Date:      Mon, 30 Aug 1999 10:50:03 -0400 (EDT)
From:      Will Andrews <andrews@TECHNOLOGIST.COM>
To:        Jonkers Marc <marc.jonkers@mansveld.nl>
Cc:        "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Firewall
Message-ID:  <XFMail.990830105003.andrews@TECHNOLOGIST.COM>
In-Reply-To: <3CD9FB4A04A9D111B2CF0060B0671925221FF6@MAN1>

On 30-Aug-99 Jonkers Marc wrote:
> 
> Is it possible to restrict a certain internal IP address (192.168.168.101)
> to a site on the web?
> IP number 192.168.168.101 may only surf on www.tu.nl and www.wolf.nl.
> 
> We have a FreeBSD firewall configured with IPFW in rc.firewall.
> What lines must we add?

Simple. Let's assume the following network configuration:

        192.168.168.101 -> FreeBSD server -> Net

Now, assume you have two network interfaces (i.e., NICs, or tun0, or ppp0). In
/etc/rc.firewall:

oif=tun0
iif=fxp0
fwcmd=/sbin/ipfw
# Resolve each name to a bare address. Raw nslookup output contains
# "Server:"/"Address:" lines and cannot be pasted into a rule, so keep
# only the A record (first one if the name has several).
wwwtunnl=`host -t A www.tu.nl | awk '/has address/ { print $NF }' | head -n 1`
wwwwolf=`host -t A www.wolf.nl | awk '/has address/ { print $NF }' | head -n 1`

# Replies from the two permitted servers may reach the restricted host.
$fwcmd add 100 allow tcp from ${wwwtunnl} 80 to 192.168.168.101 via ${iif}
$fwcmd add 200 allow tcp from ${wwwwolf} 80 to 192.168.168.101 via ${iif}
# Other internal hosts are not restricted.
$fwcmd add 300 allow tcp from any 80 to not 192.168.168.101 via ${iif}
# Replies from any other web server to the restricted host are dropped.
$fwcmd add 400 deny tcp from any 80 to 192.168.168.101 via ${iif}

You basically cut them off from ever contacting other servers to begin with. But
note a few assumptions here:

        1) That IP address for your local machine never changes.
        2) All webservers use port 80. (which they do not.)

You could cover more webservers by blocking off port 443 (https), port 8080
(popular substitute port), and maybe others?

It's not really possible to block off every site on earth (maybe through
browser configuration?), but you can block 99% of them.

--
Will Andrews <andrews@technologist.com>
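An added example, not part of the original thread: a small POSIX sh script for rc.firewall that generates ipfw rules for the setup described above, permitting one internal client to talk only to a fixed list of web-server addresses and covering both port 80 and port 443 as the reply suggests. It filters the client's outgoing requests (`in via` the internal interface) as well as the return traffic, rather than only the replies. The function names `resolve_a` and `build_rules`, the use of `host -t A` for name resolution, the default of `echo` for `fwcmd`, and the 203.0.113.x addresses are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: generate ipfw rules restricting one internal client to a
# list of allowed web-server addresses on ports 80 and 443.
# fwcmd defaults to "echo" so the rules can be previewed without root or ipfw;
# set fwcmd=/sbin/ipfw in rc.firewall to apply them.

client=192.168.168.101
iif=fxp0
fwcmd=${fwcmd:-echo}

# resolve_a NAME: print every A record for NAME, one address per line.
# 'host -t A' prints "name has address 1.2.3.4"; keep only the last field.
# (Raw nslookup output is chatty and must never be pasted into a rule.)
resolve_a() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# build_rules CLIENT IIF ADDR...: emit one rule per line, lowest number first.
# For each allowed address: permit the client's request and the server's reply.
# Finally deny any other web traffic from the client; other hosts are untouched.
build_rules() {
    c=$1
    i=$2
    shift 2
    n=100
    for addr in "$@"; do
        # Request from client to allowed server, entering on the internal NIC
        printf 'add %d allow tcp from %s to %s 80,443 in via %s\n' "$n" "$c" "$addr" "$i"
        n=$((n + 10))
        # Reply from allowed server to client, leaving on the internal NIC
        printf 'add %d allow tcp from %s 80,443 to %s out via %s\n' "$n" "$addr" "$c" "$i"
        n=$((n + 10))
    done
    # Everything else from the client to web ports is dropped
    printf 'add %d deny tcp from %s to any 80,443 in via %s\n' "$n" "$c" "$i"
}

# Live form would be:  addrs="$(resolve_a www.tu.nl; resolve_a www.wolf.nl)"
# Constructed addresses (documentation range, not the real records) so the
# script runs offline:
addrs="203.0.113.10 203.0.113.20"

# Word splitting of $rule is intentional: each word is an ipfw argument.
build_rules "$client" "$iif" $addrs | while read -r rule; do
    $fwcmd $rule
done
```

Because the addresses are resolved once when rc.firewall runs, a server whose DNS record changes will silently stop being reachable until the rules are regenerated; re-run the script (or schedule it) after such changes. Names with several A records get one pair of rules per address, which is why `resolve_a` prints all of them.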
