From owner-freebsd-questions@FreeBSD.ORG Tue Sep 14 04:52:20 2004
Date: Tue, 14 Sep 2004 10:22:16 +0530
From: Subhro
To: JP
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20040913232615.26445.qmail@web40102.mail.yahoo.com>
Subject: Re: Configuring IPFW (Firewall) and Proxy/Nylon, Help Please

Hello,

On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP wrote:
> Hello There,
>
> I currently am running 5.2.1-Release which is configured as a gateway
> with kernel firewall support. I have installed Squid (Proxy) and Nylon
> (SOCKS) which seem to be configured fine. However, I need help in getting
> all http/https traffic to only route to the proxy (Port 3128) and all
> other traffic to point to nylon (Port 1080). This way the proxy and socks
> server cannot be circumvented. Could someone please suggest some tips or
> a website? I am using the standard rc.firewall configuration.

http runs on port 80 by default and https on port 443, so you can divert
incoming traffic on ports 80 and 443 to port 3128. And do not forget to
save the states for the incoming traffic or the reply traffic won't get
through. For the latter section you can set up a default divert for
everything to port 1080.

> Thanks!

You are welcome.

> Below is my rc.conf file:
>
> ---------------
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
<<--- you need to remove this and make this point to your firewall ruleset file
> natd_enable="YES"
<<--- You need to comment this out because if natd is running the clients can anyway get through the NAT and avoid the proxy.
> natd_interface="ed0"
> #natd_flags="-f /etc/natd.conf"
> hostname="******"
> ifconfig_ed0="DHCP"
> inetd_enable="YES"
> keyrate="fast"
> sshd_enable="YES"
> usbd_enable="YES"
> ifconfig_dc0="inet 192.168.1.254 netmask 255.255.255.0"
> defaultrouter="192.168.1.254"

Regards
S.

-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
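The ruleset below is an added example written for this page; it is not code from the thread, from Subhro, or from the FreeBSD rc.firewall script. It assumes JP's layout from the rc.conf above (ed0 outside on DHCP, dc0 inside as 192.168.1.254/24), Squid listening on TCP 3128 in transparent-accelerator mode (httpd_accel_host virtual, httpd_accel_uses_host_header on), Nylon on TCP 1080, a kernel built with "options IPFIREWALL_FORWARD", and, hypothetically, a resolver on the gateway for the DNS rule. Two practical points shape it. The ipfw action that hands a packet to a local daemon is "fwd", not "divert" (divert feeds a divert socket such as natd's), and fwd leaves the destination address untouched, so Squid's replies leave dc0 from the original server address and need their own allow rule. HTTPS cannot be intercepted this way, since Squid's http_port does not speak TLS, and a SOCKS server expects the SOCKS handshake rather than raw TCP, so neither 443 nor "everything else" is forwarded: those flows are only allowed when clients connect to the gateway's 3128 or 1080 explicitly, and anything else from the LAN is denied and logged, which with natd disabled is what actually stops the bypass.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed: ed0 outside (DHCP),
# dc0 inside at 192.168.1.254/24, Squid on TCP 3128 (transparent accelerator),
# Nylon on TCP 1080, kernel with "options IPFIREWALL_FORWARD" for "fwd".
# Run as "apply" to load the rules; "dry-run" (the default) only prints them.

IPFW="${IPFW:-/sbin/ipfw -q}"   # set IPFW=echo to print instead of load
oif=ed0                         # outside (DHCP) interface
iif=dc0                         # LAN interface
lan=192.168.1.0/24
gw=192.168.1.254

fw() { $IPFW "$@"; }

install_rules() {
    fw -f flush
    # Loopback: Squid and Nylon talk to local sockets over lo0.
    fw add 100 allow ip from any to any via lo0
    fw add 110 deny ip from any to 127.0.0.0/8
    fw add 120 deny ip from 127.0.0.0/8 to any
    # Later packets of flows accepted with keep-state pass here.
    fw add 200 check-state
    # LAN port-80 traffic is handed to Squid without NAT; the packet keeps its
    # original destination and Squid takes the real target from the Host header.
    fw add 300 fwd 127.0.0.1,3128 tcp from $lan to any 80 in via $iif
    # Squid's replies to forwarded connections leave dc0 from the original
    # server address on port 80, so they need an explicit allow.
    fw add 305 allow tcp from any 80 to $lan out via $iif established
    # Clients configured explicitly for the proxy (the only way HTTPS reaches
    # Squid: CONNECT on 3128) and socksified clients talking to Nylon.
    fw add 310 allow tcp from $lan to $gw 3128,1080 in via $iif setup keep-state
    # Hypothetical resolver on the gateway, plus SSH to it, for the LAN.
    fw add 320 allow udp from $lan to $gw 53 in via $iif keep-state
    fw add 330 allow tcp from $lan to $gw 22 in via $iif setup keep-state
    # Everything else from the LAN is dropped and logged: with natd disabled
    # there is no path around the proxies, and the log shows who is trying.
    fw add 400 deny log ip from $lan to any in via $iif
    # The gateway's own connections (Squid and Nylon fetching for clients).
    fw add 500 allow tcp from me to any out via $oif setup keep-state
    fw add 510 allow udp from me to any out via $oif keep-state
    # DHCP client on the outside interface and basic ICMP.
    fw add 520 allow udp from any 68 to any 67 out via $oif
    fw add 530 allow udp from any 67 to any 68 in via $oif
    fw add 540 allow icmp from any to any icmptypes 0,3,8,11
    fw add 65000 deny log ip from any to any
}

case "${1:-dry-run}" in
    apply)   install_rules ;;
    dry-run) ( IPFW=echo; install_rules ) ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

Check the dry-run output before loading it on a box you reach over SSH: rule 330 is what keeps your own session alive once the LAN catch-all at 400 is in place, and rc.conf's firewall_type should point at a file of these "add ..." lines (or firewall_script at this script) instead of "OPEN".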