From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 16 11:06:55 2009
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 16 Nov 2009 11:06:55 GMT
Message-Id: <200911161106.nAGB6tcc011202@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

63 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 17 05:06:27 2009
From: "Rakort"
To: freebsd-ipfw@freebsd.org
Date: Mon, 16 Nov 2009 22:54:41 -0600
Message-ID: <000501ca6742$1874a300$495de900$@net>
Subject: dansguardian, ipfw, nat question

Hello all

Trying to configure my gateway box running FBSD 7.2 to provide content
filtering services for some or all clients on my network.

The box is configured with natd and running IPFW.  I like this combination
and have been using it successfully for years.  Not really interested in
changing to squid or pf or whatever else may be known (or better documented)
to work with dansguardian.

Dansguardian seems to be the preferred option for content filtering as near
as I can tell.  There is lots of documentation out there for configuring
dans with squid.  I can't find much of anything for IPFW / NAT.

So, the question is, can this be done?  I've seen one or two suggestions out
there giving a brief description of how to use the fwd command to send
packets to dans but unfortunately I am not smart enough to implement that
here.
Any help, thoughts, or references would be appreciated.

thanks
Brian

Here is a boiled down set of rules that I use:

#!/bin/sh
cmd="ipfw add"
skip="skipto 700"
oif=dc0
iif=re0
log="log logamount 1000"
ks="keep-state"

ipfw -f flush

$cmd 098 allow all from any to any via $iif  # Allow LAN traffic
$cmd 099 allow all from any to any via lo0   # Allow loopback traffic
$cmd 105 divert natd all from any to any in via $oif  # check if packet is inbound and nat address if it is
$cmd 110 check-state  # Allow packet if it has previously been added to the "dynamic" rules table

### Authorized icmp / udp outbound packets
$cmd 200 $skip icmp from any to any out via $oif $ks  # ping
$cmd 201 $skip udp from any to any 123 out via $oif $ks  # time
$cmd 203 $skip $log udp from any to xx.xxx.xx.1 67 out via $oif $ks  # DHCP
$cmd 205 $skip udp from any to any 53 out via $oif $ks  # DNS

### Authorized tcp outbound packets
$cmd 301 $skip tcp from any to any 25 out via $oif setup $ks  # mail
$cmd 303 $skip $log tcp from any to any 43 out via $oif setup $ks  # whois
$cmd 305 $skip tcp from any to any 80 out via $oif setup $ks  # http
$cmd 306 $skip tcp from any to any 110 out via $oif setup $ks  # mail
$cmd 307 $skip tcp from any to any 119 out via $oif setup $ks  # USENET
$cmd 308 $skip tcp from any to any 443 out via $oif setup $ks  # Secure http
$cmd 310 $skip $log tcp from any to any 23 out via $oif setup $ks  # telnet

### Everything else outbound is dropped and logged
$cmd 351 deny log logamount 10000 all from any to any out via $oif  # everything else

### Allow these incoming connections
$cmd 360 allow $log udp from xx.xxx.xxx.x to any 68 in via $oif $ks  # DHCP
$cmd 363 allow tcp from any to me 80 in via $oif setup $ks  # Incoming http connections

### May Consider Allowing these incoming connections
$cmd 396 allow $log tcp from any to any 113 in via $oif limit src-addr 4  # Ident packets.
$cmd 398 allow $log icmp from any to any icmptype 3,11 in via $oif limit src-addr 2  # Allow out & in console traceroute command

### deny various incoming packets
$cmd 401 deny $log all from 192.168.0.0/16 to any in via $oif  # RFC 1918 private IP
$cmd 402 deny $log all from 172.16.0.0/12 to any in via $oif  # RFC 1918 private IP
$cmd 403 deny $log all from 10.0.0.0/8 to any in via $oif  # RFC 1918 private IP
$cmd 404 deny $log all from 127.0.0.0/8 to any in via $oif  # loopback
$cmd 405 deny $log all from 0.0.0.0/8 to any in via $oif  # loopback
$cmd 406 deny $log all from 169.254.0.0/16 to any in via $oif  # DHCP auto-config
$cmd 407 deny $log all from 192.0.2.0/24 to any in via $oif  # reserved for docs
$cmd 408 deny $log all from 204.152.64.0/23 to any in via $oif  # Sun cluster
$cmd 409 deny $log all from 224.0.0.0/3 to any in via $oif  # Class D & E multicast

### deny various incoming packets
$cmd 448 reset $log tcp from any to me 113 in via $oif limit src-addr 4  # This sends a RESET to all ident packets.
$cmd 449 deny $log tcp from any to any 113 in via $oif  # Deny ident
$cmd 450 deny $log icmp from any to any icmptype 5 in via $oif  # Stop & log external redirect requests.
$cmd 451 deny $log icmp from any to any in via $oif  # Deny pings from the world
$cmd 452 deny $log all from any to any in frag  # Fragmented Packets
$cmd 453 deny $log all from any to any 137,138,139,81 in via $oif  # Deny all Netbios service & MS/Windows hosts2 name server
$cmd 454 deny $log all from any to any frag in via $oif  # Deny any late arriving packets
$cmd 455 deny $log tcp from any to any established in via $oif  # Deny ACK packets that did not match the dynamic rule table
$cmd 456 deny $log all from me to me in via $oif  # Stop & log spoofing Attack attempts.
$cmd 457 deny all from any to any 1024-1030 in via $oif  # MS Messenger spam

### Reject & Log all the rest of the incoming connections
$cmd 600 deny log logamount 10000 all from any to any in via $oif

### deny and log all packets that fell through to see what they are
### Nothing should ever get to this rule!!!
$cmd 601 deny log logamount 10000 all from any to any

### This is skipto location for outbound stateful rules
$cmd 700 divert natd all from any to any out via $oif
$cmd 800 allow all from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 17 05:18:56 2009
From: "Brian"
To: freebsd-ipfw@freebsd.org
Date: Mon, 16 Nov 2009 22:51:44 -0600
Message-ID: <000001ca6741$b1316520$13942f60$@net>
Subject: Dansguardian, nat, & ipfw

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 17 05:37:12 2009
Date: Mon, 16 Nov 2009 21:37:11 -0800
From: Freddie Cash
To: Brian
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <000001ca6741$b1316520$13942f60$@net>
Subject: Re: Dansguardian, nat, & ipfw

On Mon, Nov 16, 2009 at 8:51 PM, Brian wrote:
> Trying to configure my gateway box running FBSD 7.2 to provide content
> filtering services for some or all clients on my network.
>
> The box is configured with natd and running IPFW.  I like this combination
> and have been using it successfully for years.  Not really interested in
> changing to squid or pf or whatever else may be known (or better documented)
> to work with dansguardian.

Dansguardian does not do any page fetches on its own, it just scans pages
returned by a proxy server.  You cannot run Dansguardian without some kind
of web proxy server.  By default, the port will install Squid, but it has
been shown to work with TinyProxy.

> Dansguardian seems to be the preferred option for content filtering as near
> as I can tell.  There is lots of documentation out there for configuring
> dans with squid.  I can't find much of anything for IPFW / NAT.
>
> So, the question is, can this be done?  I've seen one or two suggestions out
> there giving a brief description of how to use the fwd command to send
> packets to dans but unfortunately I am not smart enough to implement that
> here.
You can use IPFW to fwd packets to Dansguardian quite easily:

ipfw add fwd 127.0.0.1:8080 tcp from $local_subnet to any 80 in recv $local_nic
ipfw add allow tcp from me to any 80 out xmit $public_nic
ipfw add allow tcp from any 80 to me in recv $public_nic established

The first rule redirects all HTTP traffic from the local subnet to
Dansguardian.  Dansguardian will then pass the packets off to a local
install of Squid (uses 127.0.0.1:3128 by default).  Squid will then connect
out to the remote web server to grab the pages (the next two rules).

You *MUST* have a web proxy server installed somewhere, that Dansguardian
will forward the requests to, and receive the responses from.

-- 
Freddie Cash
fjwcash@gmail.com
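Whether Freddie's fwd rule ever fires depends on where it sits relative to Brian's rule 098 (allow all from any to any via $iif), which accepts every LAN packet before any later rule is consulted. The Python below is an added example, not code from either poster: a toy first-match evaluator for the few ipfw keywords these two rulesets use, run over a boiled-down copy of Brian's rules with and without the redirect. The LAN 192.168.1.0/24, the gateway and web server addresses and rule number 090 are assumptions.

```python
"""Toy first-match simulator for a small subset of ipfw(8) rule syntax.
Added example, not code from the thread: it replays a boiled-down copy of
Brian's ruleset with Freddie Cash's fwd rule inserted, showing the redirect
must sit below 098 (allow all from any to any via $iif) or LAN HTTP is accepted
there first.  LAN 192.168.1.0/24, addresses and number 090 are assumptions."""
import ipaddress

# Brian's ruleset, boiled down further: iif=re0 (LAN), oif=dc0 (public).
RULES_ORIGINAL = """
098 allow all from any to any via re0
105 divert natd all from any to any in via dc0
110 check-state
305 skipto 700 tcp from any to any 80 out via dc0 setup keep-state
600 deny all from any to any in via dc0
700 divert natd all from any to any out via dc0
800 allow all from any to any
"""
# Freddie's redirect (ipfw(8) documents the port separator as a comma) at
# 090, so it is evaluated before the blanket LAN allow.  On FreeBSD 7.x the
# fwd action also needs a kernel built with options IPFIREWALL_FORWARD.
FWD_RULE = "090 fwd 127.0.0.1,8080 tcp from 192.168.1.0/24 to any 80 in recv re0\n"

def parse_rule(line):
    """Parse 'NUM ACTION [ARG] PROTO from SRC to DST [PORT] [OPTIONS...]'."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "arg": None, "proto": "all",
         "src": "any", "dst": "any", "dport": None, "opts": {}}
    i = 2
    if r["action"] in ("divert", "fwd", "skipto"):
        r["arg"], i = t[i], i + 1
    if r["action"] == "check-state":
        return r
    r["proto"], r["src"], r["dst"], i = t[i], t[i + 2], t[i + 4], i + 5
    if i < len(t) and t[i].isdigit():
        r["dport"], i = int(t[i]), i + 1
    while i < len(t):                      # everything left is an option
        if t[i] in ("via", "recv", "xmit"):
            r["opts"][t[i]], i = t[i + 1], i + 2
        else:
            r["opts"][t[i]], i = True, i + 1
    return r

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    """p: proto, src, dst, dport, dir ('in'/'out'), recv, xmit, tcp flag state."""
    o = r["opts"]
    if r["action"] == "check-state":       # dynamic state not modelled
        return False
    return all([
        r["proto"] in ("all", p["proto"]),
        in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"]),
        r["dport"] in (None, p["dport"]),
        "in" not in o or p["dir"] == "in",
        "out" not in o or p["dir"] == "out",
        "via" not in o or o["via"] in (p["recv"], p["xmit"]),
        "recv" not in o or o["recv"] == p["recv"],
        "xmit" not in o or o["xmit"] == p["xmit"],
        "setup" not in o or p["tcp"] == "setup",
        "established" not in o or p["tcp"] == "established",
    ])

def decide(ruleset, pkt):
    """First match wins; skipto jumps ahead.  Returns (number, action, arg)."""
    rules = sorted((parse_rule(l) for l in ruleset.splitlines() if l.strip()),
                   key=lambda r: r["num"])
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
        elif r["action"] == "skipto":
            target = int(r["arg"])
            i = next((j for j, x in enumerate(rules) if x["num"] >= target), len(rules))
        else:
            return r["num"], r["action"], r["arg"]
    return 65535, "deny", None             # ipfw's implicit default rule

# Constructed packets: a LAN client's HTTP SYN arriving on re0, and the proxy
# on the gateway (public address assumed) opening its own fetch out of dc0.
LAN_SYN = {"proto": "tcp", "src": "192.168.1.10", "dst": "198.51.100.7", "dport": 80,
           "dir": "in", "recv": "re0", "xmit": None, "tcp": "setup"}
PROXY_SYN = {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.7", "dport": 80,
             "dir": "out", "recv": None, "xmit": "dc0", "tcp": "setup"}
```

Dynamic rules (check-state/keep-state) are not modelled, so the simulator only answers where the first static match lands; the proxy's own fetch still reaches rule 305 and is diverted to natd at 700 exactly as Brian's outbound HTTP does today.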
From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 20 19:29:52 2009
Message-ID: <4B06E7F2.2060205@tenebras.com>
Date: Fri, 20 Nov 2009 11:03:14 -0800
From: Michael Sierchio
To: freebsd-ipfw@freebsd.org
Subject: ipfw nat
Reply-To: kudzu@tenebras.com

Unless I'm mistaken, there appears to be no way to cause ipfw's internal nat
mechanism to log dropped packets.  This is a considerable loss of
functionality from using natd.  Is there a reason for this?

- M

-- 
Michael Sierchio  +1 415 378 1182
PO Box 9036  Berkeley CA 94709 US
kudzu@tenebras.com