From owner-freebsd-questions@FreeBSD.ORG Mon Nov 8 00:52:28 2004
From: "Ara"
To: "'David Banning'"
Cc: freebsd-questions@freebsd.org
Date: Sun, 7 Nov 2004 19:52:16 -0500
Subject: RE: ipfw allowing browser only
In-Reply-To: <20041108001519.GB73403@skytrackercanada.com>
Message-Id: <20041108005228.5F90F43D4C@mx1.FreeBSD.org>

So you only want to allow web access (http) and nothing else? The problem
comes when the user is smart enough to get around the proxy access and use
the proxy setting on messenger to use http traffic, bypassing the deny rule.

Create deny rules based on this, which might help:

AOL IM
  login.oscar.aol.com  Default Port: 5190
  64.12.161.153
  64.12.161.185
  64.12.200.89
  205.188.179.233

ICQ
  login.icq.com  Default Port: 5190
  64.12.162.153
  64.12.162.185
  64.12.200.89
  205.188.179.233

MSN Messenger
  207.46.104.20  gateway.messenger.hotmail.com
  64.4.13.171    http1.msgr.hotmail.com
  ...
  64.4.13.190    http20.msgr.hotmail.com
  ...

Yahoo
  cs.yahoo.com  Default Port: 5050
  216.136.175.145
  216.136.224.213
  216.136.224.214
  216.136.225.11
  216.136.225.12
  216.136.225.35
  216.136.225.36
  216.136.225.83
  216.136.225.84
  216.136.226.117
  216.136.226.118
  216.136.131.93
  216.136.175.142
  216.136.175.143
  216.136.175.144
  216.136.233.128 (latest)

-----Original Message-----
From: David Banning [mailto:david@skytrackercanada.com]
Sent: November 7, 2004 7:15 PM
To: Ara; questions@freebsd.org
Subject: Re: ipfw allowing browser only

> Hello
> You only need tcp 80 on regular http and 443 for ssl, https
> I don't get what exactly are you trying to do? Are you publishing a web
> server to external clients behind a firewall? Any diagram text would be nice

This is simply to block all on the network from using any port except 80.
I want to block Messenger. If it starts running on port 80 then I am told
I can block it via squid/dansguardian.

Internet <> router server client winbox (192.168.1.6)

> Internet <> router (192.168.1.6) <> webserver(192.168.1.1)
> Is this right?

Yes.

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of David Banning
> Sent: November 7, 2004 1:57 PM
> To: questions@freebsd.org
> Subject: ipfw allowing browser only
>
> I am trying to filter out all traffic except browser traffic.
> So I tried
>
> 01000 allow tcp from any to 192.168.1.6 80
> 01100 allow udp from any to 192.168.1.6 80
> 01200 deny ip from any to 192.168.1.6
> 65535 allow ip from any to any
>
> But this does not allow browser traffic.
>
> I have my browser traffic redirected via ipnat - ipnat rules are:
>
> rdr dc0 127.0.0.1/0 port 80 -> 192.168.1.1 port 8180 tcp
>
> I don't know what comes first, the redirect or the firewall, so maybe
> I should be allowing traffic to 8180?
>
> My host is 192.168.1.1 and the win browser is at 192.168.1.6
>
> Any help here would be appreciated.
>
> --
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
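An added example, not code from the thread, showing why the posted ruleset stops browsing: a small Python model of ipfw's first-match evaluation, run over the rules David posted and over a constructed alternative that filters on the client's outbound destination port and admits only established replies. The sample packets, the alternative rules and the 10.0.0.x server addresses are assumptions; the ipnat rdr to port 8180 is not modelled.

```python
import re
from ipaddress import ip_address, ip_network

# Subset of ipfw syntax used in the thread: NUM action proto from SRC [PORT] to DST [PORT] [established]
RULE_RE = re.compile(
    r"^(\d+)\s+(allow|deny)\s+(tcp|udp|ip)\s+from\s+(\S+)(?:\s+(\d+))?"
    r"\s+to\s+(\S+)(?:\s+(\d+))?(?:\s+(established))?$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    num, action, proto, src, sport, dst, dport, est = m.groups()
    return {"num": int(num), "action": action, "proto": proto,
            "src": src, "sport": int(sport) if sport else None,
            "dst": dst, "dport": int(dport) if dport else None,
            "established": est is not None}

def addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["established"] and not pkt["ack"]:  # a bare SYN is not "established"
        return False
    return (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
            and rule["sport"] in (None, pkt["sport"]) and rule["dport"] in (None, pkt["dport"]))

def evaluate(rules, pkt):
    # First matching rule wins, in rule-number order, as ipfw does.
    for rule in sorted(rules, key=lambda r: r["num"]):
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("no rule matched; ipfw always ends with rule 65535")

# The ruleset posted in the thread: it filters on the *client's* port 80, which replies never use.
POSTED_RULES = [parse_rule(r) for r in (
    "01000 allow tcp from any to 192.168.1.6 80", "01100 allow udp from any to 192.168.1.6 80",
    "01200 deny ip from any to 192.168.1.6", "65535 allow ip from any to any")]
# Constructed alternative (assumption, not from the thread): outbound to port 80, established replies back.
FIXED_RULES = [parse_rule(r) for r in (
    "01000 allow tcp from 192.168.1.6 to any 80",
    "01100 allow tcp from any 80 to 192.168.1.6 established",
    "01200 deny ip from any to 192.168.1.6", "65535 allow ip from any to any")]
# Constructed sample packets: a browser request, its reply, and a reply from an IM server on 5190.
REQUEST = dict(proto="tcp", src="192.168.1.6", sport=1234, dst="10.0.0.1", dport=80, ack=False)
REPLY = dict(proto="tcp", src="10.0.0.1", sport=80, dst="192.168.1.6", dport=1234, ack=True)
IM_REPLY = dict(proto="tcp", src="10.0.0.2", sport=5190, dst="192.168.1.6", dport=5555, ack=True)
```

Under the posted rules the request leaves via 65535 but the web server's reply hits 01200 and is dropped; under the alternative the reply passes while the IM server's reply is still denied. Messenger tunnelled over port 80 passes either ruleset, which is the case the thread leaves to squid/dansguardian.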