# Domain on dynamic IP



## gpatrick (Sep 23, 2010)

My domain is registered with namecheap and I have Cox as my ISP with a dynamic IP.  Cox blocks port 80 so I have a redirect on my firewall for 8888 -> 80.  Next in line is a Pound reverse proxy listening on port 80 and redirects to the Web server listening on port 8080 on a different server.

I can access the domain from inside my LAN using the domainname and port (http://www.example.com:8888) and I get a return of my test web page. When I use the DMZ IP (NAT'd) of the web server I get a page return. 

An nslookup returns the correct IP of the domain which is my dynamic IP.

When I try to access the domain externally from outside my LAN, I fail to return the page.

I used to have this working on OpenSolaris with Zones using nginx as a reverse proxy and Apache as the Web server and used IPFilter.  Now I've switched to PF and Pound using a FreeBSD host with VirtualBox hosting the proxy and web server as guests.

What am I missing?

This is my pf.conf

```
# Macros
ext_if="axe0"
prv_if="axe1"
dmz_if="axe2"

# prv_hosts -- the list of addresses of hosts on the
#	       screened LAN
prv_hosts = "{192.168.1.10, 192.168.1.15}"

# dmz_hosts -- the list of addresses of hosts in the
#	       DMZ
dmz_hosts = "{192.168.2.21/32, 192.168.2.22/32, 192.168.2.23/32}"

# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.2.21/32"

# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.2.22/32"

# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.2.23/32"

# Tables
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
table <bruteforce> persist 

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface $ext_if
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set state-policy if-bound
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }

# Translate packets
# nat for the private hosts
nat on $ext_if inet from $prv_hosts to any -> ($ext_if)

# nat for the dmz hosts
nat on $ext_if inet from $dmz_hosts to any -> ($ext_if)

# redirect connections to port 80 (HTTP) to DMZ
rdr on $ext_if inet proto tcp from any to ($ext_if) port 8888 -> $dmz_www port 80
rdr on $prv_if proto tcp from $prv_hosts to ($ext_if) port 8888 -> $dmz_www port 80

# redirect connections to port 25 (SMTP) to DMZ
rdr on $ext_if inet proto tcp from any to ($ext_if) port 25 -> $dmz_smtp

# redirect connections to port 53 (DNS) to DMZ
rdr on $ext_if inet proto {tcp, udp} from any to ($ext_if) port 53 -> $dmz_dns

# Normalize packets
match in all scrub (no-df random-id max-mss 1440 reassemble tcp)
match out all scrub (no-df random-id)

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block log all
pass quick on lo0 all
block drop in quick on $ext_if from <bruteforce>
block in quick on $ext_if from <rfc1918> to any
block out quick on $ext_if from any to <rfc1918> 
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any

# Block anything coming from source we have no back routes for
block in log quick from no-route to any

# Anti-fake return scans
block return-rst out on $ext_if proto tcp all
block return-rst  in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp  in on $ext_if proto udp all

# Block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured. NAT disabled,
# (for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if from ! $ext_if to any

# Block nmap os detection scans  
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF

# special rule for ssh
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state (max-src-conn 1, max-src-conn-rate 3/5, overload <bruteforce> flush global)

# pass all connections originating from the firewall
pass out quick on $ext_if inet from ($ext_if) to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA

# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA
pass quick on $dmz_if from $prv_hosts to any flags S/SA

# pass all connections to the WWW host in the DMZ
pass in on $ext_if proto tcp from any to $dmz_www port 80 flags S/SA synproxy state 

#pass all connections to the SMTP host in the DMZ
pass in on $ext_if proto tcp from any to $dmz_smtp port 25 flags S/SA synproxy state

# pass all connections to the DNS host in the DMZ
pass in on $ext_if inet proto {tcp, udp} from any to $dmz_dns port 53 flags S/SA keep state

# antispoof rules to block spoofed packets
antispoof log quick for ($ext_if)
antispoof log quick for $prv_if
antispoof log quick for $dmz_if
antispoof log quick for lo0
```
*I know I can change the antispoof rule*


----------



## Sunsyril (Sep 28, 2010)

Hi, 
from inside nslookup return the correct IP, does it return the correct IP if you try it from outside?
Did you try to sniffer the packets to see whats going on? Are you able to ping the hosts from outside? Perhaps you need to reconfigure your firewall to allow ICMP for this test.


----------

