
Apache2 behind pfSense 2.1-Release NAT

Hello Community!

I have an age-old problem with trying to reach a local website on my local network, but something is very wrong and I haven't quite put my finger on it. I have a local LAMP server at 192.168.1.13, which is Debian and hosts my website; all packages are up to date. This is reachable from outside of my network and works wonderfully, but completely inaccessible from the internal network, even if I attempt to use http://192.168.1.13. I'm at a total loss. I obviously want to maintain its perfect presence on the world wide web, but I also want to be able to access it internally by using the URL. When I do an nslookup from a Windows box I get the correct WAN IP, and tracert is 1 hop to, again, the correct IP. When browsing to it, however, I get the error message "Oops! Google Chrome can not connect to www.duvrazh.net." For config purposes, the port forwards are disabled right now. Please help me solve this crisis!

Here are my Debian iptables on the web server.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-apache-myadmin  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-apache-w00tw00t  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-exim  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
fail2ban-php-url-fopen  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-apache-nohome  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-apache-badbots  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-apache-noscript  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-webmin  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 10000,20000
fail2ban-apache-overflows  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-apache  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-ssh-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
fail2ban-pam-generic  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-badbots (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-myadmin (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-nohome (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-noscript (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-overflows (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-w00tw00t (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-exim (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-pam-generic (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-php-url-fopen (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-webmin (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Now this is all behind pfSense 2.1-Release, with the following firewall rules. I have 2 WAN addresses which I've masked to 123.123.123.90 and 123.123.123.94. You will also see some specific rules mentioning 204.204.204.204; that is just me allowing RDP from my day-job location. Here is the mostly unfiltered output of pfctl -sa.

TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em1 inet from 192.168.1.0/24 port= isakmp to any port= isakmp -> 123.123.123.94 port 500
nat on em1 inet from 10.24.0.0/24 port= isakmp to any port= isakmp -> 123.123.123.94 port 500
nat on em1 inet from 127.0.0.0/8 port= isakmp to any port= isakmp -> 123.123.123.94 port 500
nat on em1 inet from 0.0.0.0 port= isakmp to any port= isakmp -> 123.123.123.94 port 500
nat on em1 inet from 192.168.1.0/24 to any -> 123.123.123.94 port 1024:65535
nat on em1 inet from 10.24.0.0/24 to any -> 123.123.123.94 port 1024:65535
nat on em1 inet from 127.0.0.0/8 to any -> 123.123.123.94 port 1024:65535
nat on em1 inet from 0.0.0.0 to any -> 123.123.123.94 port 1024:65535
nat on em2 inet from 192.168.1.0/24 port= isakmp to any port= isakmp -> 123.123.123.90 port 500
nat on em2 inet from 10.24.0.0/24 port= isakmp to any port= isakmp -> 123.123.123.90 port 500
nat on em2 inet from 127.0.0.0/8 port= isakmp to any port= isakmp -> 123.123.123.90 port 500
nat on em2 inet from 0.0.0.0 port= isakmp to any port= isakmp -> 123.123.123.90 port 500
nat on em2 inet from 192.168.1.0/24 to any -> 123.123.123.90 port 1024:65535
nat on em2 inet from 10.24.0.0/24 to any -> 123.123.123.90 port 1024:65535
nat on em2 inet from 127.0.0.0/8 to any -> 123.123.123.90 port 1024:65535
nat on em2 inet from 0.0.0.0 to any -> 123.123.123.90 port 1024:65535
no nat on em0 inet proto tcp from 192.168.1.1 to 192.168.1.245 port= 3389
nat on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.245 port= 3389 -> 192.168.1.1 port 1024:65535
no nat on em0 inet proto tcp from 192.168.1.1 to 192.168.1.43 port= 3389
nat on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.43 port= 3389 -> 192.168.1.1 port 1024:65535
no nat on em0 inet from 192.168.1.1 to 192.168.1.13
nat on em0 inet from 192.168.1.0/24 to 192.168.1.13 -> 192.168.1.1 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on em1 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on em0 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on openvpn inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on WANgroup inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on em1 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42199 -> 192.168.1.43 port 3389
rdr on em0 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42199 -> 192.168.1.43 port 3389
rdr on openvpn inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42199 -> 192.168.1.43 port 3389
rdr on WANgroup inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42199 -> 192.168.1.43 port 3389
rdr-anchor "miniupnpd" all
rdr on em0 inet from any to 123.123.123.90 -> 192.168.1.13 bitmask
rdr on openvpn inet from any to 123.123.123.90 -> 192.168.1.13 bitmask
rdr on WANgroup inet from any to 123.123.123.90 -> 192.168.1.13 bitmask
binat on em2 inet from 192.168.1.13 to any -> 123.123.123.90

FILTER RULES:
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port= 0 to any
block drop quick inet proto tcp from any to any port= 0
block drop quick inet proto udp from any port= 0 to any
block drop quick inet proto udp from any to any port= 0
block drop quick inet6 proto tcp from any port= 0 to any
block drop quick inet6 proto tcp from any to any port= 0
block drop quick inet6 proto udp from any port= 0 to any
block drop quick inet6 proto udp from any to any port= 0
block drop quick from  to any label "Block snort2c hosts"
block drop quick from any to  label "Block snort2c hosts"
block drop in log quick proto carp from (self) to any
pass quick proto carp all keep state
block drop in log quick proto tcp from  to any port= ssh label "ssh lockout"
block drop in log quick proto tcp from  to any port= 8080 label "webConfiguratorlockout"
block drop in quick from  to any label "virusprot overload table"
block drop in log quick on em1 from  to any label "block bogon IPv4 networks from WAN94_SRV"
block drop in on ! em1 inet from 123.123.123.92/30 to any
block drop in inet from 123.123.123.94 to any
block drop in on em1 inet6 from fe80::6a05:caff:fe12:239a to any
block drop in log quick on em1 inet from 10.0.0.0/8 to any label "Block privatenetworks from WAN94_SRV block 10/8"
block drop in log quick on em1 inet from 127.0.0.0/8 to any label "Block privatenetworks from WAN94_SRV block 127/8"
block drop in log quick on em1 inet from 100.64.0.0/10 to any label "Block private networks from WAN94_SRV block 100.64/10"
block drop in log quick on em1 inet from 172.16.0.0/12 to any label "Block private networks from WAN94_SRV block 172.16/12"
block drop in log quick on em1 inet from 192.168.0.0/16 to any label "Block private networks from WAN94_SRV block 192.168/16"
block drop in log quick on em1 inet6 from fc00::/7 to any label "Block ULA networks from WAN94_SRV block fc00::/7"
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.1 to any
block drop in on em0 inet6 from fe80::6a05:caff:fe12:2470 to any
pass in quick on em0 inet proto udp from any port= bootpc to 255.255.255.255 port= bootps keep state label "allow access to DHCP server"
pass in quick on em0 inet proto udp from any port= bootpc to 192.168.1.1 port= bootps keep state label "allow access to DHCP server"
pass out quick on em0 inet proto udp from 192.168.1.1 port= bootps to any port= bootpc keep state label "allow access to DHCP server"
block drop in log quick on em2 from  to any label "block bogon IPv4 networks from WAN90_USER"
block drop in on ! em2 inet from 123.123.123.88/30 to any
block drop in inet from 123.123.123.90 to any
block drop in on em2 inet6 from fe80::6a05:caff:fe12:528 to any
block drop in log quick on em2 inet from 10.0.0.0/8 to any label "Block privatenetworks from WAN90_USER block 10/8"
block drop in log quick on em2 inet from 127.0.0.0/8 to any label "Block privatenetworks from WAN90_USER block 127/8"
block drop in log quick on em2 inet from 100.64.0.0/10 to any label "Block private networks from WAN90_USER block 100.64/10"
block drop in log quick on em2 inet from 172.16.0.0/12 to any label "Block private networks from WAN90_USER block 172.16/12"
block drop in log quick on em2 inet from 192.168.0.0/16 to any label "Block private networks from WAN90_USER block 192.168/16"
block drop in log quick on em2 inet6 from fc00::/7 to any label "Block ULA networks from WAN90_USER block fc00::/7"
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (em1 123.123.123.93) inet from 123.123.123.94 to ! 123.123.123.92/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em2 123.123.123.89) inet from 123.123.123.90 to ! 123.123.123.88/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
anchor "userrules/*" all
pass in quick on openvpn inet proto tcp from any to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: OpenVPN to LAN"
pass in quick on openvpn inet proto udp from any to 192.168.1.0/24 keep state label "USER_RULE: OpenVPN to LAN"
pass in quick on openvpn inet proto tcp from any to  flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on openvpn inet proto udp from any to  keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on openvpn route-to {(em1 123.123.123.93), (em2 123.123.123.89)} round-robin inet proto tcp all flags S/SA keep state label "USER_RULE: Allow All Policy Routing"
pass in quick on openvpn route-to {(em1 123.123.123.93), (em2 123.123.123.89)} round-robin inet proto udp all keep state label "USER_RULE: Allow All Policy Routing"
pass in quick on em1 reply-to (em1 123.123.123.93) inet proto tcp from any to 123.123.123.94 port= 1194 flags S/SA keep state label "USER_RULE: Allow Admin VPN"
pass in quick on em1 reply-to (em1 123.123.123.93) inet proto udp from any to 123.123.123.94 port= 1194 keep state label "USER_RULE: Allow Admin VPN"
pass in quick on em1 reply-to (em1 123.123.123.93) inet proto tcp from 204.204.204.2 to 192.168.1.245 port= 3389 flags S/SA keep state label "USER_RULE: NAT RDC on PB Laptop"
pass in quick on em1 reply-to (em1 123.123.123.93) inet proto tcp from 204.204.204.2 to 192.168.1.43 port= 3389 flags S/SA keep state label "USER_RULE: NAT RDC on Station8"
pass in quick on em0 inet proto tcp from 192.168.1.0/24 to 123.123.123.90 port= http flags S/SA keep state label "USER_RULE: www"
block return in quick on em0 inet proto tcp from !  to 192.168.1.1 port= 8080 flags S/SA label "USER_RULE: Admin Access"
pass in quick on em0 inet proto tcp from 192.168.1.0/24 to 10.24.0.0/24 flags S/SA keep state label "USER_RULE: LAN to OpenVPN"
pass in quick on em0 inet from 192.168.1.6 to  flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on em0 route-to (em1 123.123.123.93) inet from 192.168.1.6 to any flags S/SA keep state label "USER_RULE: PIA VPN"
pass in quick on em0 inet from 192.168.1.49 to  flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on em0 route-to (em2 123.123.123.89) inet from 192.168.1.49 to any flags S/SA keep state label "USER_RULE: Blackboard compatibility"
pass in quick on em0 inet proto tcp from 192.168.1.245 to  flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on em0 route-to (em2 123.123.123.89) inet proto tcp from 192.168.1.245 to any flags S/SA keep state label "USER_RULE: PB Laptop Modem Limiter"
pass in quick on em0 inet from any to  flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on em0 route-to {(em1 123.123.123.93), (em2 123.123.123.89)} round-robin inet all flags S/SA keep state label "USER_RULE: Multi-WAN Policy Routing"
pass in quick on em2 reply-to (em2 123.123.123.89) inet proto tcp from any to 192.168.1.13 port= http flags S/SA keep state label "USER_RULE: NAT Wordpress HTTP"
pass in quick on em2 reply-to (em2 123.123.123.89) inet proto tcp from any to 192.168.1.13 port= https flags S/SA keep state label "USER_RULE: NAT Wordpress HTTPS"
anchor "tftp-proxy/*" all
anchor "miniupnpd" all
No queue in use

INFO:
Status: Enabled for 4 days 14:56:48           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                      8799792964         20110685
  Bytes Out                   118706484483              228
  Packets In
    Passed                        44900959                0
    Blocked                          51994            70379
  Packets Out
    Passed                        87047650                0
    Blocked                              0                3

State Table                          Total             Rate
  current entries                      274
  searches                       262192002          656.5/s
  inserts                          1053106            2.6/s
  removals                         1052832            2.6/s
Counters
  match                            1216172            3.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                          45827            0.1/s
  proto-cksum                            0            0.0/s
  state-mismatch                        64            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  divert                                 0            0.0/s

LABEL COUNTERS:
Block all IPv6 5103 54 8498 54 8498 0 0
Block all IPv6 2319 0 0 0 0 0 0
Default deny rule IPv4 5049 876 91248 876 91248 0 0
Default deny rule IPv4 5049 0 0 0 0 0 0
Default deny rule IPv6 5049 0 0 0 0 0 0
Default deny rule IPv6 2319 0 0 0 0 0 0
Block snort2c hosts 5049 0 0 0 0 0 0
Block snort2c hosts 5049 0 0 0 0 0 0
sshlockout 5049 0 0 0 0 0 0
webConfiguratorlockout 795 0 0 0 0 0 0
virusprot overload table 2730 0 0 0 0 0 0
block bogon IPv4 networks from WAN94_SRV 2730 0 0 0 0 0 0
Block private networks from WAN94_SRV block 10/8 10 0 0 0 0 0 0
Block private networks from WAN94_SRV block 127/8 10 0 0 0 0 0 0
Block private networks from WAN94_SRV block 100.64/10 10 0 0 0 0 0 0
Block private networks from WAN94_SRV block 172.16/12 10 0 0 0 0 0 0
Block private networks from WAN94_SRV block 192.168/16 10 0 0 0 0 0 0
Block ULA networks from WAN94_SRV block fc00::/7 10 0 0 0 0 0 0
allow access to DHCP server 1465 1 328 1 328 0 0
allow access to DHCP server 0 0 0 0 0 0 0
allow access to DHCP server 3006 0 0 0 0 0 0
block bogon IPv4 networks from WAN90_USER 5048 0 0 0 0 0 0
Block private networks from WAN90_USER block 10/8 867 0 0 0 0 0 0
Block private networks from WAN90_USER block 127/8 867 0 0 0 0 0 0
Block private networks from WAN90_USER block 100.64/10 867 0 0 0 0 0 0
Block private networks from WAN90_USER block 172.16/12 867 0 0 0 0 0 0
Block private networks from WAN90_USER block 192.168/16 867 0 0 0 0 0 0
Block ULA networks from WAN90_USER block fc00::/7 867 0 0 0 0 0 0
pass IPv4 loopback 2729 388 26488 388 26488 0 0
pass IPv4 loopback 2707 0 0 0 0 0 0
pass IPv6 loopback 776 0 0 0 0 0 0
pass IPv6 loopback 388 0 0 0 0 0 0
let out anything IPv4 from firewall host itself 5048 564 124396 86 84451 478 39945
let out anything IPv6 from firewall host itself 2319 0 0 0 0 0 0
let out anything from firewall host itself 2319 25303 20588417 15917 19810649 9386 777768
let out anything from firewall host itself 2319 107510 117770769 81649 114500214 25861 3270555
NAT REFLECT: Allow traffic to localhost 5048 0 0 0 0 0 0
USER_RULE: OpenVPN to LAN 5048 0 0 0 0 0 0
USER_RULE: OpenVPN to LAN 0 0 0 0 0 0 0
NEGATE_ROUTE: Negate policy routing for destination 0 0 0 0 0 0 0
NEGATE_ROUTE: Negate policy routing for destination 0 0 0 0 0 0 0
USER_RULE: Allow All Policy Routing 0 0 0 0 0 0 0
USER_RULE: Allow All Policy Routing 0 0 0 0 0 0 0
USER_RULE: Allow Admin VPN 5048 0 0 0 0 0 0
USER_RULE: Allow Admin VPN 0 0 0 0 0 0 0
USER_RULE: NAT RDC on PB Laptop 10 0 0 0 0 0 0
USER_RULE: NAT RDC on Station8 0 0 0 0 0 0 0
USER_RULE: www 3587 0 0 0 0 0 0
USER_RULE: Admin Access 772 0 0 0 0 0 0
USER_RULE: LAN to OpenVPN 772 0 0 0 0 0 0
NEGATE_ROUTE: Negate policy routing for destination 1464 0 0 0 0 0 0
USER_RULE: PIA VPN 0 0 0 0 0 0 0
NEGATE_ROUTE: Negate policy routing for destination 1464 0 0 0 0 0 0
USER_RULE: Blackboard compatibility 0 0 0 0 0 0 0
NEGATE_ROUTE: Negate policy routing for destination 1464 0 0 0 0 0 0
USER_RULE: PB Laptop Modem Limiter 452 20052 10392241 9357 2380214 10695 8012027
NEGATE_ROUTE: Negate policy routing for destination 1012 0 0 0 0 0 0
USER_RULE: Multi-WAN Policy Routing 1012 117979 130335219 28470 2107582 89509 128227637
USER_RULE: NAT Wordpress HTTP 2110 158 166188 40 2488 118 163700
USER_RULE: NAT Wordpress HTTPS 12 0 0 0 0 0 0

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states        hard limit  1626000
src-nodes     hard limit  1626000
frags         hard limit     5000
tables        hard limit     3000
table-entries hard limit   200000

TABLES:
Admins_Group
bogons
negate_networks
snort2c
sshlockout
virusprot
webConfiguratorlockout

OS FINGERPRINTS:
710 fingerprints loaded

I realize that's enough information to make your head spin, so additionally here are screenshots of the pages just in case there is a webui expert out there who can help but is less familiar with the command line (like me - less familiar, not an expert at all).

Gateways - just in case...


Firewall rules on the public interface that I want to 1:1 NAT to the webserver.


My LAN firewall rules, for what they're worth.


Here is the 1:1 NAT that I configured to supposedly allow direct access to the server, because apparently port forwarding is taboo.


Also, when attempting to follow guides found on Google, I get this error about adding a virtual IP of the public IP address x.x.x.90.

Jeez what a long issue to type, screenshot, edit and post. If you made it this far, I sincerely thank you for your valuable time. I'm about to pull my hair out. 
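As an added example (not part of the original post or of pfSense), a small Python checker that parses the TRANSLATION RULES block of a pfctl -sa dump and verifies the two pieces pf needs to reflect LAN traffic aimed at the public IP back to the internal server: an rdr on the LAN interface rewriting the public address to the server, and an outbound nat on the same interface so the server's replies return through the firewall rather than straight to the client. The rule excerpt embedded below is constructed from the post's own lines; interface names (em0) and addresses follow the post.

```python
"""Parse pfctl -sa TRANSLATION RULES and check LAN-side NAT reflection
for a 1:1-mapped internal web server (constructed example)."""
import ipaddress
import re

# Constructed excerpt of the translation rules shown in the post, not a live dump.
SAMPLE_RULES = """\
TRANSLATION RULES:
no nat proto carp all
nat-anchor "natrules/*" all
nat on em1 inet from 192.168.1.0/24 to any -> 123.123.123.94 port 1024:65535
no nat on em0 inet from 192.168.1.1 to 192.168.1.13
nat on em0 inet from 192.168.1.0/24 to 192.168.1.13 -> 192.168.1.1 port 1024:65535
rdr on em1 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on em0 inet from any to 123.123.123.90 -> 192.168.1.13 bitmask
rdr on WANgroup inet from any to 123.123.123.90 -> 192.168.1.13 bitmask
binat on em2 inet from 192.168.1.13 to any -> 123.123.123.90
"""

# One nat/rdr/binat line as pfctl prints it; anchors and "all" rules do not match.
RULE_RE = re.compile(
    r"^(?P<neg>no )?(?P<kind>nat|rdr|binat) on (?P<iface>\S+) inet"
    r"(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+)(?: port= (?P<sport>\S+))?"
    r" to (?P<dst>\S+)(?: port= (?P<dport>\S+))?"
    r"(?: -> (?P<target>\S+)(?: port (?P<tport>\S+))?)?"
    r"(?: bitmask)?$"
)


def parse_rules(text):
    """Return one dict per parsed translation rule, in dump order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def _covers(spec, addr):
    """True if a pf address spec ('any', a host, or a CIDR) covers addr."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def reflection_status(rules, lan_if, wan_ip, server_ip, client_ip):
    """Report whether LAN reflection for wan_ip -> server_ip is complete.

    rdr: some rdr on lan_if rewrites wan_ip to server_ip.
    nat: some outbound nat on lan_if covers client -> server, so the server
         answers to the firewall's address and the reply is un-NATed on the
         way back; without it the client gets a reply from 192.168.1.13 for a
         connection it opened to the public IP and resets the session.
    """
    rdr_ok = any(
        r["kind"] == "rdr" and not r["neg"] and r["iface"] == lan_if
        and _covers(r["dst"], wan_ip) and r["target"] == server_ip
        for r in rules
    )
    nat_ok = any(
        r["kind"] == "nat" and not r["neg"] and r["iface"] == lan_if
        and _covers(r["src"], client_ip) and _covers(r["dst"], server_ip)
        for r in rules
    )
    return {"rdr": rdr_ok, "nat": nat_ok, "complete": rdr_ok and nat_ok}


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print(reflection_status(parsed, "em0", "123.123.123.90",
                            "192.168.1.13", "192.168.1.50"))
```

Run it against the full `pfctl -sa` output by feeding the real text to `parse_rules` instead of the embedded sample; a result with `rdr` True but `nat` False points at the outbound side of reflection rather than the firewall rules.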
