Date:      Tue, 9 Mar 2004 10:18:32 -0000
From:      "Henry Blackman" <h.blackman@chester.ac.uk>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Captive Portal Help
Message-ID:  <009e01c405bf$e04e5960$13c150c2@chester.ac.uk>

Hello.

I run a residential network at Chester College for students who live on
campus.  We use FreeBSD 4.9 to do NAT to manage the network and the
authentication with captive portal type technologies.

My problem is that currently the "firewall" is open by default, so
we're getting lots of MPAA notices because our students are sharing with
Kazaa(!).  What I want to do is close it to allow only web, MSN, AIM, RTSP
and a few other things so we can really clamp down on their activities.

The problem, however, is that I have rules that work for our captive
portal, but I'm clueless as to how to get them to disallow all other traffic.
I've included them here, but does anyone have any idea how to change them to
disallow everything other than known ports?

00050  divert 8668 ip from any to any via em0
00100  allow ip from any to any via lo0
00200  deny ip from any to 127.0.0.0/8
00300  deny ip from 127.0.0.0/8 to any
00398  allow icmp from any to 194.80.193.232
00399  allow icmp from 194.80.193.232 to any
00400  deny icmp from any to any

Every student (that is authorised) has an entry like this:
49998  skipto 64998 ip from 172.16.122.187 to any

Then these lines to deal with forcing web traffic through dansguardian (and
squid):
64993  fwd 172.16.120.1,8080 tcp from 172.16.120.0/22 to any 80,8080
64994  fwd 172.16.120.1,443 tcp from 172.16.120.0/22 to any 443
64995  allow tcp from 172.16.120.0/22 to 172.16.120.0/22 8080
64996  allow udp from 172.16.120.0/22 to any 53
64997  deny ip from 172.16.120.0/22 to any
64998  allow tcp from 195.195.128.195 to any
64999  fwd 127.0.0.1,8082 log logamount 100 tcp from any to any 80
65000  allow ip from any to any
65535  deny ip from any to any

Does anyone know how I might change the rules so that, instead of allowing ip
from any to any, they deny ip from any to any, excepting the rules I put in
for the ports of the above services?  I've tried deleting 65000 and adding
specific rules with appropriate ports, but then nothing works.

TIA,
Henry



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?009e01c405bf$e04e5960$13c150c2>
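A worked comparison, added here as an example and not part of Henry's message or of any reply in the thread: a small Python evaluator for the ipfw rule subset used above, run over the posted ruleset, over the edit the message describes (65000 deleted, per-port allows added) and over a default-deny rewrite. Its model makes assumptions the message does not state: that the inside interface is em1, that 195.195.128.195 (rule 64998) is the gateway's public address that natd substitutes for a student's source on the outbound em0 pass, and that `fwd` ends a rule walk the way `allow` does. The point it makes is why "nothing works" after deleting 65000: a forwarded packet traverses the rules twice, and on the second pass its source is no longer the student's 172.16 address, so per-student port rules do not match it; replies from the Internet never match them either. The 198.51.100.x addresses and the port numbers in the sample packets are constructed for the example.

```python
"""Added example, not code from the original post or from FreeBSD: a first-match
evaluator for the ipfw(8) subset used above, to compare the open ruleset, the
edit the post says was tried (drop 65000, add port rules) and a default-deny
rewrite on sample packets.  Model assumptions: the inside interface is em1 (the
post names only em0); a forwarded packet walks the rules once per interface, and
on the outbound em0 walk 'divert' stands in for natd, rewriting the source to
195.195.128.195 (rule 64998 suggests that is the gateway's public address);
inbound packets are given as natd leaves them, addressed to the student; 'fwd'
ends a walk like allow; 'established' means TCP with the ACK flag set."""
import ipaddress
from dataclasses import dataclass, replace
PUBLIC, INSIDE = "195.195.128.195", "em1"        # assumptions, see docstring

@dataclass
class Packet:
    proto: str; src: str; dst: str; sport: int = 0; dport: int = 0
    ack: bool = False; iface: str = INSIDE; direction: str = "in"

def _net(tok): return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok)

def parse_rule(line):
    t = line.split("#")[0].split()
    r = {"num": int(t[0]), "action": t[1], "arg": None, "sports": None, "dports": None,
         "via": t[t.index("via") + 1] if "via" in t else None, "established": "established" in t}
    i = 2
    if r["action"] in ("skipto", "divert", "fwd"):
        r["arg"], i = t[i], i + 1
    while t[i] in ("log", "logamount"):          # e.g. 'fwd X log logamount 100 tcp ...'
        i += 2 if t[i] == "logamount" else 1
    r["proto"], i = t[i], i + 1
    r["src"], i = _net(t[i + 1]), i + 2          # t[i] == "from"
    if t[i] != "to":                             # optional source port list
        r["sports"], i = {int(x) for x in t[i].split(",")}, i + 1
    r["dst"], i = _net(t[i + 1]), i + 2          # t[i] == "to"
    if i < len(t) and t[i][0].isdigit():         # optional destination port list
        r["dports"] = {int(x) for x in t[i].split(",")}
    return r

def matches(r, p):
    return (r["proto"] in ("ip", p.proto) and (r["via"] is None or r["via"] == p.iface)
            and ipaddress.ip_address(p.src) in r["src"]
            and ipaddress.ip_address(p.dst) in r["dst"]
            and (r["sports"] is None or p.sport in r["sports"])
            and (r["dports"] is None or p.dport in r["dports"])
            and (not r["established"] or (p.proto == "tcp" and p.ack)))

def one_pass(rules, p):
    """One first-match walk: (verdict, rule number, packet as natd left it)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, p):
            if r["action"] in ("allow", "fwd", "deny"):
                return r["action"], r["num"], p
            if r["action"] == "skipto":
                i = next(j for j, x in enumerate(rules) if x["num"] >= int(r["arg"]))
                continue
            if p.direction == "out":             # divert: natd rewrites the source
                p = replace(p, src=PUBLIC)
        i += 1
    return "deny", 65535, p                      # ipfw's implicit default rule

def transit(ruleset, p, inbound=False):
    """Both walks a forwarded packet sees; deny or fwd on the first walk ends it."""
    lines = [l for l in ruleset.splitlines() if l.split("#")[0].strip()]
    rules = sorted(map(parse_rule, lines), key=lambda r: r["num"])
    hops = [("em0", "in"), (INSIDE, "out")] if inbound else [(INSIDE, "in"), ("em0", "out")]
    for iface, direction in hops:
        verdict, num, p = one_pass(rules, replace(p, iface=iface, direction=direction))
        if verdict != "allow":
            break
    return verdict, num

# The post's ruleset; rules 100-400 (loopback, ICMP) and the implicit 65535 omitted.
ORIGINAL = """
00050 divert 8668 ip from any to any via em0
49998 skipto 64998 ip from 172.16.122.187 to any
64993 fwd 172.16.120.1,8080 tcp from 172.16.120.0/22 to any 80,8080
64994 fwd 172.16.120.1,443 tcp from 172.16.120.0/22 to any 443
64995 allow tcp from 172.16.120.0/22 to 172.16.120.0/22 8080
64996 allow udp from 172.16.120.0/22 to any 53
64997 deny ip from 172.16.120.0/22 to any
64998 allow tcp from 195.195.128.195 to any
64999 fwd 127.0.0.1,8082 log logamount 100 tcp from any to any 80
65000 allow ip from any to any
"""
# What the post says was tried: 65000 replaced by per-port allows, nothing else.
NAIVE = ORIGINAL.replace("65000 allow ip from any to any", """
65000 allow tcp from 172.16.120.0/22 to any 443
65001 allow udp from 172.16.120.0/22 to any 53""")
# Default deny: replies and the post-natd walk need rules of their own.
HARDENED = ORIGINAL.replace("65000 allow ip from any to any", """
00500 allow tcp from any to 172.16.120.0/22 established   # replies to students
00510 allow udp from any 53 to 172.16.120.0/22            # DNS replies to students
65000 allow tcp from 172.16.120.0/22 to any 443           # HTTPS; MSN/AIM/RTSP go in alike
65001 allow udp from 172.16.120.0/22 to any 53            # DNS, inside walk
65002 allow udp from 195.195.128.195 to any 53            # the same query after natd
65003 deny log ip from any to any                         # explicit default""")
```

Under NAIVE an outbound DNS query is accepted by 65001 on the inside walk and then dropped by the default rule on the em0 walk, where its source is already the public address, and a reply to a student's HTTPS session is dropped the same way; that is the "nothing works" symptom. Under HARDENED the query passes 65001 and then 65002, the reply passes rule 500, and both an outbound connection to an arbitrary port and an unsolicited inbound one end at 65003. Each line translates directly into `ipfw add <number> <rest of line>`. Two caveats for the real box: `established` only tests for the ACK flag and keeps no state, so ipfw's `check-state`/`keep-state` are the stronger tool, but a dynamic rule is keyed on whatever addresses the packet carries when it matches, which with natd differs on either side of rule 50, so where `check-state` sits relative to the divert matters; and the reply rules for source port 53 should stay restricted to inside destinations as above, since anything on the Internet can send from port 53.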