From owner-freebsd-questions@FreeBSD.ORG Wed Jan 7 09:34:46 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF6E816A4CE for ; Wed, 7 Jan 2004 09:34:46 -0800 (PST) Received: from ptb-relay02.plus.net (ptb-relay02.plus.net [212.159.14.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id 181A243D1F for ; Wed, 7 Jan 2004 09:34:45 -0800 (PST) (envelope-from general@benquick.f9.co.uk) Received: from [81.174.151.181] (helo=benquick.f9.co.uk) by ptb-relay02.plus.net with esmtp (Exim) id 1AeHZr-0005Lb-MI for freebsd-questions@freebsd.org; Wed, 07 Jan 2004 17:34:43 +0000 Message-ID: <3FFC4333.8060807@benquick.f9.co.uk> Date: Wed, 07 Jan 2004 17:34:43 +0000 From: Ben Quick User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-questions@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: IPFW confusion X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jan 2004 17:34:46 -0000 Hello all, I've been hunting around for information on IPFW, and how to set up the rules I require. I found a tutorial that seemed to fit my needs: http://www.mostgraveconcern.com/freebsd/ipfw.html However, I can't get the config to work. I've commented out all the deny rules. In this instance, I can browse the web via SQUID that's installed on the IPFW box. I can't browse the web directly, though. That is the only external access I get. I can't ping any sites, DNS lookups fail (I've set the DNS servers on the client workstation to be that my ISP's. I also tried setting it to look at the IPFW box first, with no luck) Can anyone offer help on this one? I'm getting stuck in a muddle of mis-understanding My setup is as follows Internal LAN is 192.168.0.x IPFW machine has 2 NIC's: rl0: 192.168.0.10 rl1: 172.16.200.10 rl1 connects directly to my DSL router (D-Link 504) which has an internal IP of 172.16.200.1 along with it's public IP on the DSL port The ruleset I'd like is as follows For client IP's of 192.168.0.1 - 192.168.0.20 allow the following HTTP \ HTTPS - But not directly, force them to use SQUID (Listening on port 8080, and using squidGuard for content filtering) POP3 - But, only so far as pop.myisp.com IMAP - But, only so far as imap.myisp.com SMTP - But, only so far as smtp.myisp.com DNS lookups - But, only with ns1.myisp.com and ns2.myisp.com NNTP - But, only so far as news.myisp.com FTP - To anywhere For client IP's of 192.168.0.21 - 192.168.0.254 no access to anything external to the 192.168.0.x network should be granted I'd like the IPFW box and 192.168.0.1 to be able to SSH out to anywhere. I'd like to allow SSH inbound from a specific IP to be directed at the IPFW box (The port forwarding can be done with the DSL router) - SSH isn't currently listening on that interface, I'll get to that later :) Does this sound like a reasonable ruleset? Is anyone willing to help me generate it? Thanks Ben