From: Chuck Swiger <cswiger@mac.com>
To: David van Rensburg - PC Network
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 18 Jul 2011 11:32:03 -0700
Message-id: <28D3D376-49A7-4ABD-A2DA-2BC74CCFED7D@mac.com>
Subject: Re: ipfw and nat problem
List-Id: IPFW Technical Discussions

On Jul 18, 2011, at 10:41 AM, David van Rensburg - PC Network wrote:

> I've been having a problem with ipfw and nat. I can get nat to work but I want the following:
> My LAN must only have access to outgoing port 80

For web access to be useful for most cases, you also need to permit 443 for HTTPS.

> I want to be able to allow some LAN users access to ftp and outgoing 3389 (remote desktop), but by default only port 80
> I have transparent proxy work in ipfw.
> I want to be able to limit outgoing and incoming to the freebsd server according to port.
> I want a default deny.

You haven't mentioned anything about DNS, NTP, SMTP & POP3/IMAP. For web access or remote desktop to function, you'll need to permit DNS traffic so they can find the machines they are connecting to. And most networks want to have network time and email working.

> ANY help or point me in the right direction would be great. I have been googling for a week now and can't find anything similar. Most examples don't use a default deny and don't allow certain services to the LAN users.

Start with:

  http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

...and the books recommended in /etc/rc.firewall:

  # If you don't know enough about packet filtering, we suggest that you
  # take time to read this book:
  #
  #   Building Internet Firewalls, 2nd Edition
  #   Brent Chapman and Elizabeth Zwicky
  #
  #   O'Reilly & Associates, Inc
  #   ISBN 1-56592-871-7
  #   http://www.ora.com/
  #   http://www.oreilly.com/catalog/fire2/
  #
  # For a more advanced treatment of Internet Security read:
  #
  #   Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
  #   William R. Cheswick, Steven M. Bellowin, Aviel D. Rubin
  #
  #   Addison-Wesley / Prentice Hall
  #   ISBN 0-201-63466-X
  #   http://www.pearsonhighered.com/
  #   http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html

Regards,
--
-Chuck
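As an added illustration of the default-deny policy discussed in this thread (example code, not from the thread and not FreeBSD's own rc.firewall): a sh script that generates an ipfw ruleset with in-kernel NAT, permitting the LAN only outbound 80/443, DNS, NTP and mail, letting the hosts listed in table 1 additionally reach FTP and RDP, limiting what reaches the FreeBSD box itself to SSH and DNS from the LAN, and logging whatever the default deny drops. The interface names em0/em1, the 192.168.1.0/24 prefix, the two FTP/RDP hosts and the rule numbers are assumptions; the transparent proxy rules the poster already has are left out.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Default-deny ipfw ruleset with in-kernel NAT for the policy discussed:
# LAN may reach 80/443, DNS, NTP and mail; only hosts in table 1 may also
# reach FTP (21) and RDP (3389); everything else is denied and logged.
# Interface names, addresses and rule numbers below are assumptions.

LAN_IF="${LAN_IF:-em1}"                 # inside interface (assumed)
WAN_IF="${WAN_IF:-em0}"                 # outside interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # LAN prefix (assumed)
FTP_RDP_HOSTS="${FTP_RDP_HOSTS:-192.168.1.10 192.168.1.11}"  # assumed hosts
IPFW="${IPFW:-/sbin/ipfw}"              # set IPFW=echo to preview only

# Emit one ipfw command per line (comment lines are skipped by apply_rules).
# Pure text: nothing in this function touches the kernel.
gen_rules() {
    echo "flush"
    echo "table 1 flush"
    for h in $FTP_RDP_HOSTS; do
        echo "table 1 add $h"
    done
    cat <<EOF
nat 1 config if $WAN_IF same_ports reset
# loopback, and nothing pretending to be loopback
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
# un-NAT inbound packets first so check-state sees the real LAN address
add 00200 nat 1 ip from any to any in via $WAN_IF
add 00300 check-state
# LAN side: forwarded traffic is judged on its way out; to the box itself
# only SSH and DNS (assumes the box is the LAN resolver) are permitted
add 00400 allow ip from $LAN_NET to not me in via $LAN_IF
add 00410 allow tcp from $LAN_NET to me 22 in via $LAN_IF setup keep-state
add 00420 allow udp from $LAN_NET to me 53 in via $LAN_IF keep-state
# outbound services for everyone: web, DNS, NTP, mail; state then NAT
add 01000 skipto 5000 tcp from any to any 80,443 out via $WAN_IF setup keep-state
add 01100 skipto 5000 udp from any to any 53 out via $WAN_IF keep-state
add 01110 skipto 5000 tcp from any to any 53 out via $WAN_IF setup keep-state
add 01200 skipto 5000 udp from any to any 123 out via $WAN_IF keep-state
add 01300 skipto 5000 tcp from any to any 25,110,143,993,995 out via $WAN_IF setup keep-state
# outbound FTP control and RDP only for the hosts in table 1
add 02000 skipto 5000 tcp from table(1) to any 21,3389 out via $WAN_IF setup keep-state
# default deny, logged, on every path not matched above
add 04000 deny log ip from any to any out via $WAN_IF
add 04100 deny log ip from any to any in via $WAN_IF
add 04200 deny log ip from any to any in via $LAN_IF
# skipto target: translate, then pass (also passes stateful replies)
add 05000 nat 1 ip from any to any out via $WAN_IF
add 05010 allow ip from any to any
add 65534 deny log ip from any to any
EOF
}

# Feed the rules to ipfw one command at a time, skipping comments.
# In-kernel NAT with check-state needs net.inet.ip.fw.one_pass=0, as the
# handbook notes, so a packet keeps traversing the ruleset after nat.
apply_rules() {
    gen_rules | while read -r line; do
        case $line in '#'*|'') continue ;; esac
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPFW -q $line
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with no arguments (or source it) to get the functions only; `sh rules.sh apply` loads the ruleset, and `IPFW=echo sh rules.sh apply` prints what would be loaded. Set `sysctl net.inet.ip.fw.one_pass=0` first, and watch /var/log/security (with net.inet.ip.fw.verbose=1) for the logged denies to see which services the LAN still needs before adding rules for them.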