From owner-freebsd-questions@FreeBSD.ORG Wed Jan 7 12:48:58 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8645B16A4CE for ; Wed, 7 Jan 2004 12:48:58 -0800 (PST)
Received: from ptb-relay03.plus.net (ptb-relay03.plus.net [212.159.14.214]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE0C943D2F for ; Wed, 7 Jan 2004 12:48:25 -0800 (PST) (envelope-from general@benquick.f9.co.uk)
Received: from [81.174.151.181] (helo=benquick.f9.co.uk) by ptb-relay03.plus.net with esmtp (Exim) id 1AeKbI-000HSF-J0 for freebsd-questions@freebsd.org; Wed, 07 Jan 2004 20:48:24 +0000
Message-ID: <3FFC7098.9090704@benquick.f9.co.uk>
Date: Wed, 07 Jan 2004 20:48:24 +0000
From: Ben Quick
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <200401072031.CAA23216@manage.24online>
In-Reply-To: <200401072031.CAA23216@manage.24online>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: IPFW confusion
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 07 Jan 2004 20:48:58 -0000

Hi Subhro,

Thanks for your reply.

The reason I want the server to route between the internal network and the router is because I only want to allow specific clients out onto the internet, and I can't see how to do this with the router I've got. Plus, it's a good excuse to try to learn something new :-)

You say it's expected that I can't ping. It's things like this that confuse me, due to lack of understanding on my part. I've allowed all traffic through. Or so I thought...

I've had a quick skim of the HOWTO, and it seems informative.
But it's still the IPFW rules that get me all confused.

Ben

Subhro wrote:

> Hi Ben,
>
> First of all I must say you explained your requirements very well. Not many
> people can precisely say what they need. Bravo!
>
> Let's get to the point now. First of all I don't find a good reason why
> you would like to introduce your system (192.168.0.10) (let's call it server)
> to work as a router although you have a dedicated router. You can be well
> off adding routes in the D-Link and be off with it. If you really want to
> live with your current setup, then you must decide whether you want to go
> with NAT or with transparent proxy. With your current setup, it is perfectly
> all right that you can't ping any external hosts. I would recommend that you
> go with NAT guarded by ipfw at the server. But you may also go with
> transparent proxy as it has its own advantages. Refer to the following page:
>
> http://www.erudition.net/freebsd/NAT-HOWTO
>
> This has a really good tutorial on setting up NAT.
>
> Regards
> Subhro
>
> Subhro Sankha Kar
> Indian Institute of Information Technology
> Block AQ-13/1, Sector V
> Salt Lake City
> PIN 700091
> India
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Ben Quick
> Sent: Wednesday, January 07, 2004 11:05 PM
> To: freebsd-questions@freebsd.org
> Subject: IPFW confusion
>
> Hello all,
> I've been hunting around for information on IPFW, and how to set up the
> rules I require. I found a tutorial that seemed to fit my needs:
> http://www.mostgraveconcern.com/freebsd/ipfw.html
>
> However, I can't get the config to work. I've commented out all the deny
> rules. In this instance, I can browse the web via SQUID that's installed
> on the IPFW box. I can't browse the web directly, though. That is the
> only external access I get. I can't ping any sites, DNS lookups fail
> (I've set the DNS servers on the client workstation to be those of my ISP.
> I also tried setting it to look at the IPFW box first, with no luck).
>
> Can anyone offer help on this one? I'm getting stuck in a muddle of
> misunderstanding.
>
> My setup is as follows:
>
> Internal LAN is 192.168.0.x
> IPFW machine has 2 NICs:
> rl0: 192.168.0.10
> rl1: 172.16.200.10
> rl1 connects directly to my DSL router (D-Link 504) which has an
> internal IP of 172.16.200.1 along with its public IP on the DSL port
>
> The ruleset I'd like is as follows:
>
> For client IPs of 192.168.0.1 - 192.168.0.20 allow the following:
> HTTP / HTTPS - But not directly, force them to use SQUID (listening on
> port 8080, and using squidGuard for content filtering)
> POP3 - But only so far as pop.myisp.com
> IMAP - But only so far as imap.myisp.com
> SMTP - But only so far as smtp.myisp.com
> DNS lookups - But only with ns1.myisp.com and ns2.myisp.com
> NNTP - But only so far as news.myisp.com
> FTP - To anywhere
>
> For client IPs of 192.168.0.21 - 192.168.0.254 no access to anything
> external to the 192.168.0.x network should be granted.
>
> I'd like the IPFW box and 192.168.0.1 to be able to SSH out to anywhere.
>
> I'd like to allow SSH inbound from a specific IP to be directed at the
> IPFW box (the port forwarding can be done with the DSL router) - SSH
> isn't currently listening on that interface, I'll get to that later :)
>
> Does this sound like a reasonable ruleset? Is anyone willing to help me
> generate it?
>
> Thanks
> Ben
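A concrete answer to the request at the end of the quoted post, added here as an example; it is not code from the thread or from either poster. It is a small sh script that writes the wanted ruleset as an ipfw rules file, following the NAT route Subhro recommends. Assumptions, beyond what the post states: ipfw2 syntax (FreeBSD 5.x, or 4.x built with "options IPFW2") for the 192.168.0.0/24{1-20} address-set notation and the "me" keyword; natd(8) running on rl1 on its default divert port; 198.51.100.7 as a placeholder for the one external address allowed to SSH in; and the names r, ipfw_rules and check_skipto, which are the script's own. The hostnames are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: writes Ben's wanted ruleset as an
# ipfw(8) rules file for the two-NIC box (rl0 inside, rl1 to the D-Link).
# Assumptions:
#  - ipfw2 syntax (FreeBSD 5.x, or 4.x with "options IPFW2") for the
#    192.168.0.0/24{1-20} address-set notation and the "me" keyword;
#  - natd(8) on rl1, as Subhro recommends, on the default divert port, e.g.
#    in /etc/rc.conf:  gateway_enable="YES" firewall_enable="YES"
#    firewall_type="/etc/ipfw.rules" natd_enable="YES" natd_interface="rl1";
#  - 198.51.100.7 is a placeholder for the external address allowed to ssh in.
# Usage:  sh ipfw-rules.sh > /etc/ipfw.rules && sh /etc/rc.firewall
#         sh ipfw-rules.sh apply        (check, flush and load directly)

iif="rl0"; lan="192.168.0.0/24"         # inside NIC (192.168.0.10)
oif="rl1"; oip="172.16.200.10"          # outside NIC, towards the D-Link at 172.16.200.1
clients="${lan}{1-20}"                  # the hosts allowed any external access
sshclient="192.168.0.1"                 # the one LAN host that may ssh out
admin_ip="198.51.100.7"                 # ASSUMED: external admin address (documentation range)
pop="pop.myisp.com"; imap="imap.myisp.com"; smtp="smtp.myisp.com"; nntp="news.myisp.com"
ns1="ns1.myisp.com"; ns2="ns2.myisp.com"  # ipfw resolves names once, when the file is loaded

r() { printf 'add %s\n' "$*"; }         # one rule, in the form ipfw reads from a file

ipfw_rules() {
  # loopback, and nothing pretending to be loopback on a real NIC
  r 100 allow ip from any to any via lo0
  r 110 deny ip from any to 127.0.0.0/8
  r 120 deny ip from 127.0.0.0/8 to any
  # outside NIC, inbound: drop spoofed LAN sources, un-NAT, then pass
  # packets of known sessions (dynamic rules are keyed on the pre-NAT
  # addresses, so check-state must sit after the divert)
  r 200 deny log ip from "$lan" to any in via "$oif"
  r 210 divert natd ip from any to any in via "$oif"
  r 220 check-state
  # inside NIC: the LAN reaches the box only for Squid and ping; the 1-20
  # group may be forwarded and is filtered per service on the way out
  r 400 allow tcp from "$clients" to me 8080 in via "$iif" setup keep-state
  r 410 allow icmp from "$lan" to me in via "$iif" icmptypes 8 keep-state
  r 420 deny log ip from any to me in via "$iif"
  r 430 allow ip from "$clients" to any in via "$iif"
  r 440 deny log ip from any to any in via "$iif"
  r 450 allow ip from me to "$lan" out via "$iif" keep-state
  # outside NIC, outbound from the LAN: the source is still the private
  # address here, so filter per client and service, then skipto the NAT
  # rule; keep-state remembers the skipto for the rest of the session.
  # No rule for 80/443 from the LAN: browsers have to go through Squid.
  r 500 skipto 900 tcp from "$clients" to "$pop" 110 out via "$oif" setup keep-state
  r 510 skipto 900 tcp from "$clients" to "$imap" 143 out via "$oif" setup keep-state
  r 520 skipto 900 tcp from "$clients" to "$smtp" 25 out via "$oif" setup keep-state
  r 530 skipto 900 tcp from "$clients" to "$nntp" 119 out via "$oif" setup keep-state
  r 540 skipto 900 tcp from "$clients" to any 21 out via "$oif" setup keep-state
  n=550
  for ns in "$ns1" "$ns2"; do
    r "$n" skipto 900 udp from "$clients" to "$ns" 53 out via "$oif" keep-state
    n=$((n + 1))
  done
  r 560 skipto 900 tcp from "$sshclient" to any 22 out via "$oif" setup keep-state
  r 570 skipto 900 icmp from "$clients" to any out via "$oif" icmptypes 8 keep-state
  # the box itself: Squid's fetches, ssh out, its own resolver, ping
  r 600 allow tcp from "$oip" to any 80,443 out via "$oif" setup keep-state
  r 610 allow tcp from "$oip" to any 22 out via "$oif" setup keep-state
  n=620
  for ns in "$ns1" "$ns2"; do
    r "$n" allow udp from "$oip" to "$ns" 53 out via "$oif" keep-state
    n=$((n + 1))
  done
  r 630 allow icmp from "$oip" to any out via "$oif" icmptypes 8 keep-state
  # ssh in from the one admin address, forwarded to us by the D-Link
  r 700 allow tcp from "$admin_ip" to "$oip" 22 in via "$oif" setup keep-state
  # everything else, including 192.168.0.21-254 and direct HTTP, stops here
  r 800 deny log ip from any to any
  # NAT target for the skipto rules above
  r 900 divert natd ip from any to any out via "$oif"
  r 910 allow ip from any to any
}

# Sanity check before loading: ipfw accepts a skipto to a number that does
# not exist and simply jumps to the next higher rule, so a typo in a target
# silently lands somewhere unintended. Insist that every target is defined.
check_skipto() {
  rules=$(ipfw_rules)
  for t in $(printf '%s\n' "$rules" | sed -n 's/^add [0-9]* skipto \([0-9]*\) .*/\1/p' | sort -u); do
    printf '%s\n' "$rules" | grep -q "^add $t " || { echo "no rule $t for skipto" >&2; return 1; }
  done
}

case "${1:-print}" in
  print) ipfw_rules ;;
  apply) check_skipto && ipfw -q -f flush && ipfw_rules > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules ;;
esac
```

Two caveats a practitioner would want before trusting this. FTP only gets its control channel (port 21): ipfw does not follow the PORT/PASV negotiation, so data connections need natd's -punch_fw option or an FTP proxy on the box. And because ipfw resolves pop.myisp.com and friends once at load time, the box's own resolver (rule 620) must work before the file is loaded, and the rules must be reloaded if the ISP moves a server; putting the addresses in directly avoids both problems. The "log" keyword only does something with options IPFIREWALL_VERBOSE in the kernel or net.inet.ip.fw.verbose=1.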