Date: Thu, 9 Sep 2010 09:49:12 -0400
From: Tony <rigstars@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: Re: Please convert the equivalent of these rules into IPFW
Message-ID: <AANLkTiksKsDjmT++9awHcJ7zEYeLCH46DXnoVDVf+Jue@mail.gmail.com>
In-Reply-To: <AANLkTik7cUoYC3fB-a3jKZbpf64ozva3ECusJr5sNxLK@mail.gmail.com>
References: <AANLkTik7cUoYC3fB-a3jKZbpf64ozva3ECusJr5sNxLK@mail.gmail.com>
I tried converting those iptables rules myself. How do they look?

#Allow Squid outbound access on port 8883 (Dansguardian)
ipfw add allow tcp from 192.168.0.154 to any dst-port 8883 out uid squid

#Allow Squid outbound access on port 80
ipfw add allow tcp from 192.168.0.154 to any dst-port 80 out uid squid

#Redirect all requests on port 80 to 8883 (Dansguardian)
ipfw add fwd 127.0.0.1,8883 tcp from not me to any dst-port 80

# Accept requests on port 3333 from nobody (Dansguardian user)
ipfw add allow tcp from 192.168.0.154 to any dst-port 3333 out uid nobody

// this is to allow clients on the same machine to go from browser -> dansguardian -> squid -> internet
// both services are running on the local loopback IP address

On Thu, Sep 9, 2010 at 9:00 AM, Tony <rigstars@gmail.com> wrote:
> Can someone please convert these iptables rules to IPFW?
>
> #Allow Squid outbound access on port 8080 (Dansguardian)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT
>
> # Allow Squid outbound access on port 80
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
>
> # Don't redirect root on port 80
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
>
> # Don't redirect root on port 3128 (Squid)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT
>
> # Redirect all requests on port 80 to 8080 (Dansguardian)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>
> # Accept requests on port 3128 from nobody (Dansguardian user)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT
>
> # Redirect all other requests on port 3128 to 8080 to prevent users from
> getting around Dansguardian by going directly to Squid
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
>
> # Delete the NOTRACK rule that SuSEfirewall2 adds to the raw table of
> the OUTPUT chain
> iptables -t raw -D OUTPUT -o lo -j NOTRACK
>
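As an added illustration, not part of the thread: a small Python converter for the nat/OUTPUT rule shape quoted above, using the same fwd-to-loopback mapping Tony used for REDIRECT. It assumes a kernel with ipfw fwd support (options IPFIREWALL_FORWARD on releases of that era) and anchors each rule with "from me", since the iptables OUTPUT chain only sees locally generated traffic; the rule numbers and the sample rule list are constructed for the example.

```python
import shlex

# Constructed sample: the nat/OUTPUT rules posted in the thread, in the same order.
IPTABLES_RULES = [
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080",
    "iptables -t raw -D OUTPUT -o lo -j NOTRACK",
]

def parse_iptables(line):
    """Return iptables options as a dict (flag -> value, or True for bare flags)."""
    argv = shlex.split(line)[1:]  # drop the 'iptables' command word
    opts, i = {}, 0
    while i < len(argv):
        flag = argv[i]
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        opts[flag] = argv[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def to_ipfw(line, number, accept_action="allow"):
    """Translate one nat/OUTPUT tcp rule into an ipfw rule, or say why it can't be.

    The OUTPUT chain only sees locally generated packets, so the ipfw rule is
    anchored with 'from me' and 'out'. REDIRECT to a local port becomes
    'fwd 127.0.0.1,port' (the mapping used in the thread). Caveat: ipfw 'allow'
    ends rule processing for the packet, whereas iptables ACCEPT in the nat table
    only skips the rest of that table; if later ipfw rules must still filter this
    traffic, pass accept_action="skipto <number of the rule after the fwd rules>".
    """
    o = parse_iptables(line)
    if (o.get("-t"), o.get("-A"), o.get("-p")) != ("nat", "OUTPUT", "tcp"):
        return f"# no ipfw equivalent (not a nat/OUTPUT tcp rule): {line}"
    match = f"tcp from me to any dst-port {o['--dport']} out"
    if "--uid-owner" in o:
        match += f" uid {o['--uid-owner']}"
    if o.get("-j") == "ACCEPT":
        return f"ipfw add {number} {accept_action} {match}"
    if o.get("-j") == "REDIRECT":
        return f"ipfw add {number} fwd 127.0.0.1,{o['--to-ports']} {match}"
    return f"# unsupported target {o.get('-j')}: {line}"

def convert(rules, accept_action="allow", start=100, step=100):
    """Convert a whole list, numbering rules explicitly so iptables order is kept."""
    return [to_ipfw(r, start + i * step, accept_action) for i, r in enumerate(rules)]

if __name__ == "__main__":
    print("\n".join(convert(IPTABLES_RULES)))
```

The NOTRACK rule is reported rather than translated because ipfw has no conntrack table to bypass.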