Hi,
I'm successfully running a Zabbix server on a host in a local network (192.168.8.0). The Zabbix server has a network interface with the IP 192.168.8.14. All other servers that run the Zabbix agent and are on the same LAN are able to talk to the Zabbix server without any problems.
The architecture of the local network looks like this:
Code:
ISP fiber ---> gold1 ---> bromine
bromine is the host that runs the Zabbix server.
The problem is that a Zabbix agent "on the internet" is not able to reach the Zabbix server. I used security/nmap to check for port 10051. On a local machine I see that the port is open (on gold1 and on bromine).
However, if I run the same command on a host "on the internet" against gold1 I can see that port 10051 is filtered:
Code:
root@hydrogen1:~ # nmap -sS -p10051 zabbix.foo.bar
Starting Nmap 7.40 ( https://nmap.org ) at 2018-08-02 15:57 CEST
Nmap scan report for zabbix.foo.bar (AA.BB.CC.DD)
Host is up (0.0095s latency).
rDNS record for AA.BB.CC.DD
PORT STATE SERVICE
10051/tcp filtered zabbix-trapper
Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
In contrast, ports 80 and 443 are marked as open and I'm able to query websites through gold1 just as expected:
Code:
root@hydrogen1:~ # nmap -sS -p80,443 zabbix.foo.bar
Starting Nmap 7.40 ( https://nmap.org ) at 2018-08-02 15:57 CEST
Nmap scan report for zabbix.foo.bar (AA.BB.CC.DD)
Host is up (0.0097s latency).
rDNS record for AA.BB.CC.DD
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.47 seconds
I assume that this is a simple firewall issue but I'm not able to figure it out. Here's a copy of /etc/pf.conf of gold1:
Code:
if_wan="igb3"
if_lan="igb1" # Office
if_lan2="igb4" # Servers
if_lan3="igb0" # Management
if_loc="lo0"
# Options
set block-policy drop
# Scrub
scrub in all
# Ignore loopback interface
set skip on $if_loc
# NAT
nat on $if_wan from $if_lan:network to any -> ($if_wan) static-port
nat on $if_wan from $if_lan2:network to any -> ($if_wan) static-port
nat on $if_wan from $if_lan3:network to any -> ($if_wan) static-port
# Redirects
# Deal with bruteforcers
table <bruteforce> persist
block quick from <bruteforce>
#pass quick on $if_lan
block in log all
#antispoof for $if_wan
pass out keep state
# Block anything coming from sources that we have no back routes for
#block in log from no-route to any
pass quick on $if_lan all # Allow all traffic on internal interface(s)
pass quick on $if_lan2 all # Allow all traffic on internal interface(s)
pass quick on $if_lan3 all # Allow all traffic on internal interface(s)
pass in on $if_wan proto tcp from any to any port 10051 keep state
pass in on $if_wan proto tcp from any to any port {80, 443} keep state
pass in quick on $if_lan proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 50/3600, overload <bruteforce> flush global)
The net/haproxy instance running on gold1 is configured as follows (I removed all the parts regarding port 80 and 443):
Code:
global
    log /var/run/log local0 info
    log /var/run/log local0 notice
    daemon
    maxconn 8000
    nbproc 3
    tune.ssl.default-dh-param 2048
    user nobody
    group nobody

defaults
    log global
    option httplog
    option dontlognull
    mode http
    timeout connect 5s
    timeout client 5min
    timeout server 5min
    option forwardfor
    errorfile 400 /usr/local/etc/haproxy/errorfiles/400.http
    errorfile 403 /usr/local/etc/haproxy/errorfiles/403.http
    errorfile 408 /usr/local/etc/haproxy/errorfiles/408.http
    errorfile 500 /usr/local/etc/haproxy/errorfiles/500.http
    errorfile 502 /usr/local/etc/haproxy/errorfiles/502.http
    errorfile 503 /usr/local/etc/haproxy/errorfiles/503.http
    errorfile 504 /usr/local/etc/haproxy/errorfiles/504.http

frontend zabbix
    bind *:10051
    mode tcp
    default_backend zabbix_10051

backend zabbix_10051
    server zabbix01 192.168.8.14:10051 check
    mode tcp
I'd appreciate any kind of help (and generic feedback) on this.
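A small model of pf's rule-order semantics (last match wins, quick stops evaluation), added here as an example and not part of the original post, run over the macro, pass and block lines of the gold1 pf.conf above. It lets you ask which rule decides a given packet; the constructed source address 203.0.113.5 and the pared-down rule subset (nat, scrub, set and the lan2/lan3/ssh lines dropped) are assumptions of the example.

```python
import re

# Constructed from the gold1 /etc/pf.conf quoted above: only the macro, pass and block lines
# that decide the fate of a packet; nat, scrub, set and the lan2/lan3/ssh rules are left out.
PF_CONF = """
if_wan="igb3"
if_lan="igb1"
block quick from <bruteforce>
block in log all
pass out keep state
pass quick on $if_lan all
pass in on $if_wan proto tcp from any to any port 10051 keep state
pass in on $if_wan proto tcp from any to any port {80, 443} keep state
"""

def parse_rules(conf):
    """Expand $macros and reduce each pass/block line to the fields this model matches on."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#")[0].strip()
        m = re.match(r'^(\w+)="([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line.startswith(("pass ", "block ")):
            line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
            toks = line.split()
            ports = re.search(r"\bport\s+(\{[^}]*\}|\S+)", line)
            table = re.search(r"from\s+<(\w+)>", line)
            rules.append({
                "text": line, "action": toks[0], "quick": "quick" in toks,
                "dir": next((t for t in toks if t in ("in", "out")), None),
                "iface": toks[toks.index("on") + 1] if "on" in toks else None,
                "proto": toks[toks.index("proto") + 1] if "proto" in toks else None,
                "ports": {int(p) for p in re.findall(r"\d+", ports.group(1))} if ports else None,
                "table": table.group(1) if table else None})
    return rules

def matches(r, pkt, tables):
    return (r["dir"] in (None, pkt["dir"]) and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and (r["ports"] is None or pkt["dport"] in r["ports"])
            and (r["table"] is None or pkt["src"] in tables.get(r["table"], set())))

def winning_rule(conf, pkt, tables=None):
    """pf evaluation order: the last matching rule wins unless an earlier match says quick."""
    winner = None
    for r in parse_rules(conf):
        if matches(r, pkt, tables or {}):
            winner = r
            if r["quick"]:
                break
    return (winner["action"], winner["text"]) if winner else ("pass", "no rule matched (pf default)")
```

For a SYN arriving on igb3 to port 10051 the model picks the pass rule, so when nmap still reports the port as filtered, the loaded ruleset (pfctl -sr) and the 10051 listener on gold1 are the next things to compare against the file.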