Date:      Mon, 09 Oct 2000 22:09:35 +0700
From:      "Rashid N. Achilov" <shelton@sentry.granch.ru>
To:        Nick Rogness <nick@rapidnet.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Where I was wrong?
Message-ID:  <39E1DFAF.8FC8A80C@sentry.granch.ru>
References:  <Pine.BSF.4.21.0010090723090.53783-100000@rapidnet.com>

Nick Rogness wrote:
> 
> 
>         I have this exact (almost) thing running and would be glad to help
>         more...but I need more details on how your internal net is laid
>         out (Interfaces,IP's,etc).
> 
More common model (I repeat here previous description and add some to
it):

--- was ---

I have a FreeBSD box, connected to two different ISPs and my own
private network. For example first ISP is 10.0.0.0/24, second
10.0.1.0/24 and my own network is 10.0.2.0/24, and FreeBSD router has:
10.0.0.1 to first ISP (10.0.0.2 other side, interface fxp0), 10.0.1.1 to
second (10.0.1.2 other side, interface rl0) and 10.0.2.1 to private
(interface ed0). My box in private is 10.0.2.2 and there are some other
Windozes...

--- was ---

Now: 10.0.2.2 isn't my box, it is a proxy server. In their net no more
boxes. Router has 2 additive NIC's - fxp1 (10.0.3.0/24, router here is a
10.0.3.1) in our private network (my box here is 10.0.3.2), some more
Windozes here also... and fxp2 (10.0.4.0/24, router here is a 10.0.4.1)
to our sub-division. I'd like to deny ALL traffic without proxy (exclude my
own box :-) and proxy itself) and partially deny proxy access from
10.0.4.0, partially allow all, except WWW (port 80)

So, I have written:

    # Stop RFC1918 nets on the outside interface
    $fwcmd add 105 deny log all from 192.168.0.0/16 to any via rl0
[skip some similar rules...]

    # Our boss! :-)
    $fwcmd add 1210 allow ip from 10.0.3.3 to any
    $fwcmd add 1215 allow ip from 10.0.3.4 to any

    $fwcmd add 1220 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0
    $fwcmd add 1225 fwd 10.0.0.2 ip from 10.0.3.2 to any out xmit rl0

    # Here I must insert there damned rules

    $fwcmd add 1226 allow ip from 10.0.2.2 to any
    $fwcmd add 1227 allow ip from 10.0.3.2 to any

    # Take control on the WWW traffic
    $fwcmd add 1230 deny log tcp from 10.0.3.0/24 to any 80

    # Some of our sub-division allow to Internet
    $fwcmd add 1305 allow all from 10.0.4.2 to any

    # Rest are denied
    $fwcmd add 1355 deny log tcp from 10.0.4.0/24 to any 3128-3130

    # Deny all non-excluded sub-division external traffic (internal is allowed)
    $fwcmd add 1450 deny log all from 10.0.4.0/24 to any out xmit rl0

    # Allow all local traffic
    # Here was allow all local traffic. Now it is commented out, because I don't need it now.

    # Non-exclusive forward from private - allow all, except WWW
    $fwcmd add 1550 fwd 10.0.0.2 ip from 10.0.3.10 to any out xmit rl0

-- 
   With Best Regards.
   Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514
   Granch Ltd. lead engineer, e-mail: achilov@granch.ru
   tel/fax (383-2) 24-2363
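A first-match walk over the rules quoted in the mail, as an added example that is not part of the original post or of ipfw itself: it parses the rules from 1220 onward into a deliberately small model of ipfw semantics (numbered rules, first match wins, allow/deny/fwd all treated as terminating, "out xmit IF" tested against the packet's output interface, so every packet is evaluated on its output pass) and reports which rule a given packet hits. The packets and the default deny at rule 65535 are constructed for illustration.

```python
# First-match walk over the ipfw rules quoted in the mail (added example, not
# code from the original post). Minimal ipfw model: numbered rules, first match
# wins, allow/deny/fwd all end the search, 'out xmit IF' matches the output interface.
import ipaddress

RULES = """1220 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0
1225 fwd 10.0.0.2 ip from 10.0.3.2 to any out xmit rl0
1226 allow ip from 10.0.2.2 to any
1227 allow ip from 10.0.3.2 to any
1230 deny log tcp from 10.0.3.0/24 to any 80
1305 allow all from 10.0.4.2 to any
1355 deny log tcp from 10.0.4.0/24 to any 3128-3130
1450 deny log all from 10.0.4.0/24 to any out xmit rl0
1550 fwd 10.0.0.2 ip from 10.0.3.10 to any out xmit rl0"""

def parse(line):
    """NUM action [nexthop] [log] proto from SRC to DST [PORT[-PORT]] [out xmit IF]"""
    t, i = line.replace(" log ", " ").split(), 2      # 'log' does not change what matches
    r = {"num": int(t[0]), "action": t[1], "nexthop": None, "ports": None, "iface": None}
    if r["action"] == "fwd":
        r["nexthop"], i = t[2], 3
    r["proto"], r["src"], r["dst"], i = t[i], t[i + 2], t[i + 4], i + 5
    if i < len(t) and t[i] != "out":                 # destination port or port range
        lo, _, hi = t[i].partition("-")
        r["ports"], i = (int(lo), int(hi or lo)), i + 1
    if t[i:i + 2] == ["out", "xmit"]:
        r["iface"] = t[i + 2]
    return r

RULESET = [parse(l) for l in RULES.splitlines()]

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def lookup(src, dst, dport, oif, proto="tcp", rules=RULESET):
    """(rule number, action) of the first matching rule, else the constructed default deny."""
    for r in rules:
        ok = (r["proto"] in ("ip", "all", proto)
              and in_net(r["src"], src) and in_net(r["dst"], dst)
              and (not r["ports"] or r["ports"][0] <= dport <= r["ports"][1])
              and (not r["iface"] or r["iface"] == oif))
        if ok:
            return r["num"], r["action"] + (" " + r["nexthop"] if r["nexthop"] else "")
    return 65535, "deny"

if __name__ == "__main__":
    print(lookup("10.0.3.10", "10.0.0.5", 80, "rl0"))   # 1230 deny: WWW deny sits before the 1550 fwd
    print(lookup("10.0.3.2", "10.0.0.5", 80, "rl0"))    # 1225 fwd 10.0.0.2: excluded box, before 1230
    print(lookup("10.0.4.5", "10.0.2.2", 3128, "ed0"))  # 1355 deny: proxy port blocked for the sub-division
```

Swapping the order of two rules in RULES (for instance putting 1230 ahead of 1225) and re-running the same lookups shows directly how the rule numbers, not the order in the script, decide which policy a host receives.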