From owner-freebsd-questions@FreeBSD.ORG  Mon Mar 20 19:29:44 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 70B9F16A41F
	for <freebsd-questions@freebsd.org>;
	Mon, 20 Mar 2006 19:29:44 +0000 (UTC)
	(envelope-from rodrigo@sensorsistemas.com.br)
Received: from hm323.locaweb.com.br (hm323.locaweb.com.br [200.234.205.150])
	by mx1.FreeBSD.org (Postfix) with SMTP id 4B63443D72
	for <freebsd-questions@freebsd.org>;
	Mon, 20 Mar 2006 19:29:38 +0000 (GMT)
	(envelope-from rodrigo@sensorsistemas.com.br)
Received: (qmail 22452 invoked from network); 20 Mar 2006 19:29:34 -0000
Received: from unknown (10.1.10.10)
	by hm323.locaweb.com.br with QMQP; 20 Mar 2006 19:29:34 -0000
Received: from unknown (HELO ?192.168.0.109?)
	(rodrigo@sensorsistemas.com.br@201.28.123.138)
	by hm10.locaweb.com.br with SMTP; 20 Mar 2006 19:29:49 -0000
Message-ID: <441F028F.6010608@sensorsistemas.com.br>
Date: Mon, 20 Mar 2006 16:29:19 -0300
From: "Rodrigo G. Tavares de Souza" <rodrigo@sensorsistemas.com.br>
User-Agent: Thunderbird 1.5 (Windows/20051201)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: IPFW - Creating my own rules
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2006 19:29:44 -0000

Hi,

    I'm trying to configure the IPFW with no success.
    Do I need to configure [in] access to each service allowed?
    I have these services:
      - Public DNS Server (outside);
      - Public POP Server (outside);
      - Public SMTP Server (outside);
      - Squid as Proxy;

   The whole Internet traffic is being redirected to Squid. I need open 
DNS, POP and SMTP.
   What is wrong with the follow rules file?

Best Regards,
Rodrigo Souza
Sao Paulo - Brazil

-----------------------------------------------
security log file
-----------------------------------------------
Mar 20 15:45:15 bsd-net kernel: ipfw: 450 Deny TCP 207.46.6.75:1863 
192.168.0.103:1580 in via rl0
Mar 20 15:45:18 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 
192.168.0.109:1056 in via rl0
Mar 20 15:45:44 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 
192.168.0.109:1056 in via rl0
Mar 20 15:45:49 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:110 
192.168.0.114:2238 in via rl0
...
Mar 20 15:45:59 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:110 
192.168.0.114:2238 in via rl0
Mar 20 15:46:00 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:25 
192.168.0.161:2090 in via rl0
Mar 20 15:46:01 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:25 
192.168.0.161:2090 in via rl0
-----------------------------------------------
#!/bin/sh
ipfw -q -f flush

cmd="ipfw -q add"
pif="rl0"
skip="skipto 500"
ks="keep-state"

$cmd 010 divert 8668 ip from any to any via $pif
$cmd 020 allow all from any to 192.168.0.2
$cmd 030 allow all from any to any via lo0
$cmd 040 fwd 192.168.0.2,3128 tcp from 192.168.0.0/24 to any dst-port 80

# DNS SERVER
# ********************************
$cmd 050 allow tcp from any to 200.153.0.68 53 out via $pif setup $ks
$cmd 055 allow udp from any to 200.153.0.68 53 out via $pif $ks

$cmd 060 allow tcp from any to 200.153.0.192 53 out via $pif setup $ks
$cmd 065 allow udp from any to 200.153.0.192 53 out via $pif $ks

# INTERNET
# ********************************
$cmd 070 allow tcp from any to any 80  out via $pif setup keep-state
$cmd 075 allow tcp from any to any 443 out via $pif setup keep-state

# POP AND SMTP SERVER
# ********************************
$cmd 080 allow tcp from any to 200.246.179.88 25  out via $pif setup $ks
$cmd 085 allow tcp from any to 200.246.179.88 110 out via $pif setup $ks

# FULL root RIGHTS
# ********************************
$cmd 090 allow tcp from me to any out via $pif setup keep-state uid root

# PING
# ********************************
$cmd 110 allow icmp from any to any out via $pif keep-state

# DENY NOT ALLOWED
# ********************************
$cmd 450 deny log all from any to any via $pif