From: "Brian" <bbayorgeon@charter.net>
To: freebsd-ipfw@freebsd.org
Date: Mon, 16 Nov 2009 22:51:44 -0600
Subject: Dansguardian, nat, & ipfw
Message-ID: <000001ca6741$b1316520$13942f60$@net>
List-Id: IPFW Technical Discussions

Hello all,

Trying to configure my gateway box running FBSD 7.2 to provide content filtering services for some or all clients on my network. The box is configured with natd and running IPFW. I like this combination and have been using it successfully for years. Not really interested in changing to squid or pf or whatever else may be known (or better documented) to work with dansguardian.

Dansguardian seems to be the preferred option for content filtering as near as I can tell. There is lots of documentation out there for configuring dans with squid. I can't find much of anything for IPFW / NAT.

So, the question is, can this be done? I've seen one or two suggestions out there giving a brief description of how to use the fwd command to send packets to dans but unfortunately I am not smart enough to implement that here.

Any help, thoughts, or references would be appreciated.

thanks
Brian

Here is a boiled down set of rules that I use:

#!/bin/sh
cmd="ipfw add"
skip="skipto 700"
oif=dc0
iif=re0
log="log logamount 1000"
ks="keep-state"

ipfw -f flush

$cmd 098 allow all from any to any via $iif            # Allow LAN traffic
$cmd 099 allow all from any to any via lo0             # Allow loopback traffic
$cmd 105 divert natd all from any to any in via $oif   # check if packet is inbound and nat address if it is
$cmd 110 check-state                                   # Allow packet if it has previously been added to the "dynamic" rules table

### Authorized icmp / udp outbound packets
$cmd 200 $skip icmp from any to any out via $oif $ks                  # ping
$cmd 201 $skip udp from any to any 123 out via $oif $ks               # time
$cmd 203 $skip $log udp from any to xx.xxx.xx.1 67 out via $oif $ks   # DHCP
$cmd 205 $skip udp from any to any 53 out via $oif $ks                # DNS

### Authorized tcp outbound packets
$cmd 301 $skip tcp from any to any 25 out via $oif setup $ks          # mail
$cmd 303 $skip $log tcp from any to any 43 out via $oif setup $ks     # whois
$cmd 305 $skip tcp from any to any 80 out via $oif setup $ks          # http
$cmd 306 $skip tcp from any to any 110 out via $oif setup $ks         # mail
$cmd 307 $skip tcp from any to any 119 out via $oif setup $ks         # USENET
$cmd 308 $skip tcp from any to any 443 out via $oif setup $ks         # Secure http
$cmd 310 $skip $log tcp from any to any 23 out via $oif setup $ks     # telnet

### Everything else outbound is dropped and logged
$cmd 351 deny log logamount 10000 all from any to any out via $oif    # everything else

### Allow these incoming connections
$cmd 360 allow $log udp from xx.xxx.xxx.x to any 68 in via $oif $ks   # DHCP
$cmd 363 allow tcp from any to me 80 in via $oif setup $ks            # Incoming http connections

### May Consider Allowing these incoming connections
$cmd 396 allow $log tcp from any to any 113 in via $oif limit src-addr 4               # Ident packets.
$cmd 398 allow $log icmp from any to any icmptype 3,11 in via $oif limit src-addr 2    # Allow out & in console traceroute command

### deny various incoming packets
$cmd 401 deny $log all from 192.168.0.0/16 to any in via $oif     # RFC 1918 private IP
$cmd 402 deny $log all from 172.16.0.0/12 to any in via $oif      # RFC 1918 private IP
$cmd 403 deny $log all from 10.0.0.0/8 to any in via $oif         # RFC 1918 private IP
$cmd 404 deny $log all from 127.0.0.0/8 to any in via $oif        # loopback
$cmd 405 deny $log all from 0.0.0.0/8 to any in via $oif          # loopback
$cmd 406 deny $log all from 169.254.0.0/16 to any in via $oif     # DHCP auto-config
$cmd 407 deny $log all from 192.0.2.0/24 to any in via $oif       # reserved for docs
$cmd 408 deny $log all from 204.152.64.0/23 to any in via $oif    # Sun cluster
$cmd 409 deny $log all from 224.0.0.0/3 to any in via $oif        # Class D & E multicast

### deny various incoming packets
$cmd 448 reset $log tcp from any to me 113 in via $oif limit src-addr 4   # This sends a RESET to all ident packets.
$cmd 449 deny $log tcp from any to any 113 in via $oif                    # Deny ident
$cmd 450 deny $log icmp from any to any icmptype 5 in via $oif            # Stop & log external redirect requests.
$cmd 451 deny $log icmp from any to any in via $oif                       # Deny pings from the world
$cmd 452 deny $log all from any to any in frag                            # Fragmented Packets
$cmd 453 deny $log all from any to any 137,138,139,81 in via $oif         # Deny all Netbios service & MS/Windows hosts2 name server
$cmd 454 deny $log all from any to any frag in via $oif                   # Deny any late arriving packets
$cmd 455 deny $log tcp from any to any established in via $oif            # Deny ACK packets that did not match the dynamic rule table
$cmd 456 deny $log all from me to me in via $oif                          # Stop & log spoofing attack attempts.
$cmd 457 deny all from any to any 1024-1030 in via $oif                   # MS Messenger spam

### Reject & Log all the rest of the incoming connections
$cmd 600 deny log logamount 10000 all from any to any in via $oif

### deny and log all packets that fell through to see what they are
### Nothing should ever get to this rule!!!
$cmd 601 deny log logamount 10000 all from any to any

### This is skipto location for outbound stateful rules
$cmd 700 divert natd all from any to any out via $oif
$cmd 800 allow all from any to any
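The fwd-based redirect that the question asks about, as an added example that is not part of Brian's post and not something the list answered here. It assumes DansGuardian is left at its default listener of 127.0.0.1:8080, that the LAN behind re0 is 192.168.1.0/24, that an exempt admin host 192.168.1.10 exists (all constructed values), and that the 7.x kernel was built with options IPFIREWALL_FORWARD, which fwd needs on that release. Two caveats the ruleset above does not make obvious: ipfw stops at the first matching rule, so the fwd rule has to be numbered below rule 098 (the blanket "allow ... via $iif"), otherwise the LAN packet is accepted before it is ever redirected; and DansGuardian itself does not fetch pages, it only filters, so it still needs some upstream HTTP proxy configured as its parent (any small proxy will do; squid is the documented one but not the only one). The script prints the rules by default (dry run); run it as root with IPFW=/sbin/ipfw to actually load them in front of the existing set.

```shell
#!/bin/sh
# Added example: transparent redirect of LAN HTTP into DansGuardian via
# ipfw fwd. Not from the original post. All addresses, interface names
# and rule numbers below are assumptions chosen to fit Brian's ruleset.
#
# IPFW defaults to "echo" so the script is a dry run that only prints the
# rules; set IPFW=/sbin/ipfw (as root) to load them for real.
IPFW=${IPFW:-echo}

iif=re0                 # LAN-facing interface, as in the ruleset above
lan=192.168.1.0/24      # assumed LAN prefix (constructed)
dg_addr=127.0.0.1       # DansGuardian listens locally on the gateway
dg_port=8080            # DansGuardian default filterport (assumed unchanged)
exempt=192.168.1.10     # constructed example of a host left unfiltered

# Run (or print) one "ipfw add" command.
fw_add() {
    "$IPFW" add "$@"
}

# Hosts exempt from filtering get a plain allow, placed ahead of the fwd
# rule so they never reach it.
exempt_rule() {
    echo "allow tcp from $1 to any 80 in via $iif"
}

# The redirect: only packets arriving on the LAN interface from the LAN
# prefix to TCP/80 are sent to the local DansGuardian socket. Traffic the
# gateway originates itself (DansGuardian -> parent proxy -> the web) goes
# out via dc0 and is untouched, so it still hits rule 305 in the main set.
fwd_rule() {
    echo "fwd $dg_addr,$dg_port tcp from $lan to any 80 in via $iif"
}

# Both rules must be numbered below 098, the first rule of the original
# ruleset, because ipfw accepts the packet at the first match.
install_redirect() {
    fw_add 090 $(exempt_rule "$exempt")
    fw_add 095 $(fwd_rule)
}

install_redirect
```

Ordering is the part that usually bites: if the fwd rule is appended at the end (or anywhere above 098) it is dead code, and `ipfw show` will confirm that its counters never move. Checking that the rule's packet counter increments while a LAN client browses is the quickest way to verify the redirect is in the path before debugging DansGuardian itself.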