next »

[nutballs]

Any ideas why I cannot seem to connect from a webserver to itself from the shell using wget or anything else?

I am behind a PFsense firewall, but afterall, port 80 is open? outbound is set to auto/all.

Is there something on the server (ubuntu 7.04) that could prevent self connecting?
the apache conf is set for any ip, so even if it was trying on 127.0.0.1 it should connect.

right now, i am using my site monitor service to hit my page that should be getting exec'd by cron. (i cant do CLIphp for this particular thingy).

thoughts?

[perkiset]

I don't see what the firewall would have to do with it at all ... you're saying that if you wget on the machine where Apache is, you can't touch port 80?

So if you do it manually from a shell it works, but if you fire it via PHP it doesn't?

If it works manually but not from PHP, have you done a shell_exec and echo'd out what the shell tells you? Is there an error message?

Does the Apache access_log show that it's been touched and did (something) with the packet?

Is there a firewall or portmap running on the machine itself? That's a common problem as well...

[nutballs]

I wasnt complete enough in my explanation or didnt fully understand the problem.

none of my WAN ips can be pinged.

I now know that its a VirtualIP issue. I have a pinhole and nat to handle webtraffic, which is why everything works for hitting a website on the server from WAN.
You cannot ping it however. like if you try pinging 4sp.in it will never answer.

but what I cannot figure out is why i can surf 4sp.in from anywhere on the internets, but I cannot from on the actual webserver itself.
So if I ssh into my webserver and type: "wget http://4sp.in" it just hangs and never actually connects.

wget http://4sp.in
--10:11:24--  http://4sp.in/
           => `index.html'
Resolving 4sp.in... 216.19.200.36
Connecting to 4sp.in|216.19.200.36|:80...

It gets the correct IP 216.19.200.36 so its not DNS.
Its got to be the firewall blocking it. Buy WHY? It will let YOU, from outside the network, surf it, so why the hell no me? lol
I know there is a little checkbox somewhere in PF that is labeled, "FU"

[nutballs]

M*th3r F@ck#R!!!!!!!!!!!!!!!!!!

i HATE checkboxes.

Checkbox under
System->advanced
Disable NAT Reflection. Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.

So why in the hell is this on by default? I get why it exists, to prevent LAN from burning WAN bandwidth in a more complex setup, but frankly, this should NOT be one by default. Very few networks actually run an internal DNS for directing WAN domains to LAN ips without hitting WAN.

[perkiset]

is that pfSense or something *nix? I've never seen that.

Nice pix, BTW.

[nutballs]

pfsense.

though its a standard firewall/router capability im pretty sure. basically, NAT is generally so the outside world can get to a specific computer for a specific port(s), right. So reflection, is to allow that NAT to happen for an internal request, via an external IP.

Its not like the traffic actually ever leaves the router in this case.

So server1 wants to access a webpage on server2 by domainname since everything is hostheaders and IPs are no go.
Server1 says, wget somedomainonserver2.com
that goes to the router on the LAN interface.
Router says, hmm, me not know this domain since it not in my hosts... me go check tubes.
Router DNSs the WAN (or local cache).
Gets back IP of its own WAN interface and says, hmm this internal on LAN.
Oh wait there is no LAN nat, only outbound?
Me not know what to do with you. Me go have coffee now.

Reflection, "mirrors" the WAN rules for LAN traffic.

I assume this is for more stringent security, to prevent spoofing bridges or something like that.

[nutballs]

OR not. now internal requests cannot reach external sites. LOL

[raptor]

I know this is reviving an old thread, but did you ever figure it out? I am having a similar problem and it's really pissing me off.

[perkiset]

He did ... Ill ping him to post it

[danialpaul1]

dude be chill & relax, let's start your task once again, I just wanted to say that do all but with patience !!

[perkiset]

Worst. Bot. Ever.