-1

I've never used FreeBSD in my life but it's necessary for me to deploy an HTTP API on FreeBSD. The API is deployed on port 3002.

What do I need to do to forward requests from port 80 to port 3002?

I tried adding this to my /etc/natd.conf file:

interface le0
use_sockets yes
dynamic yes

redirect_port tcp 192.168.1.8:80 192.168.1.8:3002

I also have this in my /etc/ipfw.rules file:

 ipfw add 1000 fwd 127.0.0.1,80 tcp from any to any 3002

When I run ipfw -q -f flush I get:

 ipfw: setsockopt(IP_FW_XDEL): Protocol not available

I don't know what any of this means, but it's not working.

Can somebody please tell me (in simple newbie terms) how to forward requests from 80 to 3002 in FreeBSD?

(I'm assuming port 80 is both open and the default port for HTTP requests on a brand new FreeBSD installation)

parliament

4 Answers

2

The easiest way would be to use Nginx or HAProxy to listen on port 80 and then forward/proxy your requests to your API. By doing this you could also benefit from terminating SSL on port 443 and just forwarding traffic to your API.

For example to install nginx:

# pkg install nginx-lite

Then edit the /usr/local/etc/nginx/nginx.conf and use this in the server section:

server {
    listen 80 default_server;
    server_name _;

    location / {
        proxy_pass http://127.0.0.1:3002;
        proxy_http_version 1.1; # for keep-alive
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

This will forward the request to your API on port 3002 without the need to use NAT or any firewall like ipfw or pf. It also works if you have your app running within a jail.

nbari
0

Remember you need to put in /etc/rc.conf: gateway_enable="YES". You may also need to create a pipe (check the ipfw man page), and load the dummynet module.

  • I tried the first part of your answer and added gateway_enable="YES" but it didn't help. And unfortunately, I don't understand the second part of your answer. – parliament Jun 27 '18 at 19:00
  • Thanks, and you're right, it's not an easy system for a first timer. I was not able to get redirection working with the help of the manual; however, I found an interim solution by adding `net.inet.ip.portrange.reservedhigh=79` to /etc/sysctl.conf. That way there won't be any reserved privileged ports above 79, allowing me to bind my API directly to port 80 without a redirect. It's not ideal, so I'm leaving this question open for an authoritative answer on port redirection; I will add a bounty tomorrow. – parliament Jun 28 '18 at 10:30
0

In my opinion an easier option would be to use PF. Let me quote an example from the handbook: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

... redirection and NAT rules need to be defined before the filtering rules. Insert this rdr rule immediately after the nat rule:

rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

FWIW, I've published an Ansible role to configure PF: https://galaxy.ansible.com/vbotka/freebsd-pf/

Community
Vladimir Botka
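The handbook rule quoted in the answer above, adapted to the question's ports as an added example (not part of the original answer or the handbook). It assumes le0 (the interface from the question's natd.conf) is the external interface, that the API listens on 127.0.0.1:3002, and that SSH on port 22 must stay reachable; instead of `rdr pass`, the redirected traffic is admitted by an explicit filter rule under a default-deny policy.

```conf
# /etc/pf.conf (added example; interface, ports and the SSH rule are assumptions)
ext_if   = "le0"     # external interface, taken from the question's natd.conf
api_port = "3002"    # port the API listens on

# Do not filter loopback traffic.
set skip on lo0

# Translation rules must come before the filter rules.
# TCP arriving for port 80 on the external address is rewritten
# to the API on loopback, so the API never has to bind a port below 1024.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> 127.0.0.1 port $api_port

# Filter rules: drop inbound by default, allow outbound.
block in all
pass out all keep state

# Filtering happens after translation, so the rule that admits the
# redirected traffic matches the rewritten destination, not port 80.
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port $api_port

# Keep remote administration reachable (assumed to be SSH on port 22).
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22

# Check the syntax without loading:   pfctl -nf /etc/pf.conf
# Enable PF at boot and start it:     sysrc pf_enable=YES && service pf start
# Show the loaded translation rules:  pfctl -s nat
```

With the API bound only to 127.0.0.1, port 3002 is not reachable directly from the network, and the `net.inet.ip.portrange.reservedhigh` sysctl can stay at its default.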
0

almost done !!!!

should be

[was] ipfw add 1000 fwd 127.0.0.1,80 tcp from any to any 3002

ipfw add 1000 allow ipv4 from any to 127.0.0.1 via eth2

ipfw add 1010 fwd 127.0.0.1,3002 ipv4 from any to any 80,443 via eth2

Biddut Mitra