From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 27 20:15:12 2004
From: whizkid@ValueDJ.com
To: freebsd-ipfw@freebsd.org
Date: Sat, 27 Mar 2004 20:20:27 -0800 (PST)
Message-ID: <1088.216.100.130.17.1080447627.squirrel@www.ValueDJ.com>
Subject: FreeBSD Transparent Proxy with ipfw & natd

I have seen lots of pages on Google on how to set up Squid as a transparent proxy server on FreeBSD. However, most of these refer to 4.9 stable, using IPTables. I am currently using natd and ipfw.
Here are my firewall rules:

rc.firewall.rules

proxy# cat rc.firewall.rules
# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via fxp0
add 00302 deny ip from 172.16.0.0/12 to any in via fxp0
add 00303 deny ip from 192.168.0.0/16 to any in via fxp0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via fxp0
add 01001 check-state

# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from any to me dst-port 22 setup keep-state
# ICMP
add 04001 allow icmp from 192.168.1.0/24 to me in via xl0
# NTP
add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via xl0 setup keep-state
add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via xl0 keep-state
# DNS
add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via xl0
# drop everything else
add 04009 deny ip from 192.168.1.0/24 to me

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via xl0 keep-state

# allow all outgoing traffic from the router (maybe you should be more restrictive)
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60000 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via fxp0
add 61001 allow ip from any to any

natd.conf

proxy# cat natd.conf
unregistered_only
interface fxp0
use_sockets
dynamic
# dynamically open fw for ftp, irc
punch_fw 2000:50

proxy# uname -a
FreeBSD proxy.valuedj.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Fri Mar 26 19:14:17 PST 2004 whizkid@proxy.valuedj.com:/usr/obj/usr/src/sys/MYKERNEL i386

How would I set it so all incoming packets from xl0 would get redirected to port 8080 for the proxy server? I want to set up DansGuardian for content filtering and I don't want the people who will be using my network to find a way around it by disabling the proxy in the browser. Anyone have any ideas? Thanks for your help.
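The redirect the poster is asking about is normally done in ipfw with the fwd action rather than through natd. The script below is an added example, not part of the post or of the FreeBSD project: it builds two rules that fit the numbering of the rule set above, a fwd rule for LAN HTTP placed after the "deny ... to me" block (04009) and before the skipto-to-NAT rule (04109), plus an allow rule so the proxy port itself stays reachable. The LAN network (192.168.1.0/24), interface (xl0), proxy port (8080) and the rule numbers 04008 and 04100 are assumptions taken from or chosen to match the post; the kernel option IPFIREWALL_FORWARD is required for fwd to work.

```shell
#!/bin/sh
# Added example (not the poster's rule set): steer outbound HTTP from the LAN
# into a local proxy with an ipfw "fwd" rule.
# Assumptions: LAN 192.168.1.0/24 on xl0, proxy listening on 127.0.0.1:8080,
# kernel built with "options IPFIREWALL_FORWARD".
set -eu

IPFW="${IPFW:-ipfw}"          # override with IPFW=echo to preview the rules
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-xl0}"
PROXY_PORT="${PROXY_PORT:-8080}"

# 04100 sits after "add 04009 deny ip from 192.168.1.0/24 to me" and before
# "add 04109 skipto 61000 ...", so HTTP bound for the Internet reaches the
# proxy before it is NATed. fwd is a terminating action: a matched packet is
# accepted and handed to the proxy, so rule order matters.
FWD_RULE_NUM=04100
# 04008 sits just before 04009 so explicitly configured clients can still
# talk to the proxy port directly.
ALLOW_RULE_NUM=04008

# Emit the rules as "ipfw add ..." argument lines, one per line.
# "to not me" keeps HTTP aimed at the router itself out of the proxy.
transparent_proxy_rules() {
    echo "add ${FWD_RULE_NUM} fwd 127.0.0.1,${PROXY_PORT} tcp from ${LAN_NET} to not me dst-port 80 in via ${LAN_IF}"
    echo "add ${ALLOW_RULE_NUM} allow tcp from ${LAN_NET} to me dst-port ${PROXY_PORT} in via ${LAN_IF} setup keep-state"
}

# Load the rules with the given command (default: the real ipfw binary).
# Passing "echo" prints what would be loaded without touching the firewall.
load_transparent_proxy_rules() {
    cmd="${1:-$IPFW}"
    transparent_proxy_rules | while IFS= read -r rule; do
        # word splitting of $rule into separate ipfw arguments is intended
        $cmd $rule
    done
}

# Only act when invoked as "sh this_script.sh apply"; otherwise just define
# the functions so the file can be sourced or previewed.
if [ "${1:-}" = "apply" ]; then
    load_transparent_proxy_rules
fi
```

Preview with `IPFW=echo sh transparent_proxy.sh apply`, load with `sh transparent_proxy.sh apply`, then watch the counters of `ipfw show 04100` climb as LAN clients browse. Two caveats for anyone relying on this to enforce filtering: only TCP port 80 is caught, so HTTPS and non-standard ports pass straight to the NAT rule unless the outbound rules deny them, and the proxy (Squid with DansGuardian in front of it) must be configured in transparent/intercepting mode, since the forwarded packets still carry the original destination address rather than the proxy's.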