Date: Mon, 28 Jan 2002 00:28:21 -0600
From: Doug Poland <doug@polands.org>
To: questions@freebsd.org
Subject: optimize ipfw rules
Message-ID: <20020128002821.A14917@polands.org>
I'm fairly new with ipfw rules and was wondering if there is a better way to achieve my goal. My network is as follows:

192.168.1.1:        gateway/natd (dc0 inside iface, ed0 outside iface)
192.168.1.10:       squidGuard proxy and apache http server
192.168.1.100-200:  user PCs

What I want is the gateway to accept http requests from the proxy only on the internal network. This will prevent users from circumventing the content filter from SquidGuard. In addition, I want the outside world to see through my firewall to the http server on 192.168.1.10.

So I've got the following configuration working but was wondering if there's a *better* way to write the rules. i.e.,

fw# cat /etc/natd.conf
dynamic yes
use_sockets yes
same_ports yes
log yes
redirect_port tcp 192.168.1.10:80 80

00510 allow tcp from 192.168.1.10 to any 80 via dc0
00520 allow udp from 192.168.1.10 to any 80 via dc0
00530 allow tcp from any to 192.168.1.10 80 via ed0
00540 allow udp from any to 192.168.1.10 80 via ed0
00550 allow tcp from any to 192.168.1.10 80 via dc0
00560 allow udp from any to 192.168.1.10 80 via dc0
00570 deny tcp from any to any 80 via dc0
00580 deny udp from any to any 80 via dc0

-- 
Regards,
Doug

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
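The rule set quoted in the post, run through a small first-match simulator. This is an example added here; it is not part of Doug's e-mail and not FreeBSD's ipfw code. It parses the eight rules exactly as written, applies ipfw's first-match ordering to a few constructed packets for the hosts named in the post (the external addresses 203.0.113.5 and 198.51.100.7 are documentation-range placeholders), and reports which rule decides each one. It models only the syntax the quoted rules use (allow/deny, tcp/udp, an optional destination port, a `via` interface); a packet that no rule matches is reported as falling through to ipfw's default rule 65535, whose verdict depends on the kernel build.

```python
"""First-match simulator for the ipfw rules quoted in the post.

Added example, not part of the original e-mail.  It models only the
syntax that appears in the quoted rule set so the policy can be checked
against sample packets offline.  The sample packets are constructed for
the example; the internal host addresses are the ones given in the post.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# The rules exactly as listed in the post.
RULES_TEXT = """
00510 allow tcp from 192.168.1.10 to any 80 via dc0
00520 allow udp from 192.168.1.10 to any 80 via dc0
00530 allow tcp from any to 192.168.1.10 80 via ed0
00540 allow udp from any to 192.168.1.10 80 via ed0
00550 allow tcp from any to 192.168.1.10 80 via dc0
00560 allow udp from any to 192.168.1.10 80 via dc0
00570 deny tcp from any to any 80 via dc0
00580 deny udp from any to any 80 via dc0
"""


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                            # "allow" or "deny"
    proto: str                             # "tcp" or "udp"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    dport: Optional[int]                   # None means any destination port
    iface: Optional[str]                   # None means any interface


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str   # interface traversed; ipfw's 'via' matches either direction


def _addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.IPv4Network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'NNNNN action proto from SRC to DST [port] via IFACE'."""
    tok = line.split()
    number, action, proto = int(tok[0]), tok[1], tok[2]
    if action not in ("allow", "deny") or proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported rule: {line!r}")
    if tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule: {line!r}")
    src, dst = _addr(tok[4]), _addr(tok[6])
    rest = tok[7:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    iface = None
    if rest and rest[0] == "via":
        iface = rest[1]
        rest = rest[2:]
    if rest:
        raise ValueError(f"unsupported trailing tokens in {line!r}")
    return Rule(number, action, proto, src, dst, dport, iface)


def load_rules(text: str = RULES_TEXT) -> list[Rule]:
    """ipfw evaluates rules in ascending rule-number order."""
    return sorted((parse_rule(ln) for ln in text.strip().splitlines()),
                  key=lambda r: r.number)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """First matching rule wins.  A packet nothing matches falls through to
    ipfw's default rule 65535, whose verdict depends on the kernel config,
    so it is reported here as 'default' rather than guessed."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.number
    return "default", None


# Constructed sample packets for the topology described in the post.
SAMPLES = {
    "user_pc_direct_web":    Packet("tcp", "192.168.1.150", "203.0.113.5", 80, "dc0"),
    "proxy_to_web":          Packet("tcp", "192.168.1.10", "203.0.113.5", 80, "dc0"),
    "internet_to_webserver": Packet("tcp", "198.51.100.7", "192.168.1.10", 80, "ed0"),
    "user_pc_https":         Packet("tcp", "192.168.1.150", "203.0.113.5", 443, "dc0"),
}


def check_policy(rules: Optional[list[Rule]] = None) -> dict[str, tuple[str, Optional[int]]]:
    rules = rules if rules is not None else load_rules()
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, num) in check_policy().items():
        print(f"{name:24s} -> {verdict} (rule {num})")
```

Running it confirms the stated policy for port 80: the proxy reaches the outside (rule 510), a user PC going direct is stopped by 570, and inbound web traffic arriving on ed0 is allowed by 530. It also makes visible that the quoted rules decide only port 80 traffic, so the HTTPS sample is left to whatever rules follow these in the full set.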