From: David Banning
To: Ara, questions@freebsd.org
Date: Sun, 7 Nov 2004 19:15:21 -0500
Subject: Re: ipfw allowing browser only
Message-ID: <20041108001519.GB73403@skytrackercanada.com>
In-Reply-To: <200411071919.iA7JJN0i011013@3s1.com>
List: freebsd-questions@freebsd.org (received Mon, 8 Nov 2004 00:15:58 +0000)

> Hello
> You only need tcp 80 on regular http and 443 for ssl, https
> I don't get what exactly are you trying to do? Are you publishing a web
> server to external clients behind a firewall? Any diagram text would be nice

This is simply to block all on the network from using any port except 80.
I want to block Messenger. If it starts running on port 80 then I am told
I can block it via squid/dansguardian.

Internet <> router server client winbox (192.168.1.6)

> Internet <> router (192.168.1.6) <> webserver(192.168.1.1)
> Is this right?

Yes.

> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of David Banning
> > Sent: November 7, 2004 1:57 PM
> > To: questions@freebsd.org
> > Subject: ipfw allowing browser only
> >
> > I am trying to filter out all traffic except browser traffic.
> > So I tried
> >
> > 01000 allow tcp from any to 192.168.1.6 80
> > 01100 allow udp from any to 192.168.1.6 80
> > 01200 deny ip from any to 192.168.1.6
> > 65535 allow ip from any to any
> >
> > But this does not allow browser traffic.
> >
> > I have my browser traffic redirected via ipnat - ipnat rules are:
> >
> > rdr dc0 127.0.0.1/0 port 80 -> 192.168.1.1 port 8180 tcp
> >
> > I don't know what comes first, the redirect or the firewall, so maybe
> > I should be allowing traffic to 8180?
> >
> > My host is 192.168.1.1 and the win browser is at 192.168.1.6
> >
> > Any help here would be appreciated.
> >
> > --
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >
> > --
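An added example, not part of the thread above and not code from either poster: a small sh script that generates an ipfw ruleset for the "browser only" goal. It fixes the two things a reviewer would flag in the posted rules. First, the client initiates connections, so the port belongs on the destination side ("from 192.168.1.6 to any 80,443"), not on the client's own address, and HTTP is TCP only, so a udp port-80 rule matches nothing useful. Second, the ipnat rdr rewrites port 80 to 192.168.1.1:8180, and the ruleset does not need to know whether NAT or ipfw runs first because it permits both the pre-rewrite and post-rewrite destinations. Assumptions not in the post: DNS (udp 53) is allowed because browsing cannot work without it, the rules are stateful (setup/keep-state/check-state), and setting IPFW=echo prints the rules instead of loading them so the script can be reviewed on any machine.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit an ipfw ruleset that
# lets one Windows client reach only web ports through the FreeBSD host.
# Set IPFW=echo to print the rules instead of loading them (dry run).

IPFW="${IPFW:-ipfw}"
CLIENT="192.168.1.6"      # the Windows browser box from the post
HOST="192.168.1.1"        # the FreeBSD host running ipfw and ipnat
PROXY_PORT="8180"         # where the rdr in the post delivers port-80 traffic (assumed transparent proxy)

# Emit one "ipfw add ..." line; with IPFW=echo this only prints it.
rule() {
    "$IPFW" add "$@"
}

build_web_only_ruleset() {
    # Let replies to dynamically tracked sessions through first.
    rule 01000 check-state
    # Post-rewrite destination: if ipnat's rdr runs before ipfw, the packet
    # ipfw sees is addressed to HOST:PROXY_PORT, so permit that explicitly.
    rule 01100 allow tcp from "$CLIENT" to "$HOST" "$PROXY_PORT" setup keep-state
    # Pre-rewrite destination: the client connects TO remote port 80/443,
    # so the port goes on the "to" side, not on the client address.
    rule 01200 allow tcp from "$CLIENT" to any 80,443 setup keep-state
    # Name resolution is required for browsing (assumption: allow it).
    rule 01300 allow udp from "$CLIENT" to any 53 keep-state
    # Everything else from or to the client is dropped and logged.
    rule 01400 deny log ip from "$CLIENT" to any
    rule 01500 deny log ip from any to "$CLIENT"
}

# Dry-run view of the ruleset (one rule per line, never touches ipfw).
ruleset_text() {
    ( IPFW=echo; build_web_only_ruleset )
}

# Sanity check: every allow must carry a lower number than the first deny,
# otherwise the deny shadows it. Returns 0 when the ordering is correct.
allows_precede_denies() {
    first_deny=$(ruleset_text | awk '$3=="deny"{print $2; exit}')
    ruleset_text | awk -v d="$first_deny" \
        '$3=="allow" && $2+0 >= d+0 {bad=1} END{exit bad}'
}

# Usage: PRINT_ONLY=1 sh web_only.sh   (review the rules)
#        sh web_only.sh                 (load them with the real ipfw, as root)
if [ -n "${PRINT_ONLY:-}" ]; then
    ruleset_text
else
    build_web_only_ruleset
fi
```

The default rule 65535 from the post is left alone; the client-specific denies at 01400/01500 are what enforce the policy, and `deny log` only produces log lines when net.inet.ip.fw.verbose is enabled. Messenger switching to port 80 is, as the post says, a job for the proxy rather than a port filter.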