Date: Mon, 26 Sep 2005 08:41:28 -0500
From: Hugo Osorio <osorio.hugo@gmail.com>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-ipfw@freebsd.org, ipfw@freebsd.org
Subject: Re: mime contents thru ipfw
Message-ID: <680ac847050926064125be4e0@mail.gmail.com>
In-Reply-To: <43342E8E.6060004@mac.com>
References: <680ac84705082407576dd2f6b4@mail.gmail.com> <20050825084039.GH659@obiwan.tataz.chchile.org> <680ac84705082507486347b67@mail.gmail.com> <680ac847050922171856ed2904@mail.gmail.com> <43334E81.9080707@mac.com> <680ac84705092309007d69b088@mail.gmail.com> <43342E8E.6060004@mac.com>
I have seen that the "open rule" is insecure, and I wouldn't like to use it. I want to continue trying to find the closed port with this policy; there must be something somewhere, so I will continue bothering. Sorry, I am a beginner. Here are some conversations from the past that weren't submitted to the group.

------------------

A proxy is a cache server. If you don't need it, don't use it. If you want to use a proxy for caching web traffic and force this traffic through the proxy, you can do that with the fwd option in ipfw, for example:

    ipfw fwd $ip_proxy,$port_proxy tcp from not me to any 80 in via $private_interface

This does not affect in any way the functionality of mail applications (which in the case of POP3 work with ports 25 and 110 respectively). If you access mail via the web, this works well with a proxy. If you still have problems, I'm sure it is because of the configuration of the proxy (I think you use Squid). In this case you need some options to permit the "CONNECT" method. I don't remember now exactly how it looks.

----------------------

I have done this at the command line:

    ipfw add fwd 172.25.1.5,80 tcp from not me to any 80 in via vr0
    04200 fwd 172.25.1.5,80 tcp from not me to any 80 in recv vr0

and also

    ipfw add fwd 172.2X.X.X,80 tcp from 17X.XX.XX.0/24 to any 80 in via vr0

Nothing happens. I do see traffic, but very little. This should refresh it? I mean, is this rule active immediately? Because I can not do attachments yet, not even showing my message list in Yahoo (http://e1.f405.mail.yahoo.com/ym/ShowFolder?YY=29820&box=Inbox&YN=1). The proxy is Microsoft Proxy Server 2.0. I have unset the firewall and plugged the router directly into the switch, and all is fine, so I am almost sure the hassle is in the fw. Thanks.

---------------------------------------------

I have two proxies available, and in the machine where I have the fw there are routes created for routing to one proxy or the other, 172.25.x.x or 172.24.x.x. With the .24.x.x proxy I don't have any hassle, but I do with the 25.x.x.

> You have to redirect the whole HTTP traffic to the proxy, or nothing.
> You can't decide on layer 7 content.

What do you recommend me to do first?

----------------------------------------------

2005/9/23, Chuck Swiger <cswiger@mac.com>:
>
> Hugo Osorio wrote:
> > thanks,
> >
> > our (172.24.33.0) LAN goes to internet through two
> > proxies; the new proxy, which is the one I am trying to set up, is in another
> > network. We have set routes to that LAN (172.25.1.0).
>
> OK.
>
> > -is it inappropriate to put these addresses here? I hope not :s
>
> No. I was confused by the "<http://172.24.33.0>" strings, which someone said
> may be something to do with gmail.com.
>
> > in order to be protected, we have set a firewall in this way:
> >
> > LAN(172.24.33.0) --> SWITCH --> fw --> Router(172.25.19.X) --> proxy(172.25.1.5)
>
> OK. You should start by testing access through the proxy server when logged
> onto your firewall box. If that doesn't work, debug your router or your
> network routes.
>
> > I have the other conf (using another proxy, another network) without the
> > string 'http://' and it works, and transfers everything.
> > And besides, using the new proxy, without the 'http://' string, it shows
> > bytes activity in 'ipfw show', I mean I can enter sites.
> >
> > For using the "open firewall ruleset" do you have any basic document?
> >
> > Another hint or help will be appreciated, thank you.
>
> Look at /etc/rc.firewall and the "open" ruleset there.
>
> See:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
>
> ...which is available translated to other languages, also.
>
> --
> -Chuck
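As an added example (not code from the thread or from FreeBSD's rc.firewall), here is a minimal closed ipfw ruleset in the rc.firewall style that intercepts LAN HTTP with fwd, together with the ipfw(8) caveat that matters when the proxy lives on another host. The LAN, interface and proxy address follow the thread; the proxy port 8080, the rule numbers and the check_ruleset helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a small closed ipfw ruleset that hands
# LAN HTTP to a proxy with "fwd" instead of using the permissive "open" ruleset.
# The LAN, interface and proxy address follow the thread; port 8080 and the
# rule numbers are assumptions. IPFW defaults to "echo ipfw" so the rules can
# be reviewed first; set IPFW="ipfw -q" on the firewall to actually load them.
: "${IPFW:=echo ipfw}"

build_ruleset() {
    lan_if=$1; lan_net=$2; proxy_ip=$3; proxy_port=$4
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    # fwd goes before check-state so every packet of an HTTP flow is redirected,
    # not just the SYN. fwd terminates the search and rewrites only the next hop:
    # for a proxy that is not a local address the packet keeps the web server's
    # destination IP and the ",port" suffix is ignored (ipfw(8)), so the proxy
    # host itself must be set up to intercept packets that are not addressed to it.
    $IPFW add 200 fwd "$proxy_ip,$proxy_port" tcp from "$lan_net" to any 80 in via "$lan_if"
    $IPFW add 300 check-state
    # Everything else the LAN initiates is allowed statefully; nothing unsolicited comes in.
    $IPFW add 400 allow tcp from "$lan_net" to any out setup keep-state
    $IPFW add 410 allow udp from "$lan_net" to any 53 out keep-state
    $IPFW add 420 allow icmp from any to any icmptypes 0,3,8,11
    # Explicit, logged default deny: a blocked flow shows up in the counters and
    # the log instead of silently disappearing, which is the complaint in the thread.
    $IPFW add 65000 deny log ip from any to any
}

# Reads rules ("ipfw show" output or the preview above) on stdin and succeeds
# only if an HTTP fwd rule is present and the last rule is a deny, i.e. the
# box is not running the "open" ruleset.
check_ruleset() {
    awk '/fwd .* tcp from .* to any (dst-port )?80( |$)/ { fwd = 1 }
         NF { last = $0 }
         END { exit !(fwd && last ~ /deny/) }'
}

# "sh thisfile --preview" prints the ruleset without touching the firewall.
if [ "${1:-}" = "--preview" ]; then
    build_ruleset vr0 172.24.33.0/24 172.25.1.5 8080
fi
```

Running `ipfw show | check_ruleset` on the firewall box is a quick way to confirm the fwd rule is loaded and that the ruleset still ends in a deny.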
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?680ac847050926064125be4e0>