Date:      Wed, 07 Jan 2004 17:34:43 +0000
From:      Ben Quick <general@benquick.f9.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   IPFW confusion
Message-ID:  <3FFC4333.8060807@benquick.f9.co.uk>

Hello all,
I've been hunting around for information on IPFW and how to set up the
rules I require. I found a tutorial that seemed to fit my needs:
http://www.mostgraveconcern.com/freebsd/ipfw.html

However, I can't get the config to work. I've commented out all the deny
rules. In this instance, I can browse the web via Squid, which is installed
on the IPFW box. I can't browse the web directly, though. That is the
only external access I get. I can't ping any sites, and DNS lookups fail
(I've set the DNS servers on the client workstation to be my ISP's.
I also tried setting it to look at the IPFW box first, with no luck).

Can anyone offer help on this one? I'm getting stuck in a muddle of
misunderstanding.

My setup is as follows:

Internal LAN is 192.168.0.x
IPFW machine has 2 NICs:
rl0: 192.168.0.10
rl1: 172.16.200.10
rl1 connects directly to my DSL router (D-Link 504), which has an
internal IP of 172.16.200.1 along with its public IP on the DSL port.

The ruleset I'd like is as follows:

For client IPs of 192.168.0.1 - 192.168.0.20 allow the following:
HTTP / HTTPS - But not directly; force them to use Squid (listening on
port 8080, and using squidGuard for content filtering)
POP3 - But, only so far as pop.myisp.com
IMAP - But, only so far as imap.myisp.com
SMTP - But, only so far as smtp.myisp.com
DNS lookups - But, only with ns1.myisp.com and ns2.myisp.com
NNTP - But, only so far as news.myisp.com
FTP - To anywhere

For client IPs of 192.168.0.21 - 192.168.0.254, no access to anything
external to the 192.168.0.x network should be granted.

I'd like the IPFW box and 192.168.0.1 to be able to SSH out to anywhere.

I'd like to allow SSH inbound from a specific IP to be directed at the
IPFW box (the port forwarding can be done with the DSL router). SSH
isn't currently listening on that interface; I'll get to that later :)

Does this sound like a reasonable ruleset? Is anyone willing to help me 
generate it?

Thanks
Ben

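The ruleset the post asks for, written out as an added example; it is not part of the original message or of any reply in the thread. It is a FreeBSD sh script that drives ipfw, taking the interfaces, addresses, client ranges and ISP host names from the post. Everything else is an assumption and is marked as such in the code: that natd on the IPFW box does the NAT for the LAN (the D-Link only knows 172.16.200.0/24), a placeholder ADMIN_IP for the remote host allowed to ssh in, the 192.168.0.1-20 range expressed as its three exact CIDR blocks, and one extra rule so 192.168.0.1 can ssh to the box itself.

```shell
#!/bin/sh
# Added example, not from the post: ipfw rules for the policy described
# above. Kernel: IPFIREWALL, IPDIVERT, IPFIREWALL_VERBOSE (for "log").
# rc.conf: gateway_enable="YES", natd_enable="YES", natd_interface="rl1".
# Load:     sh /etc/ipfw.sh apply          (as root, on the IPFW box)
# Preview:  fwcmd=echo sh /etc/ipfw.sh apply

fwcmd="${fwcmd:-/sbin/ipfw}"

IIF=rl0; INSIDE=192.168.0.10      # LAN side, from the post
OIF=rl1; OUTSIDE=172.16.200.10    # towards the D-Link, from the post
LAN=192.168.0.0/24
# 192.168.0.1-20 is not one CIDR block; these three are its exact cover
# (.0 is the network address and .10 the firewall; neither is a client)
CLIENTS="192.168.0.0/28 192.168.0.16/30 192.168.0.20"
SSH_OUT=192.168.0.1               # the one LAN host allowed to ssh anywhere
ADMIN_IP=203.0.113.5              # ASSUMED placeholder: remote host allowed to ssh in
# ISP hosts named in the post. ipfw resolves names with the resolver at load
# time, which fails when this box is what makes DNS work: use IPs in production.
POP=pop.myisp.com; IMAP=imap.myisp.com; SMTP=smtp.myisp.com
NNTP=news.myisp.com; NS1=ns1.myisp.com; NS2=ns2.myisp.com

add() { $fwcmd add "$@"; }

load_rules() {
    $fwcmd -f flush

    add 100 allow ip from any to any via lo0
    add 110 deny ip from any to 127.0.0.0/8
    add 120 deny ip from 127.0.0.0/8 to any
    # anti-spoofing: LAN source addresses never arrive on the outside
    add 200 deny log ip from $LAN to any in via $OIF

    # ASSUMED: the D-Link only knows 172.16.200.0/24, so natd hides the LAN
    # behind $OUTSIDE. Inbound packets are un-NATed here, so rules after 300
    # see real LAN addresses. Drop this if the router routes 192.168.0.0/24.
    add 300 divert natd ip from any to any via $OIF
    # Non-SYN segments of connections admitted below. Must sit after the
    # divert, or inbound replies would be accepted before being un-NATed.
    add 310 allow tcp from any to any established

    # Outbound policy is enforced where packets ENTER, on $IIF, before NAT,
    # where the client's own address is still visible.
    n=400
    for net in $CLIENTS; do
        # web only via Squid on this box (browsers point at $INSIDE:8080);
        # no rule allows direct 80/443, so those SYNs die at 520
        add $n allow tcp from $net to $INSIDE 8080 in via $IIF setup
        add $((n+1)) allow tcp from $net to $POP 110 in via $IIF setup
        add $((n+2)) allow tcp from $net to $IMAP 143 in via $IIF setup
        add $((n+3)) allow tcp from $net to $SMTP 25 in via $IIF setup
        add $((n+4)) allow tcp from $net to $NNTP 119 in via $IIF setup
        add $((n+5)) allow udp from $net to $NS1 53 in via $IIF
        add $((n+6)) allow udp from $net to $NS2 53 in via $IIF
        add $((n+7)) allow tcp from $net to any 21 in via $IIF setup
        add $((n+8)) allow icmp from $net to any in via $IIF icmptypes 8
        n=$((n+20))
    done
    add 500 allow tcp from $SSH_OUT to any 22 in via $IIF setup
    # ASSUMED wanted: the admin workstation can ssh to the box itself
    add 510 allow tcp from $SSH_OUT to $INSIDE 22 in via $IIF setup
    # everything else leaving the LAN, including all of .21-.254, stops here
    add 520 deny log ip from $LAN to not $LAN in via $IIF

    # Inbound on the outside interface (already un-NATed by 300)
    add 600 allow tcp from $ADMIN_IP to $OUTSIDE 22 in via $OIF setup
    add 610 allow udp from $NS1 53 to any in via $OIF
    add 620 allow udp from $NS2 53 to any in via $OIF
    # active-mode FTP data channel; natd rewrites PORT for LAN clients
    add 630 allow tcp from any 20 to $LAN in via $OIF setup
    add 640 allow icmp from any to any in via $OIF icmptypes 0,3,11
    add 650 deny log tcp from any to any in via $OIF setup

    # Packets leaving an interface were judged when they entered the other
    # one, or originate on the box itself (trusted to go anywhere).
    add 700 allow ip from any to $LAN out via $IIF
    add 710 allow ip from $OUTSIDE to any out via $OIF

    add 65000 deny log ip from any to any
}

case "${1:-}" in
    apply) load_rules ;;
esac
```

Two caveats worth knowing before loading this. Rule 310 is the pre-stateful way of admitting replies: any non-SYN TCP segment passes in either direction, which is what 2004-era rulesets did, but it is looser than keep-state/check-state; dynamic rules can be used instead, but they have to be positioned relative to the divert rule with care, since they see pre-NAT addresses. And FTP is only half solved: active mode works through natd's PORT rewriting plus rule 630, while passive mode needs the client to reach an arbitrary high port on the server, which would take something as broad as `allow tcp from $net to any 1024-65535 in via $IIF setup`.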