From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 9 02:18:28 2004
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B75B116A4CE; Tue, 9 Mar 2004 02:18:28 -0800 (PST)
Received: from enterprise.chester.ac.uk (enterprise.chester.ac.uk [194.80.193.191]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0045543D2D; Tue, 9 Mar 2004 02:18:28 -0800 (PST) (envelope-from h.blackman@chester.ac.uk)
Received: from web (opaccL19.chester.ac.uk [194.80.193.19]) by enterprise.chester.ac.uk (8.10.1/8.10.1) with SMTP id i29AIQI97827; Tue, 9 Mar 2004 10:18:27 GMT
Message-ID: <009e01c405bf$e04e5960$13c150c2@chester.ac.uk>
From: "Henry Blackman"
To: freebsd-ipfw@freebsd.org
Date: Tue, 9 Mar 2004 10:18:32 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Subject: Captive Portal Help
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 09 Mar 2004 10:18:28 -0000

Hello.

I run a residential network at Chester College for students who live on campus. We use FreeBSD 4.9 to do NAT to manage the network and the authentication with captive portal type technologies. My problem is that currently the "firewall" is open by default, so we're getting lots of MPAA notices because our students are sharing with Kazaa(!). What I want to do is close it to allow only web, MSN, AIM, RTSP and a few other things so we can really clamp down on their activities. The problem, however, is that I have rules that work for our captive portal, but I'm clueless as to how to get them to disallow all other traffic.

I've included them here, but does anyone have any idea how to change them to disallow everything other than known ports?

    00050 divert 8668 ip from any to any via em0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00398 allow icmp from any to 194.80.193.232
    00399 allow icmp from 194.80.193.232 to any
    00400 deny icmp from any to any

Every student (that is authorised) has an entry like this:

    49998 skipto 64998 ip from 172.16.122.187 to any

Then these lines to deal with forcing web traffic through dansguardian (and squid):

    64993 fwd 172.16.120.1,8080 tcp from 172.16.120.0/22 to any 80,8080
    64994 fwd 172.16.120.1,443 tcp from 172.16.120.0/22 to any 443
    64995 allow tcp from 172.16.120.0/22 to 172.16.120.0/22 8080
    64996 allow udp from 172.16.120.0/22 to any 53
    64997 deny ip from 172.16.120.0/22 to any
    64998 allow tcp from 195.195.128.195 to any
    64999 fwd 127.0.0.1,8082 log logamount 100 tcp from any to any 80
    65000 allow ip from any to any
    65535 deny ip from any to any

Does anyone know how I might change the rules to, instead of allowing IP from any to any, deny ip from any to any, excepting the rules I put in for ports for the above services? I've tried deleting 65000 and adding specific rules with appropriate ports, but then nothing works.

TIA,
Henry
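Editorial note and added example, not part of the original post. Two properties of ipfw(8) account for "nothing works" once rule 65000 is gone. First, rules are evaluated in ascending order and the first matching terminating rule decides the packet, so with the catch-all allow removed everything not explicitly allowed falls through to 65535 deny. Second, every forwarded packet is evaluated more than once: on the inside interface and again on em0, where the divert at rule 50 hands it to natd before the remaining rules run. A reply coming back from the Internet therefore reaches the later rules with an external source address and the student's private address as destination. Neither the per-student skipto (from 172.16.122.187 to any) nor the unauthenticated block (from 172.16.120.0/22 to any) can match such a reply, so in the posted ruleset every reply was being accepted by 65000 alone; deleting it blocks the return half of every connection. The script below is the editor's own default-deny version of the ruleset. It keeps the posted numbering for the portal block and assumes, because the post does not say so, that 195.195.128.195 is the gateway's public (post-natd) address, that 172.16.120.1 is the dansguardian/squid proxy, and that the services meant are HTTPS 443, MSN Messenger 1863/tcp, AIM 5190/tcp and RTSP 554/tcp (the UDP media ports an RTSP session negotiates are not covered and would need separate handling). The "established" matches are stateless, so they are a coarse filter for return traffic, but they never admit a new connection.

```shell
#!/bin/sh
# Added example (not from the original post): generate a default-deny ipfw(8)
# ruleset for the captive-portal gateway described in the thread. Run with no
# arguments to print the rules; "apply" flushes the firewall and loads them.
#
# Assumptions, none of which the post states outright:
#   - 195.195.128.195 is the gateway's public (post-natd) address
#   - 172.16.120.1 is the transparent proxy (dansguardian/squid)
#   - service ports: HTTPS 443, MSN 1863/tcp, AIM 5190/tcp, RTSP 554/tcp
#   - authenticated students are listed in AUTH_STUDENTS (space separated)

STUDENT_NET=172.16.120.0/22
PROXY=172.16.120.1
PUBLIC=195.195.128.195
PORTAL_ICMP_HOST=194.80.193.232
SVC_BLOCK=64998                          # skipto target for authenticated hosts
TCP_PORTS="443,1863,5190,554"            # assumed direct-access services
AUTH_STUDENTS="${AUTH_STUDENTS:-172.16.122.187}"   # constructed sample entry

rule() { printf 'add %s\n' "$*"; }

gen_base() {
  rule 00050 divert 8668 ip from any to any via em0
  rule 00100 allow ip from any to any via lo0
  rule 00200 deny ip from any to 127.0.0.0/8
  rule 00300 deny ip from 127.0.0.0/8 to any
  rule 00398 allow icmp from any to $PORTAL_ICMP_HOST
  rule 00399 allow icmp from $PORTAL_ICMP_HOST to any
  rule 00400 deny icmp from any to any
  # Return traffic. A reply has an external source, so none of the
  # "from student" rules below can match it; with no catch-all allow it
  # needs rules of its own. "established" is stateless (ACK or RST set),
  # so it is a coarse check, but it never opens a port for a new connection.
  rule 00500 allow tcp from any to $STUDENT_NET established
  rule 00501 allow tcp from any to $PUBLIC established   # gateway's own connections
  rule 00502 allow udp from any 53 to $STUDENT_NET
  rule 00503 allow udp from any 53 to $PUBLIC
  # Anything the gateway itself must accept (ssh, for instance) needs an
  # explicit rule here, e.g.: rule 00600 allow tcp from any to $PUBLIC 22 setup
}

# One skipto per authenticated student, as the portal already does.
gen_student() {                          # $1 = rule number, $2 = student IP
  rule "$1" skipto $SVC_BLOCK ip from "$2" to any
}

# Unauthenticated hosts: only the portal redirect and DNS, then deny.
gen_unauth() {
  rule 64993 fwd $PROXY,8080 tcp from $STUDENT_NET to any 80,8080
  rule 64994 fwd $PROXY,443 tcp from $STUDENT_NET to any 443
  rule 64995 allow tcp from $STUDENT_NET to $STUDENT_NET 8080
  rule 64996 allow udp from $STUDENT_NET to any 53
  rule 64997 deny ip from $STUDENT_NET to any
}

# Authenticated hosts land here. Each outbound packet is seen twice: on the
# inside interface with the private source, and again on em0 after natd has
# rewritten the source to $PUBLIC, so both forms need an allow.
gen_auth() {
  rule 64998 fwd 127.0.0.1,8082 tcp from $STUDENT_NET to any 80   # web via the filter
  rule 64999 allow tcp from $STUDENT_NET to any $TCP_PORTS
  rule 65000 allow udp from $STUDENT_NET to any 53
  rule 65001 allow tcp from $PUBLIC to any 80,$TCP_PORTS
  rule 65002 allow udp from $PUBLIC to any 53
  # Explicit, logged default deny (65535 would deny silently).
  rule 65003 deny log logamount 100 ip from any to any
}

gen_rules() {
  gen_base
  n=1000                                 # assumed numbering for portal entries
  for ip in $AUTH_STUDENTS; do
    gen_student "$n" "$ip"
    n=$((n + 1))
  done
  gen_unauth
  gen_auth
}

case "${1:-print}" in
  apply)
    tmp=$(mktemp) || exit 1
    gen_rules > "$tmp" && ipfw -q -f flush && ipfw -q "$tmp"
    rm -f "$tmp"
    ;;
  *) gen_rules ;;
esac
```

Run it without arguments first and read the output: every allow names a service port and a direction, and the only rule matching "ip from any to any" is the final logged deny. Adding a service later means one rule in gen_auth for the private source and one for the post-natd source, plus a reply rule in gen_base if the protocol is not TCP.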