welcome to my space

03/16/2010 (4:35 am)

Yet another Apache-outpost issue

Filed under: nappedeptrole.com
  • Hi all,

    I've just installed Outpost (the latest available download as of yesterday, 2.1.xxx) (I previously used Kerio but a friend recommended Agnitum) and I spent last night troubleshooting the rules. Everything seems to be working well except for the web server. I read a lot of threads concerning the Apache rules and tried to tweak the Apache + svchost + system rules a lot, but so far it doesn't work.. :(

    What I did:
    - Apache is TCP/inbound/HTTP - allow it (the same for the Apache monitor, even though I'm not sure I really have to do this one)
    - for svchost I allow only the following:
    --- UDP/remote DNS IP/remote DNS port/local DNS port
    --- TCP/inbound/HTTP (this was my idea, but I do block the other inbound TCP with a rule like this: TCP/in - block it)
    --- TCP/out/remote DNS host/remote port DOMAIN/local port DOMAIN

    For the system rules I left them at default, as I never read that I should change them. Actually I added a new one hoping that Apache will work: allow TCP/in/HTTP

    Last, for the ICMP settings I have only checked, both in & out, the following types: 0, 3, 8, 11, that is echo reply, destination unreachable, echo request and time exceeded for a datagram respectively.

    On the other hand I can't even ping my HTTP server! Though I am able to do everything with the firewall disabled!

    About the logs I get when trying to ping/HTTP Apache: I get tons of "packet to closed port" involving application "SYSTEM", protocol "UDP" and "TCP", with various remote and local ports, for example:
    =======================
    proto  remote  local
    =======================
    UDP    8975    3247
    UDP    3525    3247
    TCP    2420    4662
    UDP    10847   3247
    UDP    7332    3247
    UDP    3612    3247
    UDP    3350    3247
    UDP    10300   3247
    UDP    3412    3247
    UDP    3350    3247
    UDP    8466    3247
    UDP    3302    3251
    TCP    3567    AUTH
    UDP    5728    3247
    TCP    1534    4662
    UDP    1093    3251
    UDP    3520    3251
    UDP    6788    3247
    UDP    1361    3251
    TCP    3235    AUTH

    Also I'm using XP Pro, and the web server gets DynDNS name resolution (because I have a dynamic IP).

    What am I missing here?!

    I would very much appreciate any feedback.
    Thank you,
    vbx


  • Those blocked entries - were they actually for Apache? If so then try creating a rule to cover them (e.g. UDP on local port 3247) - it should not need this normally but you may have configured it in a fashion that requires it.

    Aside from that, are you sure that Apache itself is configured and working properly? (can you for instance browse a web page held locally).


  • I finally solved the issue by stopping the DNS cache plugin. And the firewall also seems to run much faster!


  • Welcome to the forums Vbx,

    Rules for incoming traffic must specify a local port, not a remote port (HTTP in this case). Since you have not specified this, could you please confirm that you have used a local port?

    Your DNS rule (since it is presumably covering outgoing traffic - you did not mention if this server was acting as a DNS server also) should just specify a remote port. If you wish to handle incoming DNS queries also, create a separate rule specifying a local port. Specifying both will cause DNS to be blocked since either the local port (for outgoing) or remote port (for incoming) will be dynamically assigned. This also applies to the DOMAIN rule you have created for svchost (you could probably do without this though).

    As for ICMP, allowing incoming echo requests and outgoing echo replies is needed to make your server pingable. Please check that you have allowed both of these.

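To make the port logic of the reply above concrete, here is an added example (not from the thread or from Outpost) modelling per-port firewall rules as a first-match list. Rule names, the remote ephemeral port and the packets are constructed; it shows why a rule that pins both the local and the remote port on outgoing DNS never matches, and why an inbound HTTP rule must pin the local port.

```python
# Added example, not from the thread: a tiny model of per-port firewall rules
# showing why pinning BOTH ports on an outbound DNS rule never matches.
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a port field

@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    direction: str   # "in" or "out"
    local_port: int
    remote_port: int

@dataclass(frozen=True)
class Rule:
    proto: str
    direction: str
    local_port: Optional[int]   # ANY matches any port
    remote_port: Optional[int]
    action: str                 # "allow" or "block"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto and self.direction == pkt.direction
                and self.local_port in (ANY, pkt.local_port)
                and self.remote_port in (ANY, pkt.remote_port))

def decide(rules, pkt, default="block"):
    """First matching rule wins; anything unmatched gets the default (block)."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

# The poster's svchost DNS rule pins remote port 53 (DOMAIN) AND local port 53.
BAD_DNS = Rule("UDP", "out", 53, 53, "allow")
# The reply's fix: an outgoing DNS rule pins only the remote port.
GOOD_DNS = Rule("UDP", "out", ANY, 53, "allow")
# Inbound HTTP pins the LOCAL port 80; the remote port is the client's ephemeral one.
HTTP_IN = Rule("TCP", "in", 80, ANY, "allow")
HTTP_IN_WRONG = Rule("TCP", "in", ANY, 80, "allow")

# Constructed traffic: the DNS query leaves from an ephemeral local port (3247,
# as in the poster's log); a browser connects from its own ephemeral port to 80.
DNS_QUERY = Packet("UDP", "out", 3247, 53)
HTTP_SYN = Packet("TCP", "in", 80, 51234)

def dns_with_bad_rule():    return decide([BAD_DNS], DNS_QUERY)        # "block"
def dns_with_good_rule():   return decide([GOOD_DNS], DNS_QUERY)       # "allow"
def http_with_wrong_rule(): return decide([HTTP_IN_WRONG], HTTP_SYN)   # "block"
def http_with_right_rule(): return decide([HTTP_IN], HTTP_SYN)         # "allow"
```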

  • Thank you very much for your reply, Paranoid2000!

    Yes, the incoming HTTP port is always local and is allowed.
    I don't have a DNS server, and I did what you told me concerning the DNS rules (in svchost and system); I only specified a local port for both incoming/outgoing traffic.

    As for ICMP, I allow both in/out echo requests and echo replies.

    But it still doesn't work!!

    Is there anything else left to try?

    When I try localhost it works, but the page always loads without images (it's a PHP CMS; I mean the IE status bar reads "loading image xxx" at some point but then stops after a while).
    Also I can't ping the HTTP server by name or by IP address...


  • Update:

    The HTTP server doesn't work even in disabled mode!! The same for ping and tracert!


  • If you made rule changes while Apache had active network connections, this may have resulted in a delay before the new rules were applied. Aside from that, I can't see any other cause.


  • Hello vbx,

    Thank you for posting back and letting us know what you found that fixed your problem.


  • I've already tried to give it access to different protocols/ports, but as soon as I open one it keeps saying that it needs another and another... so I just gave up on this option last night.

    Now, the interesting thing is, after a couple of policy changes (disabled, allow most, block all, etc.), I turned it back on with rules and the web server works except for the PHP pages!!! (NO OTHER CHANGE). The ping works too.

    What to do next?

    Many thanks, Paranoid!
