Date:      Mon, 16 Nov 2009 22:54:41 -0600
From:      "Rakort" <rakort@charter.net>
To:        <freebsd-ipfw@freebsd.org>
Subject:   dansguardian, ipfw, nat question
Message-ID:  <000501ca6742$1874a300$495de900$@net>

Hello all,

Trying to configure my gateway box running FBSD 7.2 to provide content
filtering services for some or all clients on my network.

The box is configured with natd and running IPFW.  I like this combination
and have been using it successfully for years.  Not really interested in
changing to squid or pf or whatever else may be known (or better documented)
to work with dansguardian.

Dansguardian seems to be the preferred option for content filtering as near
as I can tell.  There is lots of documentation out there for configuring
dans with squid.  I can't find much of anything for IPFW / NAT.

So, the question is, can this be done?  I've seen one or two suggestions out
there giving a brief description of how to use the fwd command to send
packets to dans but unfortunately I am not smart enough to implement that
here.

Any help, thoughts, or references would be appreciated.

Thanks,

Brian

Here is a boiled down set of rules that I use:

 

#!/bin/sh

cmd="ipfw add"
skip="skipto 700"
oif=dc0
iif=re0
log="log logamount 1000"
ks="keep-state"

ipfw -f flush

$cmd 098 allow all from any to any via $iif    # Allow LAN traffic
$cmd 099 allow all from any to any via lo0     # Allow loopback traffic

$cmd 105 divert natd all from any to any in via $oif    # check if packet is inbound and nat address if it is
$cmd 110 check-state    # Allow packet if it has previously been added to the "dynamic" rules table

### Authorized icmp / udp outbound packets
$cmd 200 $skip      icmp from any to any             out via $oif $ks    # ping
$cmd 201 $skip      udp  from any to any 123         out via $oif $ks    # time
$cmd 203 $skip $log udp  from any to xx.xxx.xx.1 67  out via $oif $ks    # DHCP
$cmd 205 $skip      udp  from any to any 53          out via $oif $ks    # DNS

### Authorized tcp outbound packets
$cmd 301 $skip      tcp from any to any 25   out via $oif setup $ks    # mail
$cmd 303 $skip $log tcp from any to any 43   out via $oif setup $ks    # whois
$cmd 305 $skip      tcp from any to any 80   out via $oif setup $ks    # http
$cmd 306 $skip      tcp from any to any 110  out via $oif setup $ks    # mail
$cmd 307 $skip      tcp from any to any 119  out via $oif setup $ks    # USENET
$cmd 308 $skip      tcp from any to any 443  out via $oif setup $ks    # Secure http
$cmd 310 $skip $log tcp from any to any 23   out via $oif setup $ks    # telnet

### Everything else outbound is dropped and logged
$cmd 351 deny log logamount 10000 all from any to any out via $oif    # everything else

### Allow these incoming connections
$cmd 360 allow $log udp from xx.xxx.xxx.x to any 68 in via $oif $ks    # DHCP
$cmd 363 allow      tcp from any          to me  80 in via $oif setup $ks    # Incoming http connections

### May Consider Allowing these incoming connections
$cmd 396 allow $log tcp  from any to any 113           in via $oif limit src-addr 4    # Ident packets.
$cmd 398 allow $log icmp from any to any icmptype 3,11 in via $oif limit src-addr 2    # Allow out & in console traceroute command

### deny various incoming packets
$cmd 401 deny $log all from 192.168.0.0/16  to any in via $oif    # RFC 1918 private IP
$cmd 402 deny $log all from 172.16.0.0/12   to any in via $oif    # RFC 1918 private IP
$cmd 403 deny $log all from 10.0.0.0/8      to any in via $oif    # RFC 1918 private IP
$cmd 404 deny $log all from 127.0.0.0/8     to any in via $oif    # loopback
$cmd 405 deny $log all from 0.0.0.0/8       to any in via $oif    # loopback
$cmd 406 deny $log all from 169.254.0.0/16  to any in via $oif    # DHCP auto-config
$cmd 407 deny $log all from 192.0.2.0/24    to any in via $oif    # reserved for docs
$cmd 408 deny $log all from 204.152.64.0/23 to any in via $oif    # Sun cluster
$cmd 409 deny $log all from 224.0.0.0/3     to any in via $oif    # Class D & E multicast

### deny various incoming packets
$cmd 448 reset $log tcp  from any to me  113 in via $oif limit src-addr 4    # This sends a RESET to all ident packets.
$cmd 449 deny  $log tcp  from any to any 113 in via $oif                     # Deny ident
$cmd 450 deny  $log icmp from any to any icmptype 5 in via $oif              # Stop & log external redirect requests.
$cmd 451 deny  $log icmp from any to any in via $oif                         # Deny pings from the world
$cmd 452 deny  $log all  from any to any in frag                             # Fragmented Packets
$cmd 453 deny  $log all  from any to any 137,138,139,81 in via $oif          # Deny all Netbios service & MS/Windows hosts2 name server
$cmd 454 deny  $log all  from any to any frag in via $oif                    # Deny any late arriving packets
$cmd 455 deny  $log tcp  from any to any established in via $oif             # Deny ACK packets that did not match the dynamic rule table
$cmd 456 deny  $log all  from me  to me  in via $oif                         # Stop & log spoofing Attack attempts.
$cmd 457 deny       all  from any to any 1024-1030 in via $oif               # MS Messenger spam

### Reject & Log all the rest of the incoming connections
$cmd 600 deny log logamount 10000 all from any to any in via $oif

### deny and log all packets that fell through to see what they are
### Nothing should ever get to this rule!!!
$cmd 601 deny log logamount 10000 all from any to any

### This is skipto location for outbound stateful rules
$cmd 700 divert natd all from any to any out via $oif
$cmd 800 allow all from any to any
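The fwd-based redirect Brian asks about, as an added example that is not part of the original post or of the DansGuardian project. It assumes DansGuardian listens on 127.0.0.1:8080 (its stock filterport) and that the LAN is 192.168.1.0/24; neither value is on the page. The rule numbers 090 and 091 are chosen so the redirect fires before rule 098 (`allow all from any to any via $iif`), which would otherwise accept the LAN packet first; on FreeBSD 7.2 the kernel must be built with `options IPFIREWALL_FORWARD` for a fwd to a local address to take effect. The DRYRUN switch is an addition for review and testing on a box without ipfw.

```shell
#!/bin/sh
# Added example (not from the original post): transparent redirect of LAN
# web traffic into a local DansGuardian with ipfw fwd, next to natd.
# Assumptions (not stated on the page): DansGuardian listens on
# 127.0.0.1:8080 and the LAN prefix is 192.168.1.0/24.

iif=re0                 # inside (LAN) interface, as in the post
dg_addr=127.0.0.1       # where DansGuardian listens (assumption)
dg_port=8080            # its filterport (assumption)
lan=192.168.1.0/24      # LAN prefix (assumption)

# DRYRUN=1 prints the ipfw commands instead of loading them, so the rule
# text can be reviewed (or tested) on a machine without ipfw.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Filter every LAN client: TCP to port 80 arriving on the LAN interface is
# handed to DansGuardian.  "not me" keeps requests aimed at the gateway's
# own web server (rule 363 in the post) out of the redirect.
fwd_all_clients() {
    run ipfw add 090 fwd "$dg_addr,$dg_port" tcp from "$lan" to not me 80 in via "$iif"
}

# Filter only selected clients: keep them in an ipfw lookup table so hosts
# can be added or removed without reloading the whole rule set.
fwd_table_clients() {
    run ipfw table 1 flush
    for host in "$@"; do
        run ipfw table 1 add "$host"
    done
    run ipfw add 091 fwd "$dg_addr,$dg_port" tcp from "table(1)" to not me 80 in via "$iif"
}

# Verification: the packet/byte counters on the fwd rules should climb
# while a filtered client browses; if they stay at zero the rule is being
# shadowed by an earlier allow or the kernel lacks IPFIREWALL_FORWARD.
show_fwd_counters() {
    run ipfw -a list 090 091
}
```

Load it with `fwd_all_clients` (or `fwd_table_clients 192.168.1.10 192.168.1.11`) from the same script that installs the rules above, and confirm with `show_fwd_counters`. Two caveats a practitioner will hit: DansGuardian only relays to an upstream proxy (proxyip/proxyport in dansguardian.conf), so something still has to sit behind it to fetch pages; and the redirect catches plain port-80 HTTP only, so the port-443 traffic rule 308 lets out is not filtered by this approach.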
