# Allow HTTP traffic to a LAN PC through IPFW



## hoanghaicv (Jun 6, 2013)

Dear all,

I have a question, hope anybody can help me! My network schema is fairly simple: 

```
Internet -> Load balancer (use pfSense) -> FreeBSD (bridge filter) -> LAN
```
From external (internet) I want access to a PC in my LAN by web (HTTP). I configured forward inbound port 80 on the load balancer to that PC already. But I don't know how to allow this traffic on FreeBSD.

Here are some of rules on my ipfw.rules file:


```
# Variables
fwcmd="/sbin/ipfw"		# IPFW command
iif="rl0"			# Internal network interface (if) (tags 1)
eif="rl1"			# External network interface (if) (tags 2)
lif="lo0"			# Local network interface
bif="bridge0"			# Bridge virtual network interface
subnet="192.168.2"		# The wired subnet

# Allow all the previously allowed traffic (outgoing)
${fwcmd} add allow tagged 1 out via ${eif}				# INT->EXT
${fwcmd} add allow tagged 2 out via ${iif}				# EXT->INT

# Filters for INT->EXT direction
${fwcmd} ...		# deny subnet
${fwcmd} ...		# deny RFC 1918
${fwcmd} add allow tag 1 ip from ${subnet}.5 to any via ${iif}		# server
${fwcmd} add allow tag 1 ip from ${subnet}.128/25 to any via ${iif}	# network

# Filters for EXT->INT direction
${fwcmd} ...		# deny subnet
${fwcmd} ...		# deny RFC 1918
${fwcmd} add allow tag 2 ip from any to ${subnet}.128/25 via ${eif}	# allow internet (network)
${fwcmd} add allow tag 2 ip from any to ${subnet}.5 via ${eif}		# allow internet (server)

# End of local and direction filters
${fwcmd} add skipto 65534 all from any to any not via ${bif}

# Bridge filters (content filters)
${fwcmd} add check-state via ${bif}					# check for dynamic rules
${fwcmd} add deny ip from ${subnet}.0/24 to ${subnet}.0/24 via ${bif}	# deny subnet
${fwcmd} add allow tcp from ${subnet}.128/25 to any setup keep-state via ${bif} # allow TCP internet (network)
${fwcmd} add allow udp from ${subnet}.128/25 to any keep-state via ${bif} # allow UDP internet (network)
${fwcmd} add allow tcp from ${subnet}.5 to any setup keep-state via ${bif} # allow TCP internet (sibserver1)
${fwcmd} add allow udp from ${subnet}.5 to any keep-state via ${bif}	# allow UDP internet (sibserver1)
${fwcmd} add allow icmp from ${subnet}.128/25 to any icmptypes 8,30 via ${bif} # allow ping and traceroutes to internet from network
${fwcmd} add allow icmp from any to ${subnet}.128/25 icmptypes 0,3 via ${bif} # allow ping and traceroutes replies from internet to network
```

Here is my code used to allow HTTP traffic through this firewall. I insert this code below line 
	
	



```
# Filters for EXT->INT direction
```


```
${fwcmd} add allow tag 2 ip from any to ${subnet}.200 via ${eif}
```

And this line in bridge filters:

```
${fwcmd} add allow tcp from any to ${subnet}.200 setup dst-port 80 keep-state via ${bif}
```

But it does not work 

I know this code is wrong, pls please help me to figure out this issue?

PS: I'm a newbie and English is a foreign language. 

Many thanks!
Hai Hoang


----------

