[TriLUG] Apache inaccessible from outside of home router
Matt Frye
mattfrye at gmail.com
Mon Aug 23 16:01:11 EDT 2004
Ditto re TriLUG account. You have to have a third place to test from,
otherwise you can't isolate the problem. Re firewalls, yes, it is
common and a function of policy. However, as Jeremy Portzer once
pointed out, malicious web sites could just as easily use port 80
(or 443 for that matter), and there are plenty of legitimate apps that use
non-80 ports.
MPF
On Mon, 23 Aug 2004 13:17:13 -0400, Ken Mink <kmtrilug at nc.rr.com> wrote:
> This type of a firewall setup is actually fairly common in
> corporations. It is used to try to slow down trojans and mail relays.
> Usually all traffic but 80 and 443 is blocked and they go through a
> proxy.
>
> When I am monkeying with my Apache setup, I like to use my TriLUG shell
> account as a test point. The network setup is known and very
> stable (thanks guys), but outside both my home network and my work
> network. Perfect place to test from.
>
> Ken
>
>
>
> On Aug 23, 2004, at 10:53 AM, Matt Frye wrote:
>
> > You might want to check whether the LAN of the PC outside your network
> > even allows non-80 ports to be accessed. I've seen at least two cases
> > where someone was trying to access a page on their home web server
> > from their work PC and found out later that their company's firewall
> > was dropping or disallowing all non-port-80 httpd requests.
> >
> > Matt Frye
> >
> > On Mon, 23 Aug 2004 10:08:30 -0400, Jeff Groves <jgroves at krenim.org>
> > wrote:
> >> Victor Snesarev wrote:
> >>
> >>> I know this subject has been discussed to death on the net, but
> >>> nothing
> >>> I was able to google up helped.
> >>>
> >>> Here's the network:
> >>>
> >>> ---[CableModem]---[d-link 713p router]---[PC IP=196.168.0.122]
> >>>
> >>>
> >>> PC running FC2 Linux 2.6.5-1.358 and Apache 2.0.49.
> >>>
> >>> I can reach the sample Apache page from a different computer on the
> >>> same
> >>> 196.168.0.xxx subnet, but cannot reach it from the outside world
> >>> using
> >>> the router's IP address.
> >>>
> >>> httpd.conf is set up to "Listen 8888" and port 8888 is forwarded to
> >>> 196.168.0.122 by the router.
> >>>
> >>> In fact, I know that outside requests reach the PC because Ethereal
> >>> shows a short TCP session when I try to reach the PC from outside the
> >>> router. I compared it to the TCP session from the local home LAN and
> >>> saw
> >>> something odd. The TCP handshake from the outside connection looks
> >>> like
> >>> this:
> >>>
> >>> Router-to-PC SYN
> >>> PC-to-Router SYN,ACK
> >>> Router-to-PC RST (terminate)
> >>>
> >>> A handshake from a local LAN PC completes fine and Apache serves the
> >>> page.
> >>>
> >>> This almost points to the router, but I am not sure where to go from
> >>> here.
> >>>
> >>> Just for reference, I am not running iptables or ipchains (I don't
> >>> think
> >>> it's even installed) on the Linux box. Apache access_log and
> >>> error_log
> >>> do not show any events associated with a connection attempt from
> >>> outside
> >>> the local LAN.
> >>>
> >>> Any ideas?
> >>>
> >>> -Victor
> >>>
> >>>
> >> The only thing that I can think of (and it's pretty unlikely at best)
> >> is
> >> that you may have some entry in the /etc/hosts.deny file that is preventing
> >> the
> >> connection.
> >>
> >> Jeff G.
> >>
> >>
> >>
> >> --
> >> TriLUG mailing list :
> >> http://www.trilug.org/mailman/listinfo/trilug
> >> TriLUG Organizational FAQ : http://trilug.org/faq/
> >> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
> >>
> >
> >
> ---------------------------------------------
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."--Benjamin Franklin
> " 'Necessity' is the plea for every infringement of human liberty; it
> is the argument of tyrants; it is the creed of slaves."--William Pitt
>
>
>
>
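
The three-vantage-point test discussed in this thread, as an added example that is not part of the original messages: `probe` classifies one TCP handshake attempt, and `isolate` compares the results from the home LAN, the work PC and a third outside host to say which side to look at. The function names, the vantage labels `lan`/`work`/`third` and the address 203.0.113.10 are assumptions made for this example; port 8888 is the one from the thread.

```python
import errno
import socket
import sys

def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # SYN, SYN-ACK, ACK completed
    except ConnectionRefusedError:
        return "refused"     # an RST came back in answer to our SYN
    except socket.timeout:
        return "filtered"    # no answer at all: dropped somewhere on the path
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

def isolate(results):
    """results maps a vantage point to its probe() status.

    The keys 'lan', 'work' and 'third' are labels chosen for this example:
    a machine on the server's own subnet, the office PC, and an unrelated
    outside host such as a shell account.
    """
    lan, work, third = results["lan"], results["work"], results["third"]
    if lan != "open":
        return "server: not answering even on its own LAN"
    if third == "open" and work != "open":
        return "work network: outbound filtering of the non-80 port"
    if third != "open":
        return "home edge: look at the router and its port forward"
    return "reachable from every vantage point tested"

if __name__ == "__main__":
    # Run once from each vantage point and note the status it prints.
    # 203.0.113.10 is a constructed placeholder for the router's public IP.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8888
    print(host, port, probe(host, port))
```

A `refused` or `filtered` result seen only from the work PC points at that network's policy, while the same result from the third host points back at the home router.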