Publish an Internal Server over Internet on port 80

Hi,

I have an issue with using Port 80 for port forwarding. All other ports work, but not port 80:
WAN_IP:81 -> LAN_IP:80 works
WAN_IP:80 -> LAN_IP:80 does not work

So the rule itself seems to work fine as long as I don't set service port forwarded to 80.

The rule is configured based on this How To: https://community.sophos.com/kb/en-us/122976

Rgds,
Richard



  • Richard,

    can you share the firewall rule you have created?

    Thanks

  • See the rule below:

    Changing the Service Port(s) Forwarded to 81 and it works (leaving the Mapped Port on 80 of course)

    I have other rules configured on different ports and they all work. I don't see any conflict. The logs don't reveal any issues either.

  • Hi Richard,

    Check #1 in my guide here. Take a packet capture and see if it is forwarded to the destined server and verify if you discover any drop captures.

    Thanks

  • Hi,

    Thanks for the link. Very useful!

    I had done the capturing already and nothing, no dropped, zero entries. As soon as I change the service port to 81, it works and capture confirms. Just wondering... are you able to forward on port 80 (using latest SFOS 16)?

    As said, nothing to show when using port 80 but on 81 it looks good:



    When using port 80, the port remains filtered instead of open:

    Nmap scan report for www.example.com (xxx.xxx.222.147)
    Host is up (0.82s latency).
    PORT      STATE SERVICE     VERSION
    81/tcp open  ssl/unknown

    Nmap scan report for www.example.com (xxx.xxx.222.147)
    Host is up.
    PORT   STATE    SERVICE VERSION
    80/tcp filtered http

    Rgds,
    Richard

  • Hi Richard,

    Do you capture nothing when DNAT is configured on port 80? In that case, take a tcpdump through the console and check if any traffic hits XG. Execute:

    tcpdump 'host x.x.x.x and port 80'

    (here, x.x.x.x is the source IP that requests the hosted server)

    If you do not see any dumps then the WAN interface does not receive any traffic over port 80.

    Also, is it a direct WAN link connection on XG or the connection comes through a router/modem?

    Thanks

  • Hi,

    Thanks for that! I completely forgot about tcpdump and it just never occurred to me this port is blocked at ISP level.

    Thanks for waking me up :-)

    Richard
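
The tcpdump check that resolved this thread can be turned into a small classifier. This is an added example, not code from the thread or from Sophos; it assumes text output from `tcpdump -n`, and the addresses and capture lines are constructed (documentation IP ranges).

```python
import re

# tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def diagnose(capture_text, client_ip, port=80):
    """Classify a WAN-side capture taken while client_ip connects to port."""
    syn_in = synack_out = rst_out = 0
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        flags = m["flags"]
        inbound = m["src"] == client_ip and int(m["dport"]) == port
        outbound = m["dst"] == client_ip and int(m["sport"]) == port
        if inbound and flags == "S":        # bare SYN from the client
            syn_in += 1
        elif outbound and flags == "S.":    # SYN-ACK going back out
            synack_out += 1
        elif outbound and "R" in flags:     # RST going back out
            rst_out += 1
    if syn_in == 0:
        return "no-traffic-at-wan"  # nothing arrives: blocked upstream (ISP, modem/router)
    if synack_out:
        return "handshake-ok"       # forwarding works end to end
    if rst_out:
        return "refused"            # reached the firewall, connection actively reset
    return "syn-unanswered"         # reached the firewall: check the DNAT rule and server

CLIENT = "203.0.113.10"  # constructed test client; WAN IP below is 198.51.100.20

# Constructed capture: the working WAN:81 forward from the thread's scenario.
CAPTURE_PORT81 = """\
12:00:01.000100 IP 203.0.113.10.51514 > 198.51.100.20.81: Flags [S], seq 100, win 64240, length 0
12:00:01.000900 IP 198.51.100.20.81 > 203.0.113.10.51514: Flags [S.], seq 500, ack 101, win 65160, length 0
12:00:01.020000 IP 203.0.113.10.51514 > 198.51.100.20.81: Flags [.], ack 501, win 502, length 0
"""

# Constructed capture: SYNs arrive on port 80 but are retransmitted without any reply.
CAPTURE_UNANSWERED = """\
12:05:01.000000 IP 203.0.113.10.51600 > 198.51.100.20.80: Flags [S], seq 900, win 64240, length 0
12:05:02.010000 IP 203.0.113.10.51600 > 198.51.100.20.80: Flags [S], seq 900, win 64240, length 0
"""

if __name__ == "__main__":
    print(diagnose(CAPTURE_PORT81, CLIENT, 81), diagnose("", CLIENT, 80))
```

An empty capture for port 80 alongside a clean handshake on port 81 is the pattern reported in this thread, and it points upstream of the firewall rather than at the DNAT rule.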
