From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 13:49:13 2010
From: Tony
To: freebsd-ipfw@freebsd.org
Date: Thu, 9 Sep 2010 09:49:12 -0400
Subject: Re: Please convert the equivalent of these rules into IPFW
List-Id: IPFW Technical Discussions
I tried converting those iptables rules myself. How do they look?

#Allow Squid outbound access on port 8883 (Dansguardian)
ipfw add allow tcp from 192.168.0.154 to any dst-port 8883 out uid squid

#Allow Squid outbound access on port 80
ipfw add allow tcp from 192.168.0.154 to any dst-port 80 out uid squid

#Redirect all requests on port 80 to 8883 (Dansguardian)
ipfw add fwd 127.0.0.1,8883 tcp from not me to any dst-port 80

# Accept requests on port 3333 from nobody (Dansguardian user)
ipfw add allow tcp from 192.168.0.154 to any dst-port 3333 out uid nobody

//this is to allow clients on the same machine to go from browser->dansguardian->squid->internet
//both services are running on the local loopback ip address

On Thu, Sep 9, 2010 at 9:00 AM, Tony wrote:
> Can someone please convert these iptables rules into IPFW
>
> #Allow Squid outbound access on port 8080 (Dansguardian)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT
>
> # Allow Squid outbound access on port 80
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
>
> # Don't redirect root on port 80
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
>
> # Don't redirect root on port 3128 (Squid)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT
>
> # Redirect all requests on port 80 to 8080 (Dansguardian)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>
> # Accept requests on port 3128 from nobody (Dansguardian user)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT
>
> # Redirect all other requests on port 3128 to 8080 to prevent users from
> getting around Dansguardian by going directly to Squid
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
>
> # Delete the NOTRACK rule that SuSEfirewall2 adds to the raw table of
> the OUTPUT chain
> iptables -t raw -D OUTPUT -o lo -j NOTRACK
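A small translator for the iptables nat/OUTPUT rules quoted above, added here as an example and not code from the thread. It mirrors the mapping used in the reply (ACCEPT with an owner match becomes an ipfw allow ... out uid, REDIRECT becomes fwd 127.0.0.1,port) and assumes "from me ... out" as the ipfw approximation of the OUTPUT chain's locally generated traffic; the regex and the numbering scheme are constructed here. Order matters because an ipfw allow ends rule processing for that packet, so the owner-specific allow rules must precede the fwd rules, and the raw-table NOTRACK deletion has no ipfw counterpart.

```python
import re

# Pattern for the iptables nat/OUTPUT rules quoted in the thread (constructed here).
RULE_RE = re.compile(
    r"iptables -t nat -A OUTPUT -p tcp -m tcp --dport (?P<dport>\d+)"
    r"(?: -m owner --uid-owner (?P<uid>\S+))?"
    r" -j (?P<target>ACCEPT|REDIRECT)(?: --to-ports (?P<to>\d+))?$"
)


def translate(rule):
    """Return the ipfw rule body for one iptables rule, or None if it has no equivalent."""
    m = RULE_RE.search(rule.strip())
    if not m:
        return None  # e.g. the raw-table NOTRACK deletion: no ipfw counterpart
    dport, uid, target, to = m.group("dport", "uid", "target", "to")
    if target == "ACCEPT" and uid:
        # nat/OUTPUT ACCEPT only stops NAT processing; an ipfw allow placed
        # before the fwd rule likewise skips the redirect (but also skips
        # later filter rules, so keep this rule set in front of them).
        return f"allow tcp from me to any dst-port {dport} out uid {uid}"
    if target == "REDIRECT" and to:
        # REDIRECT to a local port -> fwd to loopback, matching the original dst-port.
        return f"fwd 127.0.0.1,{to} tcp from me to any dst-port {dport} out"
    return None


def translate_ruleset(rules, first=1000, step=10):
    """Translate an ordered list of iptables rules into numbered 'ipfw add' lines,
    preserving order; untranslatable rules become a comment line."""
    out = []
    for i, rule in enumerate(rules):
        body = translate(rule)
        if body is None:
            out.append(f"# no ipfw equivalent: {rule.strip()}")
        else:
            out.append(f"ipfw add {first + i * step} {body}")
    return out


# Constructed sample: the rules from the original post, one per line.
SAMPLE_RULES = [
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT",
    "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080",
    "iptables -t raw -D OUTPUT -o lo -j NOTRACK",
]

if __name__ == "__main__":
    print("\n".join(translate_ruleset(SAMPLE_RULES)))
```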