All web traffic suddenly being redirected to internal web server

evp

Hi I have a pfs 1.2.3 box that has been running for 2 months without a glitch. Today however all our web traffic is being redirected to and served  our internal cpanel webserver. As a result all pages show up with the cpanel/apache default page. Nothing has changed on the box except for adding a block rule to a tawain ip subnet this morning (brute force ssh attempt). I have since removed the firewall rule and still
no luck.

Here is my network setup:

adsl>>>>>modem(192.168.1.1)>>>>PFS-Wan (192.168.1.2)

PFS-lan  (10.10.11.0/24)

PFS-OPT2(10.0.0.0/24)>>>>>cpanel www server(10.0.0.116)

Any ideas on what is going on?

Is it possible that the attempted hacker was succesfull and modify my box?

GruensFroeschli

I bet you have as "external address" in your NAT rule to forwards traffic to your server "any".
(It should be the external address and NOT any).

evp

Hi thanks for your help. I'm a little confused on to your suggestion. Can you please elaborate.

Thanks again

Eugene

What nat rules do you have? Can you give us an output of```
pfctl -sn

jimp

This is quite common with misconfigured NAT rules, see here:

http://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing%3F

evp

Hi thanks for all your help. I just confirmed that the nat rule for port 80 is correctly configured with external address.

the print out of pfctl -sn is huge, I don't know how to capture the entire print. I have attached a screen print of my nat page:


Eugene

My guess you are having problem with your web-server.

jimp

You have two port forwards on the "zon" interface that have an external address of 0.0.0.0 for port 80.

That may also be an issue.

Eugene

@jimp:

You have two port forwards on the "zon" interface that have an external address of 0.0.0.0 for port 80.

That may also be an issue.

Could you explain how this might be related to NAT on WAN interface?

jimp

@Eugene:

Could you explain how this might be related to NAT on WAN interface?

It's not related to NAT on WAN, it's related to NAT reflection, which is a big ugly mess and could easily do this. :-)

Eugene

@jimp:

@Eugene:

Could you explain how this might be related to NAT on WAN interface?

It's not related to NAT on WAN, it's related to NAT reflection, which is a big ugly mess and could easily do this. :-)

Oh… I did not see anything about nat redirection in initial post and supposed this web-site fails for outside people -)

jimp

He didn't say it, but if you look at the link I posted earlier, it's the #1 cause of this exact issue.

evp

Hey guys thanks so much for your help. The zon interface is my wan2 which this moment is down.

The webserver is accesabile from outside, and everything else is accessible from lan (ie. email, ping, traceroute), it really only seems to be port 80 that gets redirected to the webserver. What gets me is that system was up for 2 months and never had an issue, until this morning.

I also doubled checked the nat rule for port 80 to the webserver and is setup with external address.

jimp

You seem to be missing the real point here. If you have NAT reflection enabled, shut it off.

If that fixes the problem, then you still have an incorrectly specified port forward somewhere.

evp

Hi thanks again. I shut off nat reflection, and now everything is fine, so obviously than I have a mis-configured port 80 somewhere. Why would this turn up now after 2 months of no problems?

jimp

It may be related to that second WAN that you said was just shut off, or some other cause. Somehow it's trying to reflect any external address instead of a specific one.

NAT Reflection is evil  :)