Date:      Tue, 9 Mar 2004 10:18:32 -0000
From:      "Henry Blackman" <>
To:        <>
Subject:   Captive Portal Help
Message-ID:  <009e01c405bf$e04e5960$>

I run a residential network at Chester College for students who live on
campus.  We use FreeBSD 4.9 to do NAT to manage the network and the
authentication with captive portal type technologies.

My problem is that currently the "firewall" is open, by default, so
we're getting lots of MPAA notices because our students are sharing with
Kazaa(!).  What I want to do is close it to allow only web, MSN, AIM, RTSP
and a few other things so we can really clamp down on their activities.

The problem, however, is that I have rules that work for our captive
portal, but I'm clueless at how to get them to disallow all other traffic.
I've included them here, but does anyone have any idea how to change them to
disallow everything other than known ports?

00050  divert 8668 ip from any to any via em0
00100  allow ip from any to any via lo0
00200  deny ip from any to
00300  deny ip from to any
00398  allow icmp from any to
00399  allow icmp from to any
00400  deny icmp from any to any

Every student (that is authorised) has an entry like this:
49998  skipto 64998 ip from to any

Then these lines to deal with forcing webtraffic through dansguardian (and
64993  fwd,8080 tcp from to any 80,8080
64994  fwd,443 tcp from to any 443
64995  allow tcp from to 8080
64996  allow udp from to any 53
64997  deny ip from to any
64998  allow tcp from to any
64999  fwd,8082 log logamount 100 tcp from any to any 80
65000  allow ip from any to any
65535  deny ip from any to any

Does anyone know how I might change the rules to, instead of allowing IP
from any to any, deny IP from any to any, excepting the rules I put in
for ports for the above services?  I've tried deleting 65000 and adding
specific rules with appropriate ports, but then nothing works.