From 8086c52a2d0e29a82f3c08e0c9bf2ec1a4366c1d Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Mon, 16 Oct 2023 10:15:21 +0200 Subject: [PATCH] fix minor compile issues --- source/manual/how-tos/nat_reflection.rst | 6 +++--- source/manual/reverse_proxy.rst | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/source/manual/how-tos/nat_reflection.rst b/source/manual/how-tos/nat_reflection.rst index e66ad8a0..3f7de121 100644 --- a/source/manual/how-tos/nat_reflection.rst +++ b/source/manual/how-tos/nat_reflection.rst 
@@ -111,7 +111,7 @@ Go to :menuselection:`Firewall --> NAT --> Port Forward` IP ``203.0.113.1`` and destination port ``443`` --> rewrite the destination IP to ``172.16.1.1`` and the destination port to ``443``. .. Note:: - Due to "Add associated filter rule", the added linked firewall rule in :menuselection:`Firewall --> Rules --> Floating` will allow traffic to the destination IP ``172.16.1.1`` because NAT rules match before Firewall rules. That means the firewall receives the packet and the NAT rule converts the destination from ``203.0.113.1`` to ``172.16.1.1`` first, before passing the packet to the firewall filter. You could also set "Filter rule association: Pass", but then the resulting firewall rule would be invisible. + Due to "Add associated filter rule", the added linked firewall rule in :menuselection:`Firewall --> Rules --> Floating` will allow traffic to the destination IP ``172.16.1.1`` because NAT rules match before Firewall rules. That means the firewall receives the packet and the NAT rule converts the destination from ``203.0.113.1`` to ``172.16.1.1`` first, before passing the packet to the firewall filter. You could also set "Filter rule association: Pass", but then the resulting firewall rule would be invisible. .. Note:: In some setups (e.g. an external IP address is bound on an additional VPN interface) you need to set "Filter rule association: None" and create your own Firewall rules. One of those firewall rules should match only on the VPN interface, and in "advanced features" of that rule "reply-to" should be your VPN interface. The other firewall rule (without "reply-to") should match the remaining interfaces. 
@@ -224,7 +224,7 @@ Troubleshooting NAT Rules * ``pfctl -s nat`` * "rdr" means :menuselection:`Firewall --> NAT --> Port Forward` rules. * "nat" means :menuselection:`Firewall --> NAT --> Outbound` rules. - * You can also check the rules in the GUI in :menuselection:`Firewall --> Diagnostics --> Statistics" + * You can also check the rules in the GUI in :menuselection:`Firewall --> Diagnostics --> Statistics` .. Tip:: * Displays all NAT rules in the OPNsense debug: @@ -233,6 +233,6 @@ Troubleshooting NAT Rules .. Tip:: * Look at the default drops of the firewall live log in :menuselection:`Firewall --> Log Files --> Live View` - * Turn on logging of the NAT and Firewall rules you have created, and check if they match in :menuselection:`Firewall --> Log Files --> Live View`. NAT rules have the label "NAT" or "RDR". Firewall rules have their description as label. + * Turn on logging of the NAT and Firewall rules you have created, and check if they match in :menuselection:`Firewall --> Log Files --> Live View`. NAT rules have the label "NAT" or "RDR". Firewall rules have their description as label. * In ":menuselection:`Firewall --> Diagnostics --> Sessions` you can check if there is a session between your internal client and your internal server, and which rule matches to it. * Use tcpdump on the client, the opnsense and the server, and test if the traffic goes back and forth between the devices without any mistakes. Look for TCP SYN and SYN ACK. If there are only SYN then the connection isn't established and there are mistakes in your rules. diff --git a/source/manual/reverse_proxy.rst b/source/manual/reverse_proxy.rst index 49844255..2283ce09 100644 --- a/source/manual/reverse_proxy.rst +++ b/source/manual/reverse_proxy.rst 
@@ -86,7 +86,7 @@ Passenger Application Server for differnet nginx Unit_ Application Server for differnet Languages Undertow_ (Raw, JBoss, WildFly) Java application server Apache Tomcat Java application server -unit_, puma_, unicorn_ Many Rack_ based frameworks (RoR_, Sinatrarb_, …) +unit_, puma_, unicorn_ Many Rack_ based frameworks (RoR_, Sinatrarb_, …) gunicorn_ Python application server Apache HTTPd (with modules like mod_php) Webserver with interpreter modules ============================================= ================================================ @@ -223,4 +223,3 @@ Firewalling Misc ---- * :doc:`how-tos/nginx_hosting` -* :doc:`how-tos/haproxy_howtos`
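Review bot: in the nat_reflection.rst hunk at @@ -233, the unchanged bullet that begins "In ":menuselection:`Firewall --> Diagnostics --> Sessions`" still has a stray double quote in front of the :menuselection: role. This is the same kind of unbalanced quoting that the @@ -224 hunk fixes for the Statistics entry, so drop that quote in this commit as well. The tcpdump bullet below it writes "opnsense" in lowercase, while the Tip above uses "OPNsense"; align the spelling while touching this block.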
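Review bot: in the reverse_proxy.rst table hunk at @@ -86, the two context rows above the changed row (Passenger and nginx Unit_) both read "Application Server for differnet". Since this commit already edits the table, correct "differnet" to "different" in both rows in the same change.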
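Review bot: the reverse_proxy.rst hunk at @@ -223 removes the :doc:`how-tos/haproxy_howtos` entry from the Misc list. That is a content change rather than a formatting fix, and the subject "fix minor compile issues" does not explain it. If the target document no longer exists, say so in the commit message. If it was renamed, point the entry at the new path instead of dropping it, so that the reverse proxy page keeps a reference to the HAProxy how-tos.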