Date:      Sun, 7 Nov 2004 19:52:16 -0500
From:      "Ara" <ara@avvali.com>
To:        "'David Banning'" <david@skytrackercanada.com>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: ipfw allowing browser only
Message-ID:  <20041108005228.5F90F43D4C@mx1.FreeBSD.org>
In-Reply-To: <20041108001519.GB73403@skytrackercanada.com>

So you only want to allow web access (http) and nothing else? The problem
comes when the user is smart enough to get around the proxy access and use
the proxy setting on Messenger to send http traffic, bypassing the deny rule.
Create deny rules based on this, which might help:
AOL IM
login.oscar.aol.com
Default Port: 5190
64.12.161.153
64.12.161.185
64.12.200.89
205.188.179.233

ICQ
login.icq.com
Default Port: 5190
64.12.162.153
64.12.162.185
64.12.200.89
205.188.179.233

MSN Messenger
207.46.104.20 gateway.messenger.hotmail.com
64.4.13.171 http1.msgr.hotmail.com
.. .. .. ..
.. .. .. ..
64.4.13.190 http20.msgr.hotmail.com
.. .. .. ..
Yahoo
cs.yahoo.com
Default Port: 5050

-----Original Message-----
From: David Banning [mailto:david@skytrackercanada.com] 
Sent: November 7, 2004 7:15 PM
To: Ara; questions@freebsd.org
Subject: Re: ipfw allowing browser only

> Hello
> You only need tcp 80 on regular http and 443 for ssl, https
> I don't get what exactly you are trying to do. Are you publishing a web
> server to external clients behind a firewall? Any diagram text would be
> nice

This is simply to block all on the network from using any port
except 80. I want to block Messenger. If it starts running on port 80
then I am told I can block it via squid/dansguardian.

Internet <> router 
server <filtered only port 80> client winbox (192.168.1.6)


> 
> Internet <> router (192.168.1.6) <> webserver(192.168.1.1)
> Is this right?

Yes.


> 
> 
> 
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of David Banning
> Sent: November 7, 2004 1:57 PM
> To: questions@freebsd.org
> Subject: ipfw allowing browser only
> 
> I am trying to filter out all traffic except browser traffic.
> So I tried 
> 
> 01000 allow tcp from any to 192.168.1.6 80
> 01100 allow udp from any to 192.168.1.6 80
> 01200 deny ip from any to 192.168.1.6
> 65535 allow ip from any to any
> 
> But this does not allow browser traffic.
> 
> I have my browser traffic redirected via ipnat - ipnat rules are;
> 
> rdr dc0 127.0.0.1/0 port 80 -> 192.168.1.1 port 8180 tcp
> 
> I don't know what comes first, the redirect or the firewall, so maybe
> I should be allowing traffic to 8180?
> 
> My host is 192.168.1.1 and the win browser is at 192.168.1.6
> 
> Any help here would be appreciated.
> 
> -- 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
> 
> 
> 

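A ruleset that does what the original question asks (the client may only browse, and the messenger ports named in the reply are blocked), added here as an example and not part of the thread. It assumes dc0 is the LAN-facing interface (as the rdr rule suggests) and that the client's web traffic goes through the proxy on 192.168.1.1:8180; run it with `preview` (or set IPFW=echo) to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: lock the Windows client down to web
# browsing only. Addresses and ports come from the thread; dc0 as the LAN
# interface is an assumption based on the rdr rule.
IPFW=${IPFW:-/sbin/ipfw}
CLIENT=192.168.1.6      # win browser
GATEWAY=192.168.1.1     # FreeBSD host running ipnat and the proxy
PROXY_PORT=8180         # rdr target from the ipnat rule
LAN_IF=dc0

web_only_ruleset() {
    $IPFW -q flush
    $IPFW add 900 check-state
    # Match the client as the *source*. The original rules matched
    # "to 192.168.1.6 80", i.e. connections to a web server running on the
    # client, which ordinary browsing never produces.
    #
    # Whether ipnat rewrites the destination to $GATEWAY:$PROXY_PORT before
    # or after ipfw sees the packet depends on hook order, so allow both
    # forms and let keep-state handle the replies.
    $IPFW add 1000 allow tcp from $CLIENT to $GATEWAY $PROXY_PORT in via $LAN_IF setup keep-state
    $IPFW add 1010 allow tcp from $CLIENT to any 80,443 in via $LAN_IF setup keep-state
    # Name resolution has to work before any HTTP request can be made.
    $IPFW add 1020 allow udp from $CLIENT to any 53 in via $LAN_IF keep-state
    # Messenger ports named in the reply; logged so attempts show up in
    # the security log (needs net.inet.ip.fw.verbose=1).
    $IPFW add 1100 deny log tcp from $CLIENT to any 5190,5050 in via $LAN_IF
    # Everything else the client sends is dropped and logged.
    $IPFW add 1200 deny log ip from $CLIENT to any in via $LAN_IF
    $IPFW add 65000 allow ip from any to any
}

case "$1" in
    apply)   web_only_ruleset ;;
    preview) IPFW=echo; web_only_ruleset ;;
esac
```

The `allow udp ... 80` rule from the question is dropped on purpose: HTTP is TCP only, and the UDP rule matched nothing a browser sends.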