added 10 characters in body
$ curl localhost<server-ip-address>
hello
$ curl localhost
hello
$ curl <server-ip-address>
hello
added 6 characters in body
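--- a/pf.conf
+++ b/pf.conf
 ## Set public interface ##
 ext_if = "vtnet0"
 
 ## Set server public IP address
-ext_if_ip = "188.245.147.4"
+ext_if_ip = "<server-ip-address>"
 
 ## Set and drop IP ranges on public interface ##
 martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
               10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
               0.0.0.0/8, 240.0.0.0/4 }"
 
 ## Set http (80) and https (443) ports ##
 webports = "{http, https}"
 
 ## enable services ##
 int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}"
 int_udp_services = "{domain, ntp}"
 
 ## Skip loop back interface ##
 set skip on lo
 
 ## Sets the interface for which PF should gather statistics such as bytes in/o
 set loginterface $ext_if
 
 ## Set default policy ##
 block return in log all
 block out all
 
 # Drop all Non-Routable Addresses
 block drop in quick on $ext_if from $martians to any
 block drop out quick on $ext_if from any to $martians
 
 ## Blocking spoofed packets
 antispoof quick for $ext_if
  
 # Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
 # I do not allow or accept ssh traffic from ALL for security reasons
 #pass in quick on $ext_if inet proto tcp from 192.168.0.253 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 192.168.0.253"
 # OR
 # Allow SSH from any IP address
 pass in inet proto tcp to $ext_if port ssh
 
 # Allow Ping-Pong stuff. Be a good sysadmin
 pass inet proto icmp icmp-type echoreq
 
 # All access to our Nginx/Apache/Lighttpd Webserver ports
 pass proto tcp from any to $ext_if port $webports
 
 # Allow essential outgoing traffic
 pass out quick on $ext_if proto tcp to any port $int_tcp_services
 pass out quick on $ext_if proto udp to any port $int_udp_services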
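Review bot: The `martians` list still contains 192.168.0.0/16 while the commented-out SSH rule kept in this section would pass SSH only from 192.168.0.253; because `block drop in quick on $ext_if from $martians to any` comes first and is `quick`, that restricted rule could never match even if re-enabled, and the rule actually in effect, `pass in inet proto tcp to $ext_if port ssh`, accepts SSH from any IPv4 source despite the comment above it saying the opposite. After this edit `ext_if_ip` is referenced only by that disabled line, so the macro is effectively dead. Relevant to the question rather than the redaction: `block return in log all` is the first filter rule, so the pflog lines reporting `rule 0/0(match): block in` are this default-deny, and a TCP SYN it blocks is answered with a RST rather than left to time out — which I can only note as a hint, since the web server's bind address and any provider-side firewall are not visible here. I would add above the active SSH rule: `# NOTE: this accepts SSH from any IPv4 address; the source-restricted rule above is disabled and would be dropped by the martians block anyway.`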
## pf.conf -- packet filter for a FreeBSD VPS. Layout: macros, options, then
## filter rules. pf evaluates filter rules top to bottom and the last matching
## rule wins, except that a rule marked "quick" stops evaluation at once.

## Set public interface ##
ext_if = "vtnet0"

## Set server public IP address
## NOTE(review): only the commented-out SSH rule below references $ext_if_ip;
## every active rule uses $ext_if (the interface name) in the address position.
ext_if_ip = "188.245.147.4"

## Set and drop IP ranges on public interface ##
## Private/bogon ranges that should never be seen as a source on a public link.
## 192.168.0.0/16 is included, so the disabled SSH rule below (source
## 192.168.0.253) could never match: the "quick" martians block comes first.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

## Set http (80) and https (443) ports ##
webports = "{http, https}"

## enable services ##
## Destination ports the host itself may open outbound connections to
## (consumed by the "pass out quick" rules at the end).
int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}"
int_udp_services = "{domain, ntp}"

## Skip loopback interface ##
## Traffic on lo is not filtered at all, so a local "curl localhost" is never
## subject to the rules below.
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out
set loginterface $ext_if

## Set default policy ##
## Inbound default-deny. This is the first filter rule, i.e. what pflog reports
## as "rule 0". "return" answers blocked TCP with a RST instead of silently
## dropping; "log" records each match in pflog.
block return in log all
## Outbound default-deny; only the "pass out quick" rules at the end open it.
block out all

# Drop all Non-Routable Addresses
# "quick": a match here is final and cannot be overridden by a later pass rule.
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

## Blocking spoofed packets
## Expands to block rules that drop packets spoofing a source address from
## $ext_if's network or $ext_if's own address.
antispoof quick for $ext_if
 
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 192.168.0.253 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 192.168.0.253"
# OR
# Allow SSH from any IP address
# NOTE(review): this is the rule actually in effect -- it contradicts the two
# comment lines above. "inet" limits it to IPv4; there is no "from" restriction.
pass in inet proto tcp to $ext_if port ssh

# Allow Ping-Pong stuff. Be a good sysadmin
# No direction keyword: echo requests are allowed both in and out (IPv4 only).
pass inet proto icmp icmp-type echoreq

# All access to our Nginx/Apache/Lighttpd Webserver ports
# No direction and no address-family keyword, so this applies in and out, for
# IPv4 and IPv6. "$ext_if" in the address position means the addresses
# configured on that interface, not the interface itself.
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
# New outbound TCP/UDP connections from the host are limited to these
# destination ports; anything else falls through to "block out all" above.
# (pf keeps state on pass rules by default, so replies to accepted inbound
# connections are matched by state, not by these rules.)
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
## pf.conf -- packet filter for a FreeBSD VPS. Layout: macros, options, then
## filter rules. pf evaluates filter rules top to bottom and the last matching
## rule wins, except that a rule marked "quick" stops evaluation at once.

## Set public interface ##
ext_if = "vtnet0"

## Set server public IP address
## NOTE(review): defined but never referenced in this file; every active rule
## uses $ext_if (the interface name) in the address position instead.
ext_if_ip = "<server-ip-address>"

## Set and drop IP ranges on public interface ##
## Private/bogon ranges that should never be seen as a source on a public link.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

## Set http (80) and https (443) ports ##
webports = "{http, https}"

## enable services ##
## Destination ports the host itself may open outbound connections to
## (consumed by the "pass out quick" rules at the end).
int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}"
int_udp_services = "{domain, ntp}"

## Skip loopback interface ##
## Traffic on lo is not filtered at all, so a local "curl localhost" is never
## subject to the rules below.
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out
set loginterface $ext_if

## Set default policy ##
## Inbound default-deny. This is the first filter rule, i.e. what pflog reports
## as "rule 0". "return" answers blocked TCP with a RST instead of silently
## dropping; "log" records each match in pflog.
block return in log all
## Outbound default-deny; only the "pass out quick" rules at the end open it.
block out all

# Drop all Non-Routable Addresses
# "quick": a match here is final and cannot be overridden by a later pass rule.
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

## Blocking spoofed packets
## Expands to block rules that drop packets spoofing a source address from
## $ext_if's network or $ext_if's own address.
antispoof quick for $ext_if

# Allow SSH from any IP address
# "inet" limits this to IPv4; there is no "from" restriction, so any source
# may reach port 22.
pass in inet proto tcp to $ext_if port ssh

# Allow Ping-Pong stuff. Be a good sysadmin
# No direction keyword: echo requests are allowed both in and out (IPv4 only).
pass inet proto icmp icmp-type echoreq

# All access to our Nginx/Apache/Lighttpd Webserver ports
# No direction and no address-family keyword, so this applies in and out, for
# IPv4 and IPv6. "$ext_if" in the address position means the addresses
# configured on that interface, not the interface itself.
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
# New outbound TCP/UDP connections from the host are limited to these
# destination ports; anything else falls through to "block out all" above.
# (pf keeps state on pass rules by default, so replies to accepted inbound
# connections are matched by state, not by these rules.)
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services

"Couldn't connect to server" outside of the server

I have a VPS instance running FreeBSD. I started a simple web server on port 80.

When I am ssh'd into the server, I can reach the server:

$ curl localhost
hello

However, when I try to connect on my own device:

$ curl http://<server-ip-address>
curl: (28) Failed to connect to <server-ip-address> port 80 after 8710 ms: Couldn't connect to server

I have searched for how to fix it, but have thus far not been able to solve it.

Here's some information that might be useful:

  • Running ifconfig vtnet0 returns inet <server-ip-address>
  • This IP address is the same address that my VPS provider shows in the server management tool
  • My firewall (using pf) (pf.conf):
## pf.conf -- packet filter for a FreeBSD VPS. Layout: macros, options, then
## filter rules. pf evaluates filter rules top to bottom and the last matching
## rule wins, except that a rule marked "quick" stops evaluation at once.

## Set public interface ##
ext_if = "vtnet0"

## Set server public IP address
## NOTE(review): only the commented-out SSH rule below references $ext_if_ip;
## every active rule uses $ext_if (the interface name) in the address position.
ext_if_ip = "188.245.147.4"

## Set and drop IP ranges on public interface ##
## Private/bogon ranges that should never be seen as a source on a public link.
## 192.168.0.0/16 is included, so the disabled SSH rule below (source
## 192.168.0.253) could never match: the "quick" martians block comes first.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

## Set http (80) and https (443) ports ##
webports = "{http, https}"

## enable services ##
## Destination ports the host itself may open outbound connections to
## (consumed by the "pass out quick" rules at the end).
int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}"
int_udp_services = "{domain, ntp}"

## Skip loopback interface ##
## Traffic on lo is not filtered at all, so a local "curl localhost" is never
## subject to the rules below.
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out
set loginterface $ext_if

## Set default policy ##
## Inbound default-deny. This is the first filter rule, i.e. what pflog reports
## as "rule 0" (compare the tcpdump excerpt further down). "return" answers
## blocked TCP with a RST instead of silently dropping; "log" records each
## match in pflog.
block return in log all
## Outbound default-deny; only the "pass out quick" rules at the end open it.
block out all

# Drop all Non-Routable Addresses
# "quick": a match here is final and cannot be overridden by a later pass rule.
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

## Blocking spoofed packets
## Expands to block rules that drop packets spoofing a source address from
## $ext_if's network or $ext_if's own address.
antispoof quick for $ext_if

# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 192.168.0.253 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 192.168.0.253"
# OR
# Allow SSH from any IP address
# NOTE(review): this is the rule actually in effect -- it contradicts the two
# comment lines above. "inet" limits it to IPv4; there is no "from" restriction.
pass in inet proto tcp to $ext_if port ssh

# Allow Ping-Pong stuff. Be a good sysadmin
# No direction keyword: echo requests are allowed both in and out (IPv4 only).
pass inet proto icmp icmp-type echoreq

# All access to our Nginx/Apache/Lighttpd Webserver ports
# No direction and no address-family keyword, so this applies in and out, for
# IPv4 and IPv6. "$ext_if" in the address position means the addresses
# configured on that interface, not the interface itself.
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
# New outbound TCP/UDP connections from the host are limited to these
# destination ports; anything else falls through to "block out all" above.
# (pf keeps state on pass rules by default, so replies to accepted inbound
# connections are matched by state, not by these rules.)
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
  • Last 2 entries of tcpdump -n -e -ttt -r /var/log/pflog
 00:01:06.020635 rule 0/0(match): block in on vtnet0: <some-ip-address (not mine)> > <server-ip-address>: Flags [S], seq 3213013147, win 64240, options [mss 1460, [|tcp]
 00:02:17.580326 rule 0/0(match): block in on vtnet0: <some-ip-address (not mine)> > <server-ip-address>: Flags [S], seq 3170210564, win 65535, length 0

Any help is much appreciated as I've hit a roadblock on trying to fix this.