The Cache: Technology Expert's Forum
Topic: Webserver can't talk to itself via wget/lynx/curl (Read 6707 times)

nutballs (Administrator)
« on: December 10, 2009, 11:46:59 PM »

Any ideas why I cannot seem to connect from a webserver to itself from the shell using wget or anything else?

I am behind a pfSense firewall, but after all, port 80 is open? Outbound is set to auto/all.

Is there something on the server (Ubuntu 7.04) that could prevent self connecting?
The Apache conf is set for any IP, so even if it was trying on 127.0.0.1 it should connect.

Right now, I am using my site monitor service to hit my page that should be getting exec'd by cron. (I can't do CLI PHP for this particular thingy.)

Thoughts?

I could eat a bowl of Alphabet Soup and shit a better argument than that.

perkiset (Administrator)
« Reply #1 on: December 11, 2009, 09:47:42 AM »

I don't see what the firewall would have to do with it at all ... you're saying that if you wget on the machine where Apache is, you can't touch port 80?

So if you do it manually from a shell it works, but if you fire it via PHP it doesn't?

If it works manually but not from PHP, have you done a shell_exec and echo'd out what the shell tells you? Is there an error message?

Does the Apache access_log show that it's been touched and did (something) with the packet?

Is there a firewall or portmap running on the machine itself? That's a common problem as well...

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.

nutballs (Administrator)
« Reply #2 on: December 11, 2009, 10:12:10 AM »

I wasn't complete enough in my explanation, or didn't fully understand the problem.

None of my WAN IPs can be pinged.

I now know that it's a Virtual IP issue. I have a pinhole and NAT to handle web traffic, which is why everything works for hitting a website on the server from WAN.
You cannot ping it however. Like if you try pinging 4sp.in it will never answer.

But what I cannot figure out is why I can surf 4sp.in from anywhere on the internets, but I cannot from the actual webserver itself.
So if I ssh into my webserver and type "wget http://4sp.in" it just hangs and never actually connects.
Quote:
wget http://4sp.in
--10:11:24--  http://4sp.in/
           => `index.html'
Resolving 4sp.in... 216.19.200.36
Connecting to 4sp.in|216.19.200.36|:80...
It gets the correct IP 216.19.200.36 so it's not DNS.
It's got to be the firewall blocking it. But WHY? It will let YOU, from outside the network, surf it, so why the hell not me? lol
I know there is a little checkbox somewhere in PF that is labeled "FU".

nutballs (Administrator)
« Reply #3 on: December 11, 2009, 10:49:25 AM »

M*th3r F@ck#R!!!!!!!!!!!!!!!!!!

I HATE checkboxes.

Checkbox under System -> Advanced:
"Disable NAT Reflection. Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports."

So why in the hell is this on by default? I get why it exists, to prevent LAN from burning WAN bandwidth in a more complex setup, but frankly, this should NOT be on by default. Very few networks actually run an internal DNS for directing WAN domains to LAN IPs without hitting WAN.


perkiset (Administrator)
« Reply #4 on: December 11, 2009, 10:51:39 AM »

is that pfSense or something *nix? I've never seen that.

Nice pix, BTW.

nutballs (Administrator)
« Reply #5 on: December 11, 2009, 11:07:07 AM »

pfSense.

Though it's a standard firewall/router capability, I'm pretty sure. Basically, NAT is generally so the outside world can get to a specific computer for a specific port(s), right. So reflection is to allow that NAT to happen for an internal request, via an external IP.

It's not like the traffic actually ever leaves the router in this case.

So server1 wants to access a webpage on server2 by domain name since everything is host headers and IPs are a no go.
Server1 says, wget somedomainonserver2.com
That goes to the router on the LAN interface.
Router says, hmm, me not know this domain since it not in my hosts... me go check tubes.
Router DNSs the WAN (or local cache).
Gets back IP of its own WAN interface and says, hmm, this internal on LAN.
Oh wait, there is no LAN NAT, only outbound?
Me not know what to do with you. Me go have coffee now.

Reflection "mirrors" the WAN rules for LAN traffic.

I assume this is for more stringent security, to prevent spoofing bridges or something like that.
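The packet walk in the two posts above (the "Disable NAT Reflection" checkbox in Reply #3 and the router's "me go have coffee" monologue in Reply #5) as a small runnable model. This is an added illustration, not code from the thread and not pfSense code: a toy router that holds one port forward and applies the same decision a real NAT box makes for a TCP SYN, once without reflection (the server's own wget gets no answer), once with reflection (the WAN redirect is mirrored for LAN sources), and once with the other fix the thread mentions, an internal DNS / hosts override so the name resolves to the LAN address and the router is never involved. All addresses are made up from the RFC 5737 and RFC 1918 ranges and the hostname is a placeholder; none of them are the thread's real host.

```python
# Added illustration (not pfSense code, not from the thread): a toy model of a
# NAT router's decision for one packet, showing why "wget http://<site>" hangs
# when run ON the server behind the port forward, and what NAT reflection
# (hairpin NAT) or split DNS changes.  Addresses and hostname are made up.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class PortForward:
    wan_port: int
    lan_host: str
    lan_port: int


@dataclass
class Router:
    wan_ip: str
    lan_net: str
    forwards: list = field(default_factory=list)
    # pfSense equivalent: reflection is active when "Disable NAT Reflection"
    # (System -> Advanced) is unticked.
    reflection: bool = False

    def on_lan(self, addr: str) -> bool:
        return ip_address(addr) in ip_network(self.lan_net)

    def match_forward(self, dport: int) -> Optional[PortForward]:
        return next((f for f in self.forwards if f.wan_port == dport), None)

    def handle(self, src: str, dst: str, dport: int):
        """Decide what happens to a TCP SYN from src to dst:dport.

        Returns (next_hop_ip, next_hop_port, explanation), or None when the
        SYN is never answered (from the client's side: wget just hangs)."""
        if self.on_lan(src) and self.on_lan(dst):
            # LAN-to-LAN traffic is switched; it never touches the NAT rules.
            return (dst, dport, "same LAN segment; router not involved")
        if dst == self.wan_ip:
            fwd = self.match_forward(dport)
            if not self.on_lan(src):
                # Inbound on the WAN interface: the port forward applies.
                return (fwd.lan_host, fwd.lan_port, "inbound port forward") if fwd else None
            # Arrived on the LAN interface, addressed to our own WAN address.
            if self.reflection and fwd:
                # Reflection mirrors the WAN redirect rule onto the LAN side.
                return (fwd.lan_host, fwd.lan_port, "NAT reflection (hairpin)")
            # No LAN-side redirect exists, so the packet terminates on the
            # router itself rather than being sent to the web server.  In the
            # thread nothing answered there, so wget sat in "Connecting to ...".
            return None
        if self.on_lan(src):
            return (dst, dport, "outbound NAT to the internet")
        return None  # anything else hits the default deny


def resolve(name: str, public_dns: dict, hosts_override: dict = None) -> str:
    """Name lookup with an optional local override (split DNS or /etc/hosts)."""
    if hosts_override and name in hosts_override:
        return hosts_override[name]
    return public_dns[name]


def server_self_fetch(router: Router, server_ip: str, name: str,
                      public_dns: dict, hosts_override: dict = None):
    """Where does 'wget http://<name>' run ON the server itself end up?"""
    return router.handle(server_ip, resolve(name, public_dns, hosts_override), 80)


# Constructed scenario: made-up addresses (RFC 5737 / RFC 1918) and hostname.
WAN, LAN_NET, SERVER = "203.0.113.10", "192.168.1.0/24", "192.168.1.20"
SITE = "www.example.site"
PUBLIC_DNS = {SITE: WAN}


def build_router(reflection: bool) -> Router:
    return Router(WAN, LAN_NET, [PortForward(80, SERVER, 80)], reflection)


if __name__ == "__main__":
    outside = "198.51.100.7"
    print("outside client    ->", build_router(False).handle(outside, WAN, 80))
    print("server, default   ->", server_self_fetch(build_router(False), SERVER, SITE, PUBLIC_DNS))
    print("server, reflection->", server_self_fetch(build_router(True), SERVER, SITE, PUBLIC_DNS))
    print("server, split DNS ->", server_self_fetch(build_router(False), SERVER, SITE,
                                                    PUBLIC_DNS, {SITE: SERVER}))
```

The model deliberately treats reflection as a per-port-forward mirror, which matches the checkbox text ("Reflection only works on port forward type items"): a LAN source hitting the WAN address on a port with no forward still gets nothing, with or without reflection. The split DNS line shows why the thread's "very few networks run an internal DNS" remark matters: with a hosts override the server never addresses its own public IP at all, so the router's settings stop being part of the problem.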

nutballs (Administrator)
« Reply #6 on: December 11, 2009, 11:20:42 AM »

OR not. now internal requests cannot reach external sites. LOL

raptor (n00b)
« Reply #7 on: April 20, 2010, 12:02:33 PM »

I know this is reviving an old thread, but did you ever figure it out? I am having a similar problem and it's really pissing me off.

perkiset (Administrator)
« Reply #8 on: April 20, 2010, 12:43:37 PM »

He did ... I'll ping him to post it.

danialpaul1 (n00b)
« Reply #9 on: November 06, 2011, 10:04:49 AM »

dude be chill & relax, let's start your task once again, I just wanted to say that do all but with patience !!

From Danial Paul,
idol lash | ab glider

perkiset (Administrator)
« Reply #10 on: November 06, 2011, 01:31:23 PM »

Worst. Bot. Ever.