Date: Wed, 07 Jan 2004 20:48:24 +0000
From: Ben Quick <general@benquick.f9.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: IPFW confusion
Message-ID: <3FFC7098.9090704@benquick.f9.co.uk>
In-Reply-To: <200401072031.CAA23216@manage.24online>
References: <200401072031.CAA23216@manage.24online>
Hi Subhro,

Thanks for your reply.

The reason I want the server to route between the internal network and
the router is because I only want to allow specific clients out onto the
internet, and I can't see how to do this with the router I've got. Plus,
it's a good excuse to try to learn something new :-)

You say it's expected that I can't ping. It's things like this that
confuse me, due to lack of understanding on my part. I've allowed all
traffic through. Or so I thought...

I've had a quick skim of the HOWTO, and it seems informative. But it's
still the IPFW rules that get me all confused.

Ben

Subhro wrote:
> Hi Ben,
>
> First of all I must say you explained your requirements very well. Not many
> people can precisely say what they need. Bravo!
>
> Let's get to the point now. First of all I don't find a good reason why
> you would like to introduce your system (192.168.0.10) (let's call it server)
> to work as a router although you have a dedicated router. You can be well
> off adding routes in the D-Link and be off with it. If you really want to
> live with your current setup, then you must decide whether you want to go
> with NAT or with transparent proxy. With your current setup, it is perfectly
> all right that you can't ping any external hosts. I would recommend that you
> go with NAT guarded by ipfw at the server. But you may also go with
> transparent proxy as it has its own advantages.
> Refer to the following page:
>
> http://www.erudition.net/freebsd/NAT-HOWTO
>
> This has a really good tutorial on setting up NAT.
>
> Regards
> Subhro
>
> Subhro Sankha Kar
> Indian Institute of Information Technology
> Block AQ-13/1, Sector V
> Salt Lake City
> PIN 700091
> India
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Ben Quick
> Sent: Wednesday, January 07, 2004 11:05 PM
> To: freebsd-questions@freebsd.org
> Subject: IPFW confusion
>
> Hello all,
>
> I've been hunting around for information on IPFW, and how to set up the
> rules I require. I found a tutorial that seemed to fit my needs:
> http://www.mostgraveconcern.com/freebsd/ipfw.html
>
> However, I can't get the config to work. I've commented out all the deny
> rules. In this instance, I can browse the web via SQUID that's installed
> on the IPFW box. I can't browse the web directly, though. That is the
> only external access I get. I can't ping any sites, DNS lookups fail
> (I've set the DNS servers on the client workstation to be those of my ISP.
> I also tried setting it to look at the IPFW box first, with no luck.)
>
> Can anyone offer help on this one? I'm getting stuck in a muddle of
> misunderstanding.
>
> My setup is as follows:
>
> Internal LAN is 192.168.0.x
> IPFW machine has 2 NICs:
> rl0: 192.168.0.10
> rl1: 172.16.200.10
> rl1 connects directly to my DSL router (D-Link 504) which has an
> internal IP of 172.16.200.1 along with its public IP on the DSL port.
>
> The ruleset I'd like is as follows:
>
> For client IPs of 192.168.0.1 - 192.168.0.20 allow the following:
> HTTP / HTTPS - But not directly; force them to use SQUID (listening on
> port 8080, and using squidGuard for content filtering)
> POP3 - But only so far as pop.myisp.com
> IMAP - But only so far as imap.myisp.com
> SMTP - But only so far as smtp.myisp.com
> DNS lookups - But only with ns1.myisp.com and ns2.myisp.com
> NNTP - But only so far as news.myisp.com
> FTP - To anywhere
>
> For client IPs of 192.168.0.21 - 192.168.0.254 no access to anything
> external to the 192.168.0.x network should be granted.
>
> I'd like the IPFW box and 192.168.0.1 to be able to SSH out to anywhere.
>
> I'd like to allow SSH inbound from a specific IP to be directed at the
> IPFW box (the port forwarding can be done with the DSL router). SSH
> isn't currently listening on that interface; I'll get to that later :)
>
> Does this sound like a reasonable ruleset? Is anyone willing to help me
> generate it?
>
> Thanks
> Ben
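An ipfw ruleset that implements the policy Ben lists above, taking Subhro's advice of NAT (natd) guarded by ipfw on the server. This is an added example written for this page, not code from the thread or from any HOWTO it links; it follows the stateful `skipto`-to-NAT layout the FreeBSD Handbook uses, so that replies are matched by `check-state` after natd has restored the LAN address. Interface names, addresses and the Squid port come from Ben's post; the `*.myisp.com` hostnames are the placeholders he used; `ADMIN_IP` (the one address allowed to SSH in), the `{1-20}` ipfw2 address-set syntax, and the `FWCMD` dry-run knob are my assumptions. Since every `*.myisp.com` name is resolved when the rule is added, name resolution on the server must already work when this script loads.

```shell
#!/bin/sh
# Added example: ipfw2 + natd ruleset for the setup described in the thread.
# Interfaces/addresses are from Ben's post; *.myisp.com are his placeholders;
# ADMIN_IP is a hypothetical placeholder (TEST-NET-3) for the admin's address.
#
# Usage:  sh ipfw.rules load              (as root, on the FreeBSD box)
#         FWCMD=echo sh ipfw.rules load   (dry run: print the rules instead)

FWCMD="${FWCMD:-/sbin/ipfw -q}"

INSIDE_IF=rl0
OUTSIDE_IF=rl1
LAN=192.168.0.0/24
ALLOWED="192.168.0.0/24{1-20}"        # ipfw2 address set: hosts .1 to .20 only
ADMIN_IP="${ADMIN_IP:-203.0.113.7}"   # placeholder; set to the real address
NS="ns1.myisp.com,ns2.myisp.com"      # resolved by ipfw when the rule is added
SQUID_PORT=8080

load_rules() {
    fw="$FWCMD"
    $fw -f flush

    # Loopback sanity rules.
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 deny ip from any to 127.0.0.0/8
    $fw add 120 deny ip from 127.0.0.0/8 to any

    # LAN side: only .1-.20 may talk to Squid; anything else between the LAN
    # and the server itself is allowed. Internet policy is enforced on the
    # outside interface below, where the source address is still untranslated.
    $fw add 200 allow tcp from $ALLOWED to me $SQUID_PORT in via $INSIDE_IF
    $fw add 210 deny log tcp from $LAN to me $SQUID_PORT in via $INSIDE_IF
    $fw add 220 allow ip from any to any via $INSIDE_IF

    # Inbound on the outside interface: un-NAT first, then match replies to
    # connections we opened (the dynamic rule holds the LAN address, which is
    # what the packet carries again after natd).
    $fw add 300 divert natd ip from any to any in via $OUTSIDE_IF
    $fw add 310 check-state

    # Outbound policy. Each permitted flow jumps to the NAT rule at 500.
    # Web: only the server (Squid) may fetch; LAN clients never directly.
    $fw add 400 skipto 500 tcp from me to any 80,443 out via $OUTSIDE_IF setup keep-state
    $fw add 405 deny log tcp from $LAN to any 80,443 out via $OUTSIDE_IF
    # DNS: the server's resolver (Squid needs it) and the allowed clients.
    $fw add 410 skipto 500 udp from me to $NS 53 out via $OUTSIDE_IF keep-state
    $fw add 411 skipto 500 udp from $ALLOWED to $NS 53 out via $OUTSIDE_IF keep-state
    $fw add 412 skipto 500 tcp from $ALLOWED to $NS 53 out via $OUTSIDE_IF setup keep-state
    # Mail and news, each only to the ISP host named for it.
    $fw add 420 skipto 500 tcp from $ALLOWED to pop.myisp.com 110 out via $OUTSIDE_IF setup keep-state
    $fw add 421 skipto 500 tcp from $ALLOWED to imap.myisp.com 143 out via $OUTSIDE_IF setup keep-state
    $fw add 422 skipto 500 tcp from $ALLOWED to smtp.myisp.com 25 out via $OUTSIDE_IF setup keep-state
    $fw add 423 skipto 500 tcp from $ALLOWED to news.myisp.com 119 out via $OUTSIDE_IF setup keep-state
    # FTP control channel to anywhere. Passive-mode data channels go to a
    # server-chosen high port and are NOT covered here; natd -punch_fw or an
    # FTP proxy on the server is the usual answer.
    $fw add 430 skipto 500 tcp from $ALLOWED to any 21 out via $OUTSIDE_IF setup keep-state
    # SSH out from the server and from 192.168.0.1 to anywhere.
    $fw add 440 skipto 500 tcp from me to any 22 out via $OUTSIDE_IF setup keep-state
    $fw add 441 skipto 500 tcp from 192.168.0.1 to any 22 out via $OUTSIDE_IF setup keep-state
    # SSH in, only from the admin's address (port-forwarded by the D-Link).
    $fw add 450 allow tcp from $ADMIN_IP to me 22 in via $OUTSIDE_IF setup keep-state

    # Everything else crossing the outside interface is dropped; this is what
    # keeps 192.168.0.21-.254 off the Internet. "log" needs
    # net.inet.ip.fw.verbose=1 to actually write anything.
    $fw add 499 deny log ip from any to any via $OUTSIDE_IF

    # NAT for the permitted outbound traffic, then let it go.
    $fw add 500 divert natd ip from any to any out via $OUTSIDE_IF
    $fw add 510 allow ip from any to any
}

# Number of rules a dry run produces; a quick self-check before loading.
rule_count() {
    ( FWCMD=echo; load_rules ) | grep -c '^add '
}

if [ "${1:-}" = load ]; then
    load_rules
fi
```

For this to do anything the box must forward packets and run natd on rl1, which on FreeBSD means `gateway_enable="YES"`, `firewall_enable="YES"`, `firewall_script="/path/to/ipfw.rules"`, `natd_enable="YES"` and `natd_interface="rl1"` in rc.conf. Run it once with `FWCMD=echo` first and read the rules as they will be added; the order is the whole point of the layout, so a rule placed after 499 is never reached.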