From: Igor Popov <IgorPopov@NewMail.RU>
To: ipfw@freebsd.org
Date: Sat, 17 Apr 2004 00:20:59 +0000
Subject: natd and squid in jail

Hi,

I have a home network that consists of two machines; the first one (FreeBSD) has dialup access to the inet. Squid runs on the FreeBSD box to allow access to the inet from my second machine. For the sake of experiment I tried to run squid in a jail. But it doesn't work with the inet with ipfw and natd, while it works fine with ipfilter and ipnat and with OpenBSD's pf. Here are my ipfw rules:

fwcmd="/sbin/ipfw -q"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# automated anti-spoofing
$fwcmd add deny log ip from any to any not verrevpath in recv ng0

# natd
$fwcmd add divert natd all from any to any via ng0

# Allow all localhost connections
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log all from 127.0.0.0/8 to any

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable ICMP
$fwcmd add deny log icmp from any to me icmptypes 8,13
$fwcmd add allow icmp from me to any keep-state

# enable access for squid via localnet
$fwcmd add allow tcp from 192.168.1.0/24 to me dst-port 3128 in recv rl0 setup keep-state

# Enable IPSec
$fwcmd add allow log udp from any to me src-port isakmp dst-port isakmp via rl0 keep-state
$fwcmd add allow esp from any to any via rl0
$fwcmd add allow ah from any to any via rl0

# Deny all the rest.
$fwcmd add deny log ip from any to any

rl0: 192.168.1.1 mask 0xffffff00, 192.168.1.2 mask 0xffffff80

When I do `ipfw -d show` or `tcpdump -i ng0`, I see that squid begins the connection and there is a response, but it never reaches squid.

-- 
Ten years of rejection slips is nature's way of telling you to stop writing.
		-- R. Geis
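As an added illustration (not part of the original post), a small Python model of one interaction worth ruling out with this rule order: the divert rule sits before check-state, so the keep-state rule records the natd-translated source, and a reply that natd has already translated back to a jail alias address may not match the dynamic rule. It assumes a diverted packet re-enters ipfw at the rule after the divert with rewritten addresses and that dynamic rules are keyed on the addresses the keep-state rule saw; the ng0 and remote addresses are constructed.

```python
# Added example (not from the original post): a minimal model of how the
# posted rule order interacts with natd and keep-state.  Assumptions: a
# packet diverted to natd re-enters ipfw at the rule after the divert rule
# with its rewritten addresses, and a dynamic (keep-state) rule is keyed on
# the addresses visible when the keep-state rule fires.
NG0_ADDR = "10.0.0.5"          # constructed: dialup address on ng0
JAIL_ADDR = "192.168.1.2"      # from the post: rl0 alias the jail binds to
LOCAL = {NG0_ADDR, "192.168.1.1", JAIL_ADDR}   # what "me" matches
REMOTE = ("203.0.113.10", 80)  # constructed web server the proxy fetches from

def natd_out(src, sport, nat_table):
    """natd -interface ng0: rewrite a non-ng0 source to the ng0 address."""
    if src == NG0_ADDR:
        return src, sport            # already the aliasing address, untouched
    nat_table[(NG0_ADDR, sport)] = (src, sport)
    return NG0_ADDR, sport

def natd_in(dst, dport, nat_table):
    """Reverse translation for a reply arriving on ng0."""
    return nat_table.get((dst, dport), (dst, dport))

def squid_connect(squid_src, sport=40000):
    """Run one outbound SYN and its SYN/ACK through the posted rule order.
    Returns (outbound_verdict, inbound_verdict)."""
    nat_table, dynamic = {}, set()
    # outbound on ng0: 'divert natd', then
    # 'allow tcp from me to any out xmit any setup keep-state'
    src, sp = natd_out(squid_src, sport, nat_table)
    if src not in LOCAL:
        return ("deny", "n/a")
    dynamic.add((src, sp, *REMOTE))  # dynamic rule keyed on post-NAT tuple
    # inbound reply on ng0: 'divert natd', then 'check-state', then
    # 'deny tcp from any to any established'
    dst, dp = natd_in(NG0_ADDR, sport, nat_table)
    if (dst, dp, *REMOTE) in dynamic:
        return ("allow", "allow")
    return ("allow", "deny")         # falls through to the 'established' deny

# Non-jailed squid picks the ng0 address as source: no rewrite, state matches.
# Jailed squid is bound to 192.168.1.2: natd rewrites it out, un-rewrites the
# reply, and check-state no longer finds the tuple.
```

Comparing squid_connect(NG0_ADDR) with squid_connect(JAIL_ADDR) reproduces the symptom described above: the SYN leaves, the SYN/ACK is visible on ng0, but it is dropped before it reaches the jailed process.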