From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 13:01:00 2010
From: Tony <rigstars@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 9 Sep 2010 09:00:59 -0400
Subject: Please convert the equivalent of these rules into IPFW
List-Id: IPFW Technical Discussions

Can someone please convert these iptables rules into IPFW?

# Allow Squid outbound access on port 8080 (Dansguardian)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT

# Allow Squid outbound access on port 80
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT

# Don't redirect root on port 80
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT

# Don't redirect root on port 3128 (Squid)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT

# Redirect all requests on port 80 to 8080 (Dansguardian)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

# Accept requests on port 3128 from nobody (Dansguardian user)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT

# Redirect all other requests on port 3128 to 8080 to prevent users from getting
# around Dansguardian by going directly to Squid
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080

# Delete the NOTRACK rule that SuSEfirewall2 adds to the raw table of the OUTPUT chain
iptables -t raw -D OUTPUT -o lo -j NOTRACK
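An ipfw translation of the posted rule set, added here as a worked example (it is not from the original post or from the FreeBSD project). It assumes ipfw with fwd support (the IPFIREWALL_FORWARD kernel option on older releases), Dansguardian listening on 127.0.0.1:8080 as user nobody, Squid on 3128, and rule numbers 1000 to 1100 being unused; skipto stands in for the nat-table ACCEPT so that filter rules numbered above the block still see the traffic, and the Linux-only NOTRACK deletion has no ipfw counterpart and is dropped.

```shell
#!/bin/sh
# Constructed ipfw equivalent of the posted iptables nat/OUTPUT rules (added
# example, not from the original post). Assumptions: ipfw with fwd support,
# Dansguardian on 127.0.0.1:8080 as user "nobody", Squid on 3128, and rule
# numbers BASE..BASE+100 unused on this host.
BASE=1000            # first rule number of the proxy block (assumed free)
PROXY=127.0.0.1      # address Dansguardian listens on
END=$((BASE + 100))  # exempted traffic jumps here, past the redirects

# Print the ipfw rule block on stdout, one "add ..." line per iptables rule.
# ipfw stops at the first terminating action, so the exemptions (skipto) must
# precede the redirects (fwd), in the same order as the iptables rules.
# "uid" replaces "-m owner --uid-owner"; "fwd 127.0.0.1,8080" replaces
# "REDIRECT --to-ports 8080" for locally generated (out) packets.
# The SuSEfirewall2 NOTRACK deletion is Linux-specific and has no equivalent.
proxy_rules() {
    cat <<EOF
add $((BASE + 0)) skipto $END tcp from me to any 8080 out uid squid
add $((BASE + 10)) skipto $END tcp from me to any 80 out uid squid
add $((BASE + 20)) skipto $END tcp from me to any 80 out uid root
add $((BASE + 30)) skipto $END tcp from me to any 3128 out uid root
add $((BASE + 40)) fwd $PROXY,8080 tcp from me to any 80 out
add $((BASE + 50)) skipto $END tcp from me to any 3128 out uid nobody
add $((BASE + 60)) fwd $PROXY,8080 tcp from me to any 3128 out
EOF
}

# Number of rules that redirect into Dansguardian (one for 80, one for 3128).
redirect_count() {
    proxy_rules | grep -c "fwd $PROXY,8080"
}

# Load the block into the running firewall (needs root and ipfw(8)).
apply_rules() {
    proxy_rules | while read -r line; do
        ipfw -q $line   # word splitting is intended: ipfw takes the rule as arguments
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     proxy_rules ;;   # default: print the translation for review
esac
```

Run it without arguments to review the generated rules; `sh script.sh apply` loads them.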