Date:      Wed, 24 Mar 2004 09:23:18 -0000
From:      "Henry Blackman" <h.blackman@chester.ac.uk>
To:        <freebsd-questions@freebsd.org>
Subject:   IPFW & NAT Help
Message-ID:  <002701c41181$a4bbf010$13c150c2@chester.ac.uk>

Hello Everyone.

I really need some help with my IPFW setup.  I'm using FreeBSD 4.9 and IPFW (not
2).  The background is I run a residential network for students on campus,
where the FreeBSD box sits between their LAN, and the rest of College (and
therefore the Internet).  We are having terrible trouble with file sharing
(amongst other things), so the decision has been made to block by default.

We have a complicated setup however: we authenticate users by the use of a
captive portal (with IPFW rules), once they are authenticated, a rule is
added to IPFW.  We NAT at the same time.  We also have a transparent Squid
proxy.  You can imagine my pain.

The public facing interface is em0 and private is em1

Here's the ruleset:

00050   0      0 divert 8668 ip from any to any via em0
00100   0      0 allow ip from any to any via lo0
00200   0      0 deny ip from any to 127.0.0.0/8
00300   0      0 deny ip from 127.0.0.0/8 to any
00301   0      0 deny tcp from any to any 25
00400   0      0 deny icmp from any to any

Then for every authorised student a line like this (there are a hundred or
so):

49389   0      0 skipto 64998 ip from 172.16.122.160 to any

Then these rules for captive portal:

64993   0      0 fwd 172.16.120.1,8080 tcp from 172.16.120.0/22 to any 80,8080
64994   0      0 fwd 172.16.120.1,443 tcp from 172.16.120.0/22 to any 443
64995   0      0 allow tcp from 172.16.120.0/22 to 172.16.120.0/22 8080
64996   0      0 allow udp from 172.16.120.0/22 to any 53
64997   0      0 deny ip from 172.16.120.0/22 to any

Then these for transparent proxy and everything else:

64998   0      0 allow tcp from 195.195.128.195 to any
64999   0      0 fwd 127.0.0.1,8082 log logamount 100 tcp from any to any 80
65000   0      0 allow ip from any to any
65535   0      0 deny ip from any to any


The question is, how do I add a bunch of rules to allow only web and POP
mail traffic?  So I want the students to do web and POP mail only...
obviously I'll add more, but these two rules will get me started.

TIA,
Henry
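One way to replace the catch-all rule 65000 with web-and-POP-only rules, as an added example that is not part of the post or its ruleset. It assumes the layout described above (students on 172.16.120.0/22 behind em1, natd diverted at rule 50 on em0, Squid taking port 80 via the fwd at 64999) and that rule numbers 65000-65010 are free; the script only prints the ipfw commands so they can be reviewed before being piped into sh on the firewall.

```sh
#!/bin/sh
# Added example for the ruleset in the post; not the poster's configuration.
# Because NAT is a divert at rule 50 on em0, a student's packet is checked
# twice: once arriving on em1 with its LAN source address, and once leaving
# on em0 with the NAT'd source address. Both passes must find an allow rule.

LAN=172.16.120.0/22
WEB_PORTS=80,443      # 80 is normally grabbed by the Squid fwd at 64999 first
POP_PORTS=110         # POP3; add 995 here if clients use POP3 over TLS

# Print the rules that replace "65000 allow ip from any to any".
student_rules() {
    echo "ipfw -q delete 65000"
    # Replies to connections the students opened. Inbound packets have already
    # been un-NAT'd by rule 50, so the LAN address is the destination.
    echo "ipfw -q add 65000 allow tcp from any to $LAN established"
    echo "ipfw -q add 65001 allow udp from any 53 to $LAN"
    # New and ongoing connections on the em1 pass (source is still a LAN address).
    echo "ipfw -q add 65002 allow tcp from $LAN to any $WEB_PORTS,$POP_PORTS"
    echo "ipfw -q add 65003 allow udp from $LAN to any 53"
    # The same packets on the em0 pass, after natd has rewritten the source.
    echo "ipfw -q add 65004 allow tcp from any to any $WEB_PORTS,$POP_PORTS out via em0"
    echo "ipfw -q add 65005 allow udp from any to any 53 out via em0"
    # Everything else the LAN tries is logged and dropped (logamount caps the
    # log volume, as in rule 64999); whatever remains hits the 65535 deny.
    echo "ipfw -q add 65010 deny log logamount 100 ip from $LAN to any"
}

# Number of "add" commands generated; a quick sanity check before loading.
rule_count() {
    student_rules | grep -c '^ipfw -q add '
}

student_rules
```

Run it once without piping to check the output, then `sh script.sh | sh` on the firewall; blocked attempts then appear in the ipfw log, which is the quickest way to see which further ports the students actually need.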


