httpd-users mailing list archives

From Al Sparks <data...@yahoo.com>
Subject RE: [users@httpd] apache not responding to firewall routed ports
Date Thu, 16 Sep 2004 01:28:06 GMT
What I hear you saying is that you see the server coming back with an ack internally via tcpdump,
but you're not seeing that packet reach anything externally.

You also say that you are getting responses (web pages) back
internally.  

There's a couple of things to check.  I already mentioned the
firewall; find out if the packets are reaching the firewall.

The other thing to check on the server itself, and it's related to
checking the firewall, is if there's a default gateway back out of the
network.

The following command will work on most (all?) linux distros, and
maybe BSD distros too:

$ netstat -rn
Destination     Gateway       Genmask   Flags   MSS Window  irtt Iface
    [other stuff]
0.0.0.0         192.168.2.1    0.0.0.0  UG      40   0      0  eth0

The last line basically says anything going outside the LAN will go
through a network device (usually a router) with an IP address of
192.168.2.1 (assuming that's your "gateway").  When doing a network
configuration, if you leave out the "gateway" setting, the server
doesn't know where to send the packets if it's outside the LAN.  It's
a fairly common error.
  === Al

--- Harry Patterson <harry@visiontm.com> wrote:

> Hi Al,
> 
> Thanks for responding. That's what I thought as well which is what prompted
> me to do the tcpdump. I am by no means an expert at reading those dumps, but
> in looking at the internal connection query I see an acknowledgement back
> from Apache. I would think I would at least see the ack back from Apache on
> the external whether it reached me through the firewall or not. There is no
> ack back. If you look below you will see the tcpdump of the internal
> communication, the 1st & 2nd line is the query and the 3rd-8th lines show
> some of the acks. If you have my original post you will see the external
> attempts with no ack. I even opened all ports on the firewall for my
> external IP address just in case to no avail. It's baffling to say the
> least. Any more thoughts would be appreciated, including if I am reading
> these correctly.
> 
> Harry
> 
> 192.168.2.206.3365 > 192.168.2.204.8080: S 2489588123:2489588123(0) win
> 64240
>    <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 17227)
> 192.168.2.204.8080 > 192.168.2.206.3365: S 3798610920:3798610920(0) ack
> 2489588124
>     win 17520 <mss 1460> (DF) (ttl 64, id 56459)
> 192.168.2.206.3365 > 192.168.2.204.8080: . ack 1 win 64240 (DF) (ttl 128,
>    id 17229)
> 192.168.2.206.3365 > 192.168.2.204.8080: P 1:459(458) ack 1 win 64240 (DF)
>    (ttl 128, id 17230)
> 
> 
> -----Original Message-----
> From: Al Sparks [mailto:data345@yahoo.com]
> Sent: Tuesday, September 14, 2004 3:50 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] apache not responding to firewall routed
> ports
> 
> 
> It sounds like packets are coming in and reaching your server, but not
> going back out.  When your server answers, the FW is probably blocking
> outgoing packets.
> 
> I'd check your firewall logs.  You may have to turn on logging, depending
> on the firewall.
>    === Al
> 
> --- Harry Patterson <harry@visiontm.com> wrote:
> 
> > I'm sure I am missing something obvious here, but I cannot get my apache
> > server to respond to requests that are routed through our firewall. I have
> > provided some pertinent info below, if you need more let me know.
> >
> > The firewall forwards all port 8080 request for IP 216.49.170.99 to an
> > internal address 192.168.2.204 also on port 8080. Apache responds fine using
> > the internal address on an internal computer (same subnet). When using an
> > external computer going to the external address, I can see the packets
> > coming in to the server using tcpdump. As expected their destination is
> > 192.168.2.204 and the .8080 shows they are coming in to port 8080. But I get
> > a "Cannot find Server" error in the browser. There are no errors recorded in
> > the apache logs. So why isn't it accepting those requests?
> >
> > Any help would be appreciated.
> > Harry
> > ===========================
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> 
> 


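Added example, not part of the original messages: the default-gateway check from the reply above, as a route lookup over `netstat -rn` output, showing why replies to a same-subnet client still leave while replies to an outside client have nowhere to go. The LAN route line and the outside client address 203.0.113.10 are constructed; the default-route line and 192.168.2.206 are taken from the thread.

```python
import ipaddress

# Constructed `netstat -rn` output (Linux layout). The LAN line is an assumption;
# the default-route line is the one quoted in the reply.
WITH_DEFAULT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG       40 0          0 eth0
"""
# The same host with the "gateway" setting left out of its network configuration.
NO_DEFAULT = "\n".join(WITH_DEFAULT.splitlines()[:-1]) + "\n"


def parse_routes(text):
    """Return [(network, gateway, flags, iface)] parsed from `netstat -rn` text."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # title line or anything that is not a route row
        try:
            prefix = bin(int(ipaddress.ip_address(f[2]))).count("1")
            net = ipaddress.ip_network(f"{f[0]}/{prefix}")
            gw = ipaddress.ip_address(f[1])
        except ValueError:
            continue  # column header row
        routes.append((net, gw, f[3], f[7]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the table; None means no route at all."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def next_hop(routes, dst):
    """Describe where a reply addressed to `dst` would be sent."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    return f"via {r[1]} on {r[3]}" if "G" in r[2] else f"direct on {r[3]}"


if __name__ == "__main__":
    for name, table in (("with default", WITH_DEFAULT), ("no default", NO_DEFAULT)):
        for client in ("192.168.2.206", "203.0.113.10"):
            print(f"{name:13} {client:14} {next_hop(parse_routes(table), client)}")
```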