Date: Sun, 30 Jan 2000 12:22:19 -0800
From: Heath Chiavettone <heathc@pacbell.net>
To: "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject: FreeBSD firewall and https
Message-ID: <01BF6B1C.A7D873A0.heathc@pacbell.net>
A friend of mine just set up a FreeBSD machine running FreeBSD
2.2.8-RELEASE for me as a firewall/DNS/SMTP/POP/DHCP machine for my little
in-home network. Using a Windows 98 machine behind the firewall I'm
having no problems accessing any website UNTIL I go to one via https.
Then nothing seems to work right (usually I time out when logging in).
It's really frustrating because when I connect the machine directly to the
web, I can log on to these sites no problem. I'm convinced my firewall is
causing my problems, and I'm fairly sure it can be fixed simply with a new
rule (or two) for the firewall. Unfortunately my friend is on a 3-week
vacation and can't help me. Any help/suggestions would be appreciated.
TIA
Heath
Here are the rules extracted from rc.firewall:
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
$fwcmd add 100 divert natd all from any to any via ${natd_interface}
fi
...
$fwcmd add 150 pass all from any to any via lo0
#$fwcmd add 200 deny all from any to 127.0.0.0/8
...
# set these to your outside interface network and netmask and ip
oif="ed0"
onet="216.101.252.0"
omask="255.255.255.0"
oip="216.101.252.???"
# set these to your inside interface network and netmask and ip
iif="ed1"
inet="192.168.10.0"
imask="255.255.255.0"
iip="192.168.10.1"
# Stop spoofing
$fwcmd add 300 deny log all from ${inet}:${imask} to any in via ${oif}
# Begin basic rules
$fwcmd add 500 pass all from ${inet}:${imask} to any via ${iif}
$fwcmd add 550 pass all from ${oip} to any via ${oif}
#allow incoming DNS
$fwcmd add 600 pass udp from any 53 to ${inet}:${imask}
$fwcmd add 620 pass udp from any 53 to ${oip}
$fwcmd add 630 pass udp from any to ${oip} 53
#allow DHCP internally
$fwcmd add 650 pass udp from any 68 to any via ${iif}
# Allow TCP through if setup succeeded
$fwcmd add 700 pass tcp from any to any established
# Allow setup of incoming email
$fwcmd add 1400 pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
$fwcmd add 1500 pass tcp from any to ${oip} 53 setup
# Allow access to our WWW
$fwcmd add 1600 pass tcp from any to ${oip} 80 setup
# Allow access to our WWW and https
$fwcmd add 1650 pass tcp from any to ${oip} 443 setup
# Reject&Log all setup of incoming connections from the outside
$fwcmd add 1700 deny log tcp from any to any in via ${oif} setup
$fwcmd add 65000 deny log all from any to any
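As an added illustration (not part of the message and not FreeBSD's own rc.firewall code), the following Python models ipfw's first-match walk over the rules posted above, with a crude stand-in for natd's address translation, so you can see which rule each packet of an outbound HTTPS connection hits on each interface; the outside address, the inside host and the remote server address are constructed, and the redacted "???" octet is replaced by a made-up one. The last trace shows that inbound ICMP, which none of the posted rules pass, lands on the final deny.

```python
import ipaddress
OIF, IIF = "ed0", "ed1"
OIP = "216.101.252.10"                 # constructed stand-in for the redacted "???"
INET = ipaddress.ip_network("192.168.10.0/24")
def R(num, act, proto="all", src="any", sport=None, dst="any", dport=None,
      d="any", iface=None, opt=None):  # one ipfw rule; d/iface model "in|out via"
    return (num, act, proto, src, sport, dst, dport, d, iface, opt)
RULES = [  # the rc.firewall rules from the message, in ipfw evaluation order
    R(100, "divert", iface=OIF), R(150, "pass", iface="lo0"),
    R(300, "deny", src=INET, d="in", iface=OIF),
    R(500, "pass", src=INET, iface=IIF), R(550, "pass", src=OIP, iface=OIF),
    R(600, "pass", "udp", sport=53, dst=INET), R(620, "pass", "udp", sport=53, dst=OIP),
    R(630, "pass", "udp", dst=OIP, dport=53), R(650, "pass", "udp", sport=68, iface=IIF),
    R(700, "pass", "tcp", opt="established"),
    R(1400, "pass", "tcp", dst=OIP, dport=25, opt="setup"),
    R(1500, "pass", "tcp", dst=OIP, dport=53, opt="setup"),
    R(1600, "pass", "tcp", dst=OIP, dport=80, opt="setup"),
    R(1650, "pass", "tcp", dst=OIP, dport=443, opt="setup"),
    R(1700, "deny", "tcp", d="in", iface=OIF, opt="setup"), R(65000, "deny"),
]
def addr_ok(pat, ip):  # "any", a literal address, or a network pattern
    return pat == "any" or pat == ip or (isinstance(pat, ipaddress.IPv4Network)
                                         and ipaddress.ip_address(ip) in pat)
def matches(rule, p):
    _, _, proto, src, sport, dst, dport, d, iface, opt = rule
    return (proto in ("all", p["proto"]) and addr_ok(src, p["src"]) and addr_ok(dst, p["dst"])
            and sport in (None, p.get("sport")) and dport in (None, p.get("dport"))
            and d in ("any", p["dir"]) and iface in (None, p["iface"])
            and (opt is None or opt in p.get("flags", ())))  # setup / established
NAT = {}  # (proto, port) -> inside host: a crude model of natd's translation table
def natd(p):
    if p["dir"] == "out" and ipaddress.ip_address(p["src"]) in INET:
        NAT[(p["proto"], p.get("sport"))] = p["src"]; p["src"] = OIP
    elif p["dir"] == "in" and p["dst"] == OIP and (p["proto"], p.get("dport")) in NAT:
        p["dst"] = NAT[(p["proto"], p["dport"])]
def first_match(p):
    """First-match walk; a divert hands p to natd and resumes at the next rule."""
    for rule in RULES:
        if matches(rule, p):
            if rule[1] == "divert":
                natd(p); continue
            return rule[0], rule[1], f'{p["src"]}->{p["dst"]}'
if __name__ == "__main__":  # constructed packets of one outbound HTTPS connection
    syn = dict(proto="tcp", src="192.168.10.5", sport=1025, dst="198.51.100.7", dport=443, flags=("setup",))
    print(first_match(dict(syn, iface=IIF, dir="in")), first_match(dict(syn, iface=OIF, dir="out")))
    print(first_match(dict(proto="tcp", src="198.51.100.7", sport=443, dst=OIP, dport=1025,
                           flags=("established",), iface=OIF, dir="in")))
    print(first_match(dict(proto="icmp", src="198.51.100.7", dst=OIP, iface=OIF, dir="in")))
```

Tracing a flow this way makes the default deny's silent catches visible; the same walk over other protocols or ports shows what the rule set never passes.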
