From: "Henry Blackman" <h.blackman@chester.ac.uk>
To: freebsd-questions@freebsd.org
Date: Wed, 24 Mar 2004 09:23:18 -0000
Subject: IPFW & NAT Help

Hello Everyone.

I really need some help with my IPFW setup. I'm using FreeBSD 4.9 and IPFW (not 2).

The background is I run a residential network for students on campus, where the FreeBSD box sits between their LAN and the rest of College (and therefore the Internet). We are having terrible trouble with file sharing (amongst other things), so the decision has been made to block by default.

We have a complicated setup however: we authenticate users by the use of a captive portal (with IPFW rules), and once they are authenticated, a rule is added to IPFW. We NAT at the same time. We also have a transparent Squid proxy. You can imagine my pain.
The public-facing interface is em0 and the private one is em1. Here's the ruleset:

    00050 0 0 divert 8668 ip from any to any via em0
    00100 0 0 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    00301 0 0 deny tcp from any to any 25
    00400 0 0 deny icmp from any to any

Then for every authorised student a line like this (there are a hundred or so):

    49389 0 0 skipto 64998 ip from 172.16.122.160 to any

Then these rules for the captive portal:

    64993 0 0 fwd 172.16.120.1,8080 tcp from 172.16.120.0/22 to any 80,8080
    64994 0 0 fwd 172.16.120.1,443 tcp from 172.16.120.0/22 to any 443
    64995 0 0 allow tcp from 172.16.120.0/22 to 172.16.120.0/22 8080
    64996 0 0 allow udp from 172.16.120.0/22 to any 53
    64997 0 0 deny ip from 172.16.120.0/22 to any

Then these for the transparent proxy and everything else:

    64998 0 0 allow tcp from 195.195.128.195 to any
    64999 0 0 fwd 127.0.0.1,8082 log logamount 100 tcp from any to any 80
    65000 0 0 allow ip from any to any
    65535 0 0 deny ip from any to any

The question is, how do I add a bunch of rules to allow only web and POP mail traffic? So I want the students to do web and POP mail only... obviously I'll add more, but these two rules will get me started.

TIA,
Henry
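An added example, not part of Henry's message or any list reply, showing one way to answer the question against the ruleset as posted. The key observation is that every authenticated student is sent by "skipto 64998" straight to rule 65000, "allow ip from any to any", so the per-student rule is currently an unrestricted bypass; the place to restrict authenticated users is therefore what sits after the skipto target, not the captive-portal block (which they jump over). The script below deletes that single catch-all and replaces it with a small stateless policy at the same rule number (ipfw keeps several rules under one number and evaluates them in the order they were added, so the roughly one hundred skipto rules need no renumbering). The rule numbers 64996, 64998, 64999 and 65000, the student range 172.16.120.0/22 and the port-80 forward to Squid are taken from the post; the choice of ports 443, 110 and 995, the use of "established" for return traffic, and the helper name student_policy_rules are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Henry's ruleset): limit authenticated students to web
# (80 via the transparent Squid forward at 64999, 443 direct) and POP mail
# (110, plus 995 for POP over TLS), with the DNS and reply traffic those need.
#
# Assumptions from the posted ruleset: authenticated users hit "skipto 64998";
# 64999 forwards port 80 to Squid; 65000 is the catch-all "allow ip from any
# to any" that turns the skipto into a full bypass. Everything below replaces
# that one rule. ipfw accepts several rules with the same number and runs
# them in insertion order, so the policy lives at 65000 and the per-student
# skipto rules are left alone.

STUDENTS="172.16.120.0/22"     # student LAN (from the post)
POLICY=65000                   # rule number being replaced (from the post)
IPFW="${IPFW:-/sbin/ipfw}"     # set IPFW=echo to preview without touching the firewall

student_policy_rules() {
    # Drop the old catch-all; the last rule below restores it for
    # non-student traffic only.
    "$IPFW" delete "$POLICY"

    # Web: port 80 is already caught by the fwd to Squid at 64999 before
    # we get here, so only HTTPS needs a direct allow.
    "$IPFW" add "$POLICY" allow tcp from "$STUDENTS" to any 443

    # POP mail, plain and over TLS.
    "$IPFW" add "$POLICY" allow tcp from "$STUDENTS" to any 110,995

    # Name resolution: rule 64996 sits in the captive-portal block that
    # authenticated users skip over, so it has to be repeated here,
    # together with the replies (the ruleset is stateless).
    "$IPFW" add "$POLICY" allow udp from "$STUDENTS" to any 53
    "$IPFW" add "$POLICY" allow udp from any 53 to "$STUDENTS"

    # Reply and mid-connection packets for the TCP connections allowed
    # above. With no check-state/keep-state in the ruleset, "established"
    # (ACK or RST set, i.e. not a bare SYN) is what lets SYN-ACKs and data
    # back in to the students without opening inbound connection setup.
    # This is the usual stateless compromise: anyone can send ACK-flagged
    # packets at the LAN, but nobody can open a new connection into it.
    "$IPFW" add "$POLICY" allow tcp from any to "$STUDENTS" established

    # Everything else from the student LAN (file sharing included) is
    # dropped and logged so the captive-portal logs show what was blocked.
    "$IPFW" add "$POLICY" deny log ip from "$STUDENTS" to any

    # Traffic that is not from the student LAN, e.g. Squid's own fetches
    # after NAT (the 195.195.128.195 allow at 64998 covers TCP but not UDP)
    # and College-side hosts, keeps the old catch-all behaviour.
    "$IPFW" add "$POLICY" allow ip from any to any
}

# Usage:  sh student_policy.sh apply
#         IPFW=echo sh student_policy.sh apply    (print the ipfw commands only)
if [ "${1:-}" = "apply" ]; then
    student_policy_rules
fi
```

Two things to check after loading this on the 4.9 box: packets cross the firewall twice (in on em1, out on em0 after the divert rewrites the source to the NAT address), so a student flow is judged once by the student rules and once as traffic "from 195.195.128.195", which is why the final allow-any is still needed; and because the port-80 forward at 64999 is ahead of this policy, web traffic never reaches the 443 rule and is constrained only by what Squid is configured to accept, so any per-user restriction on HTTP belongs in Squid's ACLs rather than here.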