From: Doug Poland
To: questions@freebsd.org
Date: Mon, 28 Jan 2002 00:28:21 -0600
Subject: optimize ipfw rules
Message-ID: <20020128002821.A14917@polands.org>

I'm fairly new with ipfw rules and was wondering if there is a better way to achieve my goal. My network is as follows:

192.168.1.1: gateway/natd (dc0 inside iface, ed0 outside iface)
192.168.1.10: squidGuard proxy and apache http server
192.168.1.100-200: user PCs

What I want is the gateway to accept http requests from the proxy only on the internal network. This will prevent users from circumventing the content filter from SquidGuard. In addition, I want the outside world to see through my firewall to the http server on 192.168.1.10.

So I've got the following configuration working but was wondering if there's a better way to write the rules, i.e.:

fw# cat /etc/natd.conf
dynamic yes
use_sockets yes
same_ports yes
log yes
redirect_port tcp 192.168.1.10:80 80

00510 allow tcp from 192.168.1.10 to any 80 via dc0
00520 allow udp from 192.168.1.10 to any 80 via dc0
00530 allow tcp from any to 192.168.1.10 80 via ed0
00540 allow udp from any to 192.168.1.10 80 via ed0
00550 allow tcp from any to 192.168.1.10 80 via dc0
00560 allow udp from any to 192.168.1.10 80 via dc0
00570 deny tcp from any to any 80 via dc0
00580 deny udp from any to any 80 via dc0

--
Regards,
Doug
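As an added illustration, not part of the post above, here is a constructed Python model of ipfw's first-match evaluation over the eight rules quoted, showing which rule each kind of packet hits (proxy fetching a page, a user PC going direct to port 80, an outside client after natd's redirect_port). It assumes the divert rule for natd and any rules before 510 sit earlier in the ruleset, and that the default rule 65535 is deny; the sample packets and addresses are constructed.

```python
"""Constructed first-match model of the ipfw rules quoted in the post.

Not real ipfw: it reproduces only the proto / src / dst / port / via
matching needed to see which rule a packet hits.  ipfw's `via X` matches
packets in either direction on interface X, which is why a redirected
outside request is seen once on ed0 (rule 530) and again leaving on dc0
(rule 550).  Rules before 510 (divert to natd etc.) are not modelled, and
the default rule is assumed to be deny.
"""
from ipaddress import ip_address, ip_network

# (number, action, proto, src, dst, dst_port or None, interface), as posted
RULES = [
    (510, "allow", "tcp", "192.168.1.10", "any", 80, "dc0"),
    (520, "allow", "udp", "192.168.1.10", "any", 80, "dc0"),
    (530, "allow", "tcp", "any", "192.168.1.10", 80, "ed0"),
    (540, "allow", "udp", "any", "192.168.1.10", 80, "ed0"),
    (550, "allow", "tcp", "any", "192.168.1.10", 80, "dc0"),
    (560, "allow", "udp", "any", "192.168.1.10", 80, "dc0"),
    (570, "deny", "tcp", "any", "any", 80, "dc0"),
    (580, "deny", "udp", "any", "any", 80, "dc0"),
]
DEFAULT_RULE = (65535, "deny")  # assumption: kernel default is deny


def addr_matches(spec, addr):
    """'any' matches everything; otherwise a host or CIDR spec."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(proto, src, dst, dport, iface, rules=RULES):
    """Return (rule_number, action) of the first rule matching the packet."""
    for num, action, r_proto, r_src, r_dst, r_port, r_via in rules:
        if r_proto != proto or r_via != iface:
            continue
        if not (addr_matches(r_src, src) and addr_matches(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return num, action
    return DEFAULT_RULE


if __name__ == "__main__":
    # Constructed packets: (description, proto, src, dst, dport, iface)
    packets = [
        ("proxy fetching a page for a user", "tcp", "192.168.1.10", "198.51.100.7", 80, "dc0"),
        ("user PC going to port 80 directly", "tcp", "192.168.1.150", "198.51.100.7", 80, "dc0"),
        ("outside client, after natd redirect_port", "tcp", "203.0.113.9", "192.168.1.10", 80, "ed0"),
        ("same request leaving toward the server", "tcp", "203.0.113.9", "192.168.1.10", 80, "dc0"),
        ("user PC to an https site (no rule shown)", "tcp", "192.168.1.150", "198.51.100.7", 443, "dc0"),
    ]
    for desc, *pkt in packets:
        num, action = evaluate(*pkt)
        print(f"{desc:42s} -> rule {num:5d} {action}")
```

Packets that match none of the eight rules (the https case) fall through to whatever the rest of the ruleset says, and the excerpt does not show that part; the same goes for the reply half of the proxy's own connections, which these rules do not cover on their own.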