fwd x.x.x.x,12345 tcp from any to me 80 in

It does not work (i.e. I'm unable to make a connection). I'm able to connect to port 12345 and get HTMLs etc. Is there something I'm missing?

-Thanks in Advance
Vijay
 
vijayrajah said:
I'm running apache on port 12345, I want all the requests (packets) from port 80 to be redirected to port 12345 on the same interface.
That's not possible. You cannot bounce packets back to the same interface they came in on. And why not simply run Apache on port 80 like everybody else?
 
SirDice said:
vijayrajah said:
I'm running apache on port 12345, I want all the requests (packets) from port 80 to be redirected to port 12345 on the same interface.
That's not possible. You cannot bounce packets back to the same interface they came in on. And why not simply run Apache on port 80 like everybody else?

The server is going to run some PHP applications, I'm trying to reduce the attack surface.

I'm a FreeBSD newbie, I'm coming from Linux land... I would do something like the following in iptables

Code:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 12345

If it is not possible, then I guess I do not have an option.

-Thanks
Vijay
 
Umm no. That kind of trick does not reduce the attack surface in any way because TCP port 80 will be open anyway. Operationally there's no difference to the potential attacker whether the web server is listening on port 80 or port 80 is forwarded to the real listening port using DNAT. Get yourself up to speed on how TCP/IP works and you'll have a lot easier time understanding why many of these "hacks" that are often recommended to "increase security" are in reality nothing but hot air.
 
I agree with @kpa, doing this does absolutely nothing to improve your security. It may even decrease your security because of the added complexity (which increases the risk of mistakes) and a false sense of security.
 
vijayrajah said:
...
I'm a FreeBSD newbie, I'm coming from Linux land... I would do something like the following in iptables

Code:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 12345

If it is not possible, then I guess I do not have an option.

You are looking for NAT port redirection (see REDIRECT AND LSNAT SUPPORT IN IPFW), and this is quite different from ipfw fwd .... Technically, this is of course possible with FreeBSD, however, I agree with @kpa and @SirDice that the benefits are more than questionable in the usage scenario that you laid out.
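For reference, the ipfw NAT port redirection the reply above points to, written out as an added example (not code from the thread or from any poster). It assumes the NIC is em0 with IPv4 address 192.0.2.10 as placeholders, and it covers IPv4 only, since ipfw's libalias NAT does not translate IPv6.

```sh
#!/bin/sh
# Added example: redirect incoming TCP/80 to the local Apache on 12345 with
# ipfw's NAT (redirect_port), which is the mechanism for this on FreeBSD,
# rather than "fwd". Interface name and address below are assumed placeholders.
# As the thread notes, this does not shrink exposure: TCP/80 answers exactly
# as before, it is merely served by a process bound to 12345.
set -eu

EXT_IF="${EXT_IF:-em0}"          # assumed interface name
EXT_IP="${EXT_IP:-192.0.2.10}"   # assumed address; use the NIC's real IPv4
APACHE_PORT="${APACHE_PORT:-12345}"

# Emit the commands instead of running them, so the ruleset can be reviewed
# against the running configuration before anything is applied.
ipfw_redirect_rules() {
    cat <<EOF
kldstat -q -m ipfw_nat || kldload ipfw_nat
ipfw nat 1 config if $EXT_IF redirect_port tcp $EXT_IP:$APACHE_PORT 80
ipfw add 100 nat 1 tcp from any to $EXT_IP 80 in via $EXT_IF
ipfw add 101 nat 1 tcp from $EXT_IP $APACHE_PORT to any out via $EXT_IF
EOF
}

# Rule 100 rewrites inbound port-80 packets to the Apache port; rule 101 puts
# the source port of Apache's replies back to 80 on the way out. Keeping the
# NAT rules this narrow avoids running every other flow through libalias.
case "${1:-}" in
    --apply) ipfw_redirect_rules | sh -e ;;   # root, with ipfw enabled
    *)       ipfw_redirect_rules ;;           # dry run: print the commands
esac
```

After applying, `ipfw -a list` should show hit counters climbing on rule 100 while a client connects to port 80, and `sockstat -4l` still shows Apache bound only to 12345.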
 