Date:      Sat, 17 Apr 2004 00:20:59 +0000
From:      Igor Popov <IgorPopov@NewMail.RU>
Subject:   natd and squid in jail
Message-ID:  <200404170020.59722.IgorPopov@NewMail.RU>

I have a home network that consists of two machines; the first one (FreeBSD) has 
dialup access to the inet. Squid runs on FreeBSD to allow access to the inet from my 
second machine. For the sake of experiment I tried to run squid in a jail. But it 
doesn't work with the inet with ipfw and natd, while it works fine with ipfilter 
and ipnat and OpenBSD's pf.
Here are my ipfw rules:
fwcmd="/sbin/ipfw -q"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

#automated anti-spoofing
$fwcmd add deny log ip from any to any not verrevpath in recv ng0

$fwcmd add divert natd all from any to any via ng0

# Allow all localhost connections
$fwcmd add allow all from any to any via lo0
$fwcmd add deny  log all from any to
$fwcmd add deny  log all from to any

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny  tcp from any to any established

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny  tcp from me to any
$fwcmd add allow ip  from me to any out xmit any keep-state

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable ICMP
$fwcmd add deny  log icmp from any to me icmptypes 8,13
$fwcmd add allow icmp from me to any keep-state

#enable access for squid via localnet
$fwcmd add allow tcp from to me dst-port 3128 in recv rl0 setup 

# Enable IPSec
$fwcmd add allow log udp from any to me src-port isakmp dst-port isakmp via rl0 keep-state
$fwcmd add allow esp from any to any via rl0
$fwcmd add allow ah  from any to any via rl0

# Deny all the rest.
$fwcmd add deny log ip from any to any

rl0: mask 0xffffff00, mask 0xffffff80
When I do `ipfw -d show` or `tcpdump -i ng0`, I see that squid begins the 
connection and there is a response, but it cannot reach squid.

Ten years of rejection slips is nature's way of telling you to stop
		-- R. Geis
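The poster is reading `ipfw -d show` by eye to see where the reply packets die. The following is an added example, not code from the poster or from the FreeBSD project: a small parser for that output that lists every `deny` rule whose packet counter is non-zero and checks whether a dynamic (keep-state) entry exists for a given jail address, which is the pair of facts a defender wants before touching rule order. The line format is assumed from ipfw(8) of that era (`<rule> <pkts> <bytes> <body>` for static rules, `<rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport>` for dynamic ones); the sample output, rule numbers and the addresses 192.0.2.1 / 10.0.0.5 / 198.51.100.x are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ipfw -d show` output; it is NOT captured from the
# poster's machine. Static rules mirror the shape of the posted ruleset;
# the two dynamic entries belong to the host address 192.0.2.1 only.
SAMPLE_IPFW_OUTPUT = """\
00100   12   3456 deny log ip from any to any not verrevpath in recv ng0
00200  804 512000 divert 8668 ip from any to any via ng0
00300  120  15000 allow ip from any to any via lo0
00400    0      0 check-state
00500    3    180 deny tcp from any to any established
00600   40   2400 allow tcp from me to any out xmit any setup keep-state
00700    0      0 deny tcp from me to any
00800    9   1100 allow ip from me to any out xmit any keep-state
65000    7    420 deny log ip from any to any
65535    0      0 deny ip from any to any
## Dynamic rules (2):
00600    5    300 (280s) STATE tcp 192.0.2.1 52100 <-> 198.51.100.7 80
00800    2    160 (8s) STATE udp 192.0.2.1 51000 <-> 198.51.100.53 53
"""

# Assumed line formats (see lead-in); dynamic lines are tested first because
# they would also match the looser static pattern.
STATIC_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
DYNAMIC_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+\((\d+)s\)\s+STATE\s+(\S+)\s+"
    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)"
)


def parse_ipfw_show(text: str) -> Tuple[List[Dict], List[Dict]]:
    """Split `ipfw -d show` output into static rules and dynamic states."""
    static: List[Dict] = []
    dynamic: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):   # skip the "## Dynamic rules" banner
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            dynamic.append({
                "rule": int(m.group(1)), "pkts": int(m.group(2)),
                "bytes": int(m.group(3)), "ttl": int(m.group(4)),
                "proto": m.group(5),
                "src": m.group(6), "sport": int(m.group(7)),
                "dst": m.group(8), "dport": int(m.group(9)),
            })
            continue
        m = STATIC_RE.match(line)
        if m:
            body = m.group(4)
            static.append({
                "rule": int(m.group(1)), "pkts": int(m.group(2)),
                "bytes": int(m.group(3)), "body": body,
                "action": body.split()[0],   # allow / deny / divert / check-state ...
            })
    return static, dynamic


def deny_rules_with_hits(static: List[Dict]) -> List[Dict]:
    """Deny rules whose packet counter moved: candidates for where replies are lost."""
    return [r for r in static if r["action"] == "deny" and r["pkts"] > 0]


def states_for_host(dynamic: List[Dict], host: str) -> List[Dict]:
    """Dynamic entries in which `host` is either endpoint.

    An empty list for the jail address means keep-state never created an
    entry for its outbound connection, so check-state cannot admit the reply.
    """
    return [d for d in dynamic if host in (d["src"], d["dst"])]


if __name__ == "__main__":
    rules, states = parse_ipfw_show(SAMPLE_IPFW_OUTPUT)
    jail_ip = "10.0.0.5"   # constructed jail address for the demonstration
    for r in deny_rules_with_hits(rules):
        print(f"deny rule {r['rule']:05d} hit {r['pkts']} times: {r['body']}")
    print(f"dynamic states involving {jail_ip}: {len(states_for_host(states, jail_ip))}")
```

Run it against a saved copy of the real `ipfw -d show` output taken right after squid's connection attempt; a deny rule with a climbing counter plus no state for the jail address narrows the problem to rule order rather than to natd itself.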
