Date:      Tue, 4 Oct 2005 15:04:03 -0500
From:      Hugo Osorio <osorio.hugo@gmail.com>
To:        ipfw@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   Re: mime contents thru ipfw
Message-ID:  <680ac8470510041304o20e8627ap@mail.gmail.com>
In-Reply-To: <680ac847050926064125be4e0@mail.gmail.com>
References:  <680ac84705082407576dd2f6b4@mail.gmail.com> <20050825084039.GH659@obiwan.tataz.chchile.org> <680ac84705082507486347b67@mail.gmail.com> <680ac847050922171856ed2904@mail.gmail.com> <43334E81.9080707@mac.com> <680ac84705092309007d69b088@mail.gmail.com> <43342E8E.6060004@mac.com> <680ac847050926064125be4e0@mail.gmail.com>

I have written

ipfw add pass tcp from 172.24.33.0/24 to myproxy 80

instead of

ipfw add pass tcp from 172.24.33.0/24 to myproxy 80 keep-state

and it has worked... That was the solution I was looking for months ago.

:((





2005/9/26, Hugo Osorio <osorio.hugo@gmail.com>:
>
> I have seen that "open rule" is insecure, and I wouldn't like to use it...
> I want to continue trying to find the closed port, with this policy... There
> must be something somewhere... so... I will continue bothering. Sorry, I am a
> beginner. Here are some conversations in the past that weren't submitted to
> the group.
> ------------------
> A proxy is a cache server. If you don't need it, don't use it. If you want to
> use a proxy for caching web traffic and force this traffic through the proxy,
> you can do that with the fwd option in ipfw.
> Example:
> ipfw fwd $ip_proxy,$port_proxy tcp from not me to any 80 in via
> $private_interface
>
> This does not affect in any way the functionality of mail applications (which
> work, in the case of POP3, with ports 25 and 110 respectively).
> If you access mail via web, this works well with the proxy.
> If you still have problems, I'm sure it is because of the configuration of the
> proxy (I think you use squid). In this case you need some options to permit
> the "connect" method. I don't remember now exactly how it looks.
> ----------------------
> I have done this at the command line:
>
> ipfw add fwd 172.25.1.5,80 tcp from not me to any 80 in via vr0
> 04200 fwd 172.25.1.5,80 tcp from not me to any 80 in recv vr0
>
> also
>
> ipfw add fwd 172.2X.X.X,80 tcp from 17X.XX.XX.0/24 to any 80 in via vr0
>
> nothing happens... I do see traffic, but very little.
>
> Should this refresh it? I mean, is this rule active immediately? Because
> I can not do attachments yet... not even showing my message list in Yahoo
> (http://e1.f405.mail.yahoo.com/ym/ShowFolder?YY=29820&box=Inbox&YN=1).
>
> The proxy is Microsoft Proxy Server 2.0.
>
> I have unset the firewall, and I have plugged the router directly into the
> switch, and all is fine, so I am almost sure the hassle is in the fw.
>
> thx
> ---------------------------------------------
> I have two proxies available, and in the machine where I have the fw there
> are routes created for routing to one proxy or the other... 172.25.x.x or
> 172.24.x.x.
>
> With the .24.x.x proxy I don't have any hassle,
> but I do with the .25.x.x.
>
> >You have to redirect the whole HTTP traffic to the proxy, or nothing.
> >You can't decide on layer 7 content.
>
> What do you recommend me to do first?
> ----------------------------------------------
>
>
> 2005/9/23, Chuck Swiger <cswiger@mac.com>:
> >
> > Hugo Osorio wrote:
> > > thanks,
> > >
> > > our (172.24.33.0) LAN goes to internet through two proxies; the new
> > > proxy, which is the one I am trying to set up, is in another network.
> > > We have set routes to that LAN (172.25.1.0).
> >
> > OK.
> >
> > > -is it inappropriate to put these addresses here? I hope not :s
> >
> > No. I was confused by the "<http://172.24.33.0>" strings, which someone
> > said may be something to do with gmail.com.
> >
> > > in order to be protected, we have set a firewall in this way:
> > >
> > > LAN (172.24.33.0) --> SWITCH --> fw --> Router (172.25.19.X) --> proxy (172.25.1.5)
> >
> > OK. You should start by testing access through the proxy server when logged
> > onto your firewall box. If that doesn't work, debug your router or your
> > network routes.
> >
> > > I have the other conf (using another proxy, another network) without the
> > > string 'http://' and it works, and transfers everything.
> > > And besides, using the new proxy, without the 'http://' string, it shows
> > > bytes activity in 'ipfw show', I mean I can enter sites.
> > >
> > > For using "open firewall ruleset" do you have any basic document?
> > >
> > > Another hint or help will be appreciated, thank you.
> >
> > Look at /etc/rc.firewall and the "open" ruleset there.
> >
> > See:
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
> >
> > ...which is available translated to other languages, also.
> >
> > --
> > -Chuck
> >
> >
>
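Editor's added example (not code from the thread or from any of its participants): a complete default-deny ipfw ruleset for the topology discussed above, LAN --> fw --> router --> proxy, combining the fwd redirection suggested earlier in the thread with the stateful check-state/keep-state pattern, and adding the return-path rule that a fwd rule needs. Assumptions not stated in the thread: the LAN interface is vr0, the outside interface is rl0, the proxy is 172.25.1.5:80, mail and DNS go direct, and the kernel is built with options IPFIREWALL_FORWARD (required for fwd on FreeBSD of that era). The script prints the rules by default; pass /sbin/ipfw as its first argument to load them.

```shell
#!/bin/sh
# Added example, not code from the thread: a small default-deny ipfw ruleset
# for the topology discussed above (LAN --> fw --> router --> proxy).
# Assumptions not stated in the thread: the LAN interface is vr0, the
# outside interface is rl0, the proxy is 172.25.1.5:80, and the kernel has
# options IPFIREWALL_FORWARD (required for fwd on FreeBSD of that era).

lan_if="vr0"
ext_if="rl0"
lan_net="172.24.33.0/24"
proxy_ip="172.25.1.5"
proxy_port="80"

# emit_ruleset CMD: runs every rule through CMD. Use "echo" for a dry run,
# /sbin/ipfw on the firewall itself (note that -f flush drops all rules).
emit_ruleset() {
    fw="$1"
    $fw -f flush
    $fw add 100 allow ip from any to any via lo0
    $fw add 200 deny ip from any to 127.0.0.0/8
    $fw add 210 deny ip from 127.0.0.0/8 to any
    # Dynamic rules are consulted here, before anything that could match
    # return traffic. Without check-state, keep-state below is pointless.
    $fw add 300 check-state
    # Transparent redirection of LAN web traffic. fwd only changes the next
    # hop; the destination address stays the web server's, so the proxy must
    # be able to intercept connections not addressed to itself. fwd is
    # terminal and creates no dynamic state.
    $fw add 400 fwd ${proxy_ip},${proxy_port} tcp from ${lan_net} to any 80 in via ${lan_if}
    # The forwarded packet is checked again on its way out; let it leave.
    $fw add 410 allow tcp from ${lan_net} to any 80 out via ${ext_if}
    # Replies to forwarded sessions carry the web server's address as source,
    # so no dynamic rule exists for them: allow established traffic back in.
    # This is the stateless trade-off of fwd: any host can reach the LAN from
    # source port 80 with ACK set, so keep this rule as narrow as shown.
    $fw add 420 allow tcp from any 80 to ${lan_net} established
    # Mail and DNS go direct, stateful: only a SYN opens TCP state, and the
    # replies are matched by check-state above.
    $fw add 500 allow tcp from ${lan_net} to any 25,110 setup keep-state
    $fw add 510 allow udp from ${lan_net} to any 53 keep-state
    # The firewall host itself.
    $fw add 600 allow ip from me to any keep-state
    # Default deny, logged.
    $fw add 65000 deny log ip from any to any
}

# Dry-run check: check-state must carry a lower number than any keep-state
# rule, otherwise the dynamic rules are never consulted. Exit 0 if ordered.
verify_order() {
    emit_ruleset echo | awk '
        /check-state/ && cs == 0 { cs = $2 + 0 }
        /keep-state/ && (ks == 0 || $2 + 0 < ks) { ks = $2 + 0 }
        END { if (cs > 0 && ks > 0 && cs < ks) exit 0; exit 1 }'
}

# Print the rules (dry run) unless told which ipfw to load them with.
emit_ruleset "${1:-echo}"
```

Run it with no arguments to review the rules, and with /sbin/ipfw on the firewall to load them; verify_order is a dry-run sanity check only. Two points worth keeping in mind when adapting it: a fwd rule hands the packet to the proxy as next hop but leaves the destination address untouched, so a proxy that only accepts connections addressed to itself will never see those sessions; and because fwd is terminal and keeps no state, the replies must be admitted by a separate rule (here the established rule), which is the same job the thread's pass rule without keep-state was doing.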


