Koozali.org: home of the SME Server

another firewall question

kruhm
another firewall question
« on: December 29, 2005, 06:51:59 PM »
I have a new program on some of my clients that connects on port 80. I can't get it to go through the firewall.

It needs "unrestricted bi-directional access on Port 80"

Can anyone help me track down the problem?

cc_skavenger

another firewall question
« Reply #1 on: December 30, 2005, 04:04:12 AM »
Sounds like the machine(s) need to have public (static) IP entries. Putting them behind any firewall is not going to be easy. Is it only one machine or several? If one, you could use a hardware router and port forward port 80 to it. If several, you will need that many public IPs from your provider. Being behind an SME server sounds like it will never work...

1:1 NAT would not work because you can only forward port 80 to one private IP.

sorry :-(

kruhm
another firewall question
« Reply #2 on: December 30, 2005, 05:23:49 AM »
If I use a router and put SME in server-only mode, the client applications have no problem.

Putting the SME in server-gateway mode causes the client applications to time out.

All outgoing communication should be open by default, so I'm not concerned there. But possibly some type of incoming communication is being blocked.

I've turned on firewall logging and checked the messages log but couldn't find anything too exciting. I was hoping for an easy fix.

I'll pay for any fixes.

cc_skavenger

another firewall question
« Reply #3 on: December 30, 2005, 02:30:02 PM »
With the system behind SME, you have to remember that Apache is answering all requests on port 80. One possible solution is to disable Apache, but this would kill the server manager also :-(.

Are you sure that the only port needed is port 80? I am wondering if there is some UDP / special protocol that might be needed, like VPN pass-thru or such.

Anyway, it sounds like you have a solution, just not one you are happy with, which is understandable. Just curious, what are the disadvantages of setting up the network like you stated? Are they really using the web-server function of the server?

kruhm
another firewall question
« Reply #4 on: December 30, 2005, 02:52:22 PM »
Quote
Are you sure that the only port needed is port 80? I am wondering if there is some UDP / special protocol that might be needed like VPN pass-thru or such.

Yes, only port 80. However, it may use UDP on port 80. I don't know if that is blocked or needed.

Quote
Just curious, what are the disadvantages of setting up the network like you stated?

They are using the email server mostly. Because of viruses, they need to proxy all outgoing emails. This is only possible when SME is set as server/gateway.

One possibility is that I left the router in place when I set it to server/gateway and forwarded all ports to the SME. It's possible the traffic can't get through the 'double firewall.' I'll have to test and see.

Another possibility is that I put both ports (internal and external) on the same network (192.168.0). In my experience, some routers don't like this and need the ports to be on different networks (i.e., one on 192.168.0 and the other on 192.168.1).

I won't be able to test until the weekend (or maybe late tonight).

CharlieBrady
Re: another firewall question
« Reply #5 on: December 30, 2005, 09:07:16 PM »
Quote from: "kruhm"
I have a new program on some of my clients that connects on port 80.

Please be more specific about what you mean by "connects on port 80". Do you mean, connects to outside hosts using TCP on destination port 80? If so, that's just what a web browser does.

Quote
I can't get it to go through the firewall.

Do you have direct evidence that the firewall on the SME server is the problem? You'll know by finding log messages indicating blocked packets.

Quote
It needs "unrestricted bi-directional access on Port 80"

That's not a good enough description. UDP or TCP? Inbound or outbound? Source port number or destination port number?

It might help if you named the program you're having problems with.
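
The questions above (TCP or UDP, inbound or outbound, source or destination port) are exactly the fields a blocked-packet log line answers. The script below is an added example, not part of this thread or of SME Server: it parses kernel netfilter LOG lines as they appear in /var/log/messages and picks out the entries that involve port 80, so the direction and protocol of what was dropped can be read off instead of guessed. The sample log text, hostnames, addresses and ports are constructed for the example; only the field layout (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) is the real kernel format.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of /var/log/messages in netfilter LOG format. The hosts,
# addresses, MACs and ports are invented for this example; the field layout is
# what the kernel writes when a LOG rule matches. The last line is ordinary
# syslog noise that the parser must skip.
SAMPLE_MESSAGES = """\
Dec 30 21:03:11 sme kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 21:03:12 sme kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=12346 PROTO=UDP SPT=5001 DPT=80 LEN=28
Dec 30 21:03:15 sme kernel: IN=eth0 OUT=eth1 SRC=192.168.0.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=1034 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 21:03:20 sme kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=999 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 21:04:00 sme sshd[1234]: Accepted password for admin from 192.168.0.30 port 50000 ssh2
"""

# key=value tokens; bare flags such as DF or SYN have no '=' and are ignored.
_KV = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line: str) -> Optional[Dict[str, object]]:
    """Return the interesting fields of one netfilter LOG line, or None if the
    line is not a kernel packet log (e.g. an sshd message)."""
    if "kernel:" not in line or " PROTO=" not in line:
        return None
    fields = dict(_KV.findall(line))
    rec: Dict[str, object] = {
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if fields.get("SPT") else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }
    # IN set and OUT empty: packet addressed to the server itself.
    # Both set: packet being forwarded between interfaces (LAN <-> WAN).
    # IN empty: packet originated by the server.
    if rec["in"] and not rec["out"]:
        rec["direction"] = "inbound-to-server"
    elif rec["in"] and rec["out"]:
        rec["direction"] = "forwarded"
    else:
        rec["direction"] = "outbound-from-server"
    return rec


def blocked_on_port(log_text: str, port: int) -> List[Dict[str, object]]:
    """All logged packets whose source or destination port equals `port`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec and port in (rec["spt"], rec["dpt"]):
            hits.append(rec)
    return hits


def summarize(records: List[Dict[str, object]]) -> Dict[Tuple[str, str], int]:
    """Count records by (protocol, direction) so the pattern is visible at a glance."""
    return dict(Counter((r["proto"], r["direction"]) for r in records))


if __name__ == "__main__":
    hits = blocked_on_port(SAMPLE_MESSAGES, 80)
    for r in hits:
        print(f'{r["direction"]:20} {r["proto"]:4} {r["src"]}:{r["spt"]} -> {r["dst"]}:{r["dpt"]}')
    print(summarize(hits))
```

On a real server the log text would come from reading /var/log/messages; the summary makes it obvious whether the drops are inbound connections to the server on port 80 (which Apache would otherwise answer), forwarded LAN traffic, or UDP rather than TCP, each of which points to a different fix.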

kruhm
another firewall question
« Reply #6 on: December 31, 2005, 02:21:08 PM »
Thanks for the help. The problem was the second option. Having the external and internal interfaces on the same network ID blocked some traffic. I kept the external on 192.168.0 and changed the internal to 192.168.100.

It makes sense now, but when you're in the midst of the situation it's more difficult.
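
The root cause in this thread, both gateway interfaces sitting in the same 192.168.0 network, is a configuration check that can be automated. The script below is an added example, not part of the thread or of SME Server: it tests whether the two interface networks overlap, shows which interface a longest-prefix route lookup would pick for a given destination (two answers means the kernel cannot tell which side a host is on, so replies can go out the wrong interface), and flags an RFC 1918 address on the external side, which is the "router in front, double firewall" situation described earlier. The host parts of the addresses (.1 and .2) are constructed; the thread only gives the network prefixes.

```python
import ipaddress
from typing import List

# RFC 1918 ranges, listed explicitly rather than relying on is_private (which in
# Python also covers documentation ranges such as 198.51.100.0/24).
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def interfaces_overlap(internal_cidr: str, external_cidr: str) -> bool:
    """True when the two interface networks share any address space."""
    internal = ipaddress.ip_interface(internal_cidr).network
    external = ipaddress.ip_interface(external_cidr).network
    return internal.overlaps(external)


def route_for(dest: str, internal_cidr: str, external_cidr: str) -> List[str]:
    """Interface(s) a longest-prefix lookup selects for `dest` among the directly
    connected networks. Two names means the choice is ambiguous; 'default-gateway'
    means neither network contains the destination."""
    dest_ip = ipaddress.ip_address(dest)
    candidates = []
    for name, cidr in (("internal", internal_cidr), ("external", external_cidr)):
        net = ipaddress.ip_interface(cidr).network
        if dest_ip in net:
            candidates.append((net.prefixlen, name))
    if not candidates:
        return ["default-gateway"]
    longest = max(prefix for prefix, _ in candidates)
    return sorted(name for prefix, name in candidates if prefix == longest)


def check_gateway_config(internal_cidr: str, external_cidr: str) -> List[str]:
    """Findings for a server/gateway with the given internal and external interfaces."""
    findings = []
    if interfaces_overlap(internal_cidr, external_cidr):
        findings.append(
            f"internal {internal_cidr} and external {external_cidr} overlap: "
            "the kernel cannot tell which interface a LAN host is on, so replies "
            "may leave via the wrong interface; put the two sides on different networks"
        )
    ext_ip = ipaddress.ip_interface(external_cidr).ip
    if any(ext_ip in net for net in _RFC1918):
        findings.append(
            f"external address {ext_ip} is RFC 1918: the server sits behind another "
            "NAT router, so inbound port-forwards must also be configured on that device"
        )
    return findings


if __name__ == "__main__":
    # Constructed addresses: the broken layout from the thread, then the fixed one.
    for label, internal, external in (
        ("before", "192.168.0.1/24", "192.168.0.2/24"),
        ("after", "192.168.100.1/24", "192.168.0.2/24"),
    ):
        print(label, "route to 192.168.0.50 via", route_for("192.168.0.50", internal, external))
        for finding in check_gateway_config(internal, external) or ["no findings"]:
            print("  ", finding)
```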