Nethserver ignores Portforwarding

v7
firewall

(Till) #1

NethServer Version: NethServer release 7.3.1611

Hi,

I have noticed that my nethserver ignores port forwardings after a certain time.
For example: I have set up a port forwarding for my own cloud (ports 80 and 443). This is deactivated after an indefinite period of time and no longer works.
Only after deactivating and reactivating does the rule work again. Is it possible that this is caused by a bug in the firewall?

Or maybe that has something to do with my other rules?

Are there any logs where I can see what happened?

As info: I had to disable the httpd (HTTP) function of the nethserver due to the above rule:

Thanks in advance


(Jose G Jimenez S ) #2

Hi @prostream , how are you? I don’t see you redirecting, you’re using the same port for origin and destination.


(Till) #3

Hi @jgjimenezs, thank you, I'm fine, what about you? :slight_smile:

I just want to open the ports 80 and 443 to my owncloud host which is reachable at 192.168.177.124 in my LAN.

That's the firewall object “host”:


(Jose G Jimenez S ) #4

What I can understand is that you created a rule that uses port 80 and port 443 for both input and output for the same host.

@prostream Is your server isolated from nethserver?


(Till) #5

The nethserver and the owncloud are running on the same hypervisor but of course in different VMs. Hypervisor is Proxmox.


(André Wismer) #6

@prostream

Hi

One idea would be forwarding Port 80 with a reverse proxy on the NethServer, that would allow you to also access services on the NethServer running on port 80.

SSL or Port 443 offers a few possibilities. I’m using it such that the server behind the NethServer does not provide SSL, only Port 80. The NethServer “listens” to Port 443 and provides the SSL encapsulation (using LetsEncrypt).
My concrete use is a Zabbix Monitoring server (also on ProxMox). The NethServer isn’t the firewall - we have a hardware firewall here - but is using Ports 80 and 443. So I use the reverse proxy in NethServer to forward /zabbix to the Zabbix server - unencrypted. They are both running on the same hypervisor, so packets don’t leave the host.
This is very stable - the only drawback at the moment is I can’t “draw” a map in Zabbix using a reverse proxy. This still needs a direct IP or VPN connection to work.

The client sees a valid encrypted SSL page and access from Internet is encrypted. 'nuff security for a home environment…

Such a scenario would NOT work if the server behind also uses advanced security like e.g. a Mac Server using SSL and Kerberos…

I do use NethServer, running as a firewall, in another case to forward ARD and VNC (Apple Remote Desktop) to access a Mac Mini behind the NethServer firewall. This is working stably - but does not deal with ports 80 / 443…

My 2 cents
Andy


(Markus Neuberger) #7

Hi @prostream,

I tried it with SSH now and I could forward port 22 to another server without stopping the SSH service.
Did you disable the httpd service? In your screenshot it’s just stopped. After a reboot the httpd service will run again.


(Till) #8

Hi @mrmarkuz,

that could be the problem. How can I disable the httpd service? I know how to stop it but not how to disable it.


(Marc) #9

I think it can be done with:

# mark httpd as disabled in the configuration database, then apply the change
config setprop httpd status disabled
signal-event nethserver-httpd-save

(Till) #10

@dnutan Thank you! Hope that works after next reboot or reload!


(Filippo Carletti) #11

There’s no need to stop httpd to forward port 80 (as for any service).
Technically, port forwards are in the pre-routing chain, so forwarded traffic will never reach httpd.

You can keep httpd active and reach it using another port forward such as:
port 8080 to localhost 80
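
To make the ordering Filippo describes concrete, here is a small model of the netfilter packet path. It is an added illustration for this thread, not NethServer or Shorewall code: a port forward is a DNAT rule in the nat PREROUTING chain, the routing decision is taken only after that rewrite, so a packet DNATed to the owncloud host takes the FORWARD path and a locally listening httpd never sees it, while a "8080 to localhost 80" forward does land on httpd. The 192.168.177.124 address comes from the thread; the WAN address, the client address and the listener table are constructed assumptions.

```python
"""Model of how a nat PREROUTING port forward interacts with a local httpd.

Added example for this thread, not NethServer or Shorewall code. Addresses
other than 192.168.177.124 (the owncloud host from the thread) are constructed.
"""
from dataclasses import dataclass, replace

FW_WAN = "203.0.113.10"  # constructed: the NethServer's public (red) address
# Addresses the firewall itself owns; a packet whose destination is one of
# these after PREROUTING is delivered locally (INPUT), anything else is FORWARDed.
FW_LOCAL = {"127.0.0.1", FW_WAN, "192.168.177.1"}  # 192.168.177.1 is constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class PortForward:
    """A DNAT rule in nat PREROUTING: match dport on the WAN address, rewrite dst."""
    match_port: int
    to_addr: str
    to_port: int


def prerouting(pkt: Packet, rules: list[PortForward]) -> Packet:
    """nat PREROUTING: the first matching DNAT rule rewrites the destination."""
    for r in rules:
        if pkt.dst == FW_WAN and pkt.dport == r.match_port:
            return replace(pkt, dst=r.to_addr, dport=r.to_port)
    return pkt


def route(pkt: Packet) -> str:
    """Routing decision, made after PREROUTING: local delivery or forwarding."""
    return "INPUT" if pkt.dst in FW_LOCAL else "FORWARD"


def deliver(pkt: Packet, rules: list[PortForward], listeners: dict[int, str]) -> str:
    """Walk one packet through PREROUTING and routing; say who receives it."""
    pkt = prerouting(pkt, rules)
    if route(pkt) == "FORWARD":
        # Never reaches a local daemon, whatever is bound to the original port.
        return f"forwarded to {pkt.dst}:{pkt.dport}"
    svc = listeners.get(pkt.dport)
    return f"local {svc} on port {pkt.dport}" if svc else f"local port {pkt.dport} closed"


# Forwards as discussed in the thread: 80/443 to the owncloud host,
# plus Filippo's "port 8080 to localhost 80" to keep the local httpd reachable.
RULES = [
    PortForward(80, "192.168.177.124", 80),
    PortForward(443, "192.168.177.124", 443),
    PortForward(8080, "127.0.0.1", 80),
]
# httpd on the NethServer keeps running on 80/443; it is never stopped (constructed table).
LISTENERS = {80: "httpd", 443: "httpd", 22: "sshd"}


def where_does_it_go(dport: int) -> str:
    """Destination of a packet from an Internet client to the WAN address on dport."""
    pkt = Packet(src="198.51.100.7", dst=FW_WAN, dport=dport)  # constructed client
    return deliver(pkt, RULES, LISTENERS)


if __name__ == "__main__":
    for p in (80, 443, 8080, 22, 25):
        print(f"{FW_WAN}:{p} -> {where_does_it_go(p)}")
```

Running it shows ports 80 and 443 being forwarded to 192.168.177.124 even though httpd is listed as listening on them, port 8080 arriving at the local httpd on port 80, and port 22 reaching sshd untouched; this is why stopping or disabling httpd is not needed for the forward to work. The model deliberately ignores the filter FORWARD/INPUT policies and the conntrack state, which in the real firewall decide whether the rewritten packet is then accepted.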


(Jose G Jimenez S ) #12

That is what I tried to say: it’s not using a forwarding, it’s just addressing between ports.


(Joel Clendineng) #13

Basically 80 lands you on the ns landing page, or if you have a site up, you need to either do what Filippo said or use a reverse proxy. I personally use a reverse proxy for sites hosted outside my gateway, but I have, as an example, Plex running on another host but use a port forward to direct 1234 to 1234. I think your issue is 80/443 is in use already with another service (httpd).