From owner-freebsd-questions Thu Apr 20 12: 1:10 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.commlitho.com (medusa.commlitho.com [207.254.73.4]) by hub.freebsd.org (Postfix) with SMTP id 11CBB37B58E for ; Thu, 20 Apr 2000 12:01:07 -0700 (PDT) (envelope-from patb@commlitho.com)
Received: from pc11.commlitho.com [207.254.73.2] by mail.commlitho.com with ESMTP (SMTPD32-4.07) id A3F247960048; Thu, 20 Apr 2000 12:01:06 MST
Message-Id: <4.3.1.2.20000420114823.00ae9d50@commlitho.com>
X-Sender: patb@commlitho.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Thu, 20 Apr 2000 12:01:05 -0700
To: questions@FreeBSD.org
From: Patrick Burm
Subject: natd/ipfw and outgoing restrictions
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have done my best to see if this has been asked/answered before. I have a vanilla natd/ipfw setup where I'm hiding a LAN using private IPs and using a FreeBSD server running natd as a gateway to the net for the LAN. I wish to restrict outgoing traffic to only allow certain hosts to surf and whatnot. My firewall is set to "open" and the rules end up looking like this:

    00100 divert 8668 ip from any to any via xl0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    65000 allow ip from any to any
    65535 deny ip from any to any

First question is: do I put my restricting rules before the divert? Something like

    00050 allow tcp from 192.168.0.10/32 to any 80

I'm thinking if I want to allow "joe" to surf I allow tcp to port 80 from joe's IP, but his IP is private. I understand (maybe incorrectly) that nat reinjects the packet at rule 200 in this example, but it is now sourced with the public IP.

Second, how do you know what interfaces and directions the rules are bound to? As it practically set itself up and worked on the first try, I don't know exactly what is going on.
Are there any examples of setups like I want to do, or a better way to do it? Is there some other "proxy" daemon that might work better for me?
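One way to lay the ruleset out so that the per-host egress rules match while the source address is still private, as an added example that is not from the original post or from FreeBSD's own rc.firewall. The interface names (xl0 outside, xl1 LAN), the 192.168.0.0/24 LAN and 192.168.0.10 as "joe" are assumptions; the `in via`/`out via` qualifiers are what bind each rule to an interface and direction.

```sh
#!/bin/sh
# Added example: natd/ipfw ruleset that restricts which LAN hosts may surf.
# Assumptions (not from the original post): xl0 is the outside interface,
# xl1 the LAN interface, 192.168.0.0/24 the LAN, 192.168.0.10 is "joe".
OIF=xl0
IIF=xl1
LAN=192.168.0.0/24
SURFERS="192.168.0.10"        # hosts allowed out to the web
NATD_PORT=8668

# Print the ruleset as "ipfw add" arguments, one rule per line.
build_rules() {
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 deny ip from any to 127.0.0.0/8"
    # Egress policy is checked on the LAN side, as the packet enters the
    # gateway on $IIF: the source is still the private address here, so
    # per-host rules match. Nothing has been through natd yet.
    n=300
    for h in $SURFERS; do
        echo "add $n allow tcp from $h to any 80,443 in via $IIF"
        echo "add $((n + 1)) allow udp from $h to any 53 in via $IIF"
        n=$((n + 10))
    done
    # Everything else arriving from the LAN is dropped before it can reach
    # the divert rule, so natd only ever translates approved traffic.
    echo "add 400 deny ip from $LAN to any in via $IIF"
    # The same packet is seen again when it leaves on $OIF; that pass
    # diverts it to natd, which rewrites the source to the public IP and
    # reinjects it at the rule after the divert.
    echo "add 500 divert $NATD_PORT ip from any to any via $OIF"
    echo "add 600 allow tcp from any to any established"
    echo "add 65000 allow ip from any to any"
}

# 1-based position of the first rule whose text matches $1; used to
# confirm that the LAN deny sits before the divert.
rule_pos() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Load the rules into the kernel, flushing the old set first.
apply_rules() {
    ipfw -q -f flush
    build_rules | while read -r line; do
        ipfw -q $line
    done
}

if [ "${1:-}" = "apply" ]; then apply_rules; else build_rules; fi
```

Run without arguments to review the generated rules; run with `apply` on the gateway to load them.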