milend wrote:
> As far as I understand I can create Input rules only if I need to
> restrict the access to our LAN from outside.
this is correct, except that you really do need to restrict access to
your lan, unless you really like being hacked of course. use the
firewall to close any unnecessary incoming ports, otherwise you are
leaving yourself vulnerable.
> I do not have to specify Output rules if I want all computers in our
> LAN to have access to Internet.
correct
> So, I do not have any input/output rules and still I can not access
> the web server running in our LAN. Even when the basic firewall is
> off I can't access the website.
>
> Do I need to have some other products installed? Or just change of
> firewall configuration is enough? If so what do I need to change
> in order to make the web server accessible for the outside world?
the firewall alone will not give you access to your internal
webserver. you will need to install something else to do so.
basically, by default webservers are accessed through port 80, so all
incoming traffic on port 80 will be stopped by the qube's built-in
webserver. if you want to access an internal webserver, you will need
to forward web traffic to the internal computer. you do this using
"port forwarding". you can search the archives (and elsewhere) for
more discussions about how to re-direct traffic to internal ports.

fortunately, the emea group has created a nice little pkg file you can
install through the web gui on your qube that will provide port
forwarding for you (i think it is even gui configurable). i've not
yet used this package myself (i use a different 3rd party utility
called portfwd, you can search the archives if interested), but if you
want to try it, it can be found at:
http://pkgmaster.com/i386/Q3-Portfw-1.1.pkg

however, you need to be careful here. the problem is that if you
forward all web traffic from the qube to a different computer on your
lan, then you will no longer be able to access the qube's public
website (including the web-based admin gui for your qube if you aren't
careful). this will probably not make you happy. to get around
this you could specify a different port in the url and then forward
that port to port 80 on the internal computer. for example, you could
use the alt http port, 8080, which would make your url
"www.mydomain.com:8080". of course you also have to make sure that
whatever port you use does not conflict with another service and that
it is open in the firewall.

for a comprehensive list of port numbers see:
http://www.redhat.com/support/resources/tips/urls/txt/port_numbers

it occurs to me that you may be able to set this up without port
forwarding by using dns on the qube, but someone else will have to
help you with that, as i do not use dns on our qube and am not even sure
if dns alone would work in your case.

anyway, good luck.
mikey.