From: Heath Chiavettone
Date: Sun, 30 Jan 2000 12:22:19 -0800
Subject: FreeBSD firewall and https
To: "'freebsd-questions@freebsd.org'"
Message-id: <01BF6B1C.A7D873A0.heathc@pacbell.net>

A friend of mine just set up a FreeBSD machine running FreeBSD 2.2.8-RELEASE for me as a firewall/DNS/SMTP/POP/DHCP machine for my little in-home network. Using a Windows 98 machine behind the firewall I'm having no problems accessing any website UNTIL I go to one via https. Then nothing seems to work right (usually I time out when logging in). It's really frustrating because when I connect the machine directly to the web, I can log on to these sites no problem. I'm convinced my firewall is causing my problems, and I'm fairly sure it can be fixed simply with a new rule (or two) for the firewall. Unfortunately my friend is on a 3 week vacation and can't help me. Any help/suggestions would be appreciated.

TIA
Heath

Here are the rules extracted from rc.firewall:

if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
    $fwcmd add 100 divert natd all from any to any via ${natd_interface}
fi
...
$fwcmd add 150 pass all from any to any via lo0
#$fwcmd add 200 deny all from any to 127.0.0.0/8
...

# set these to your outside interface network and netmask and ip
oif="ed0"
onet="216.101.252.0"
omask="255.255.255.0"
oip="216.101.252.???"

# set these to your inside interface network and netmask and ip
iif="ed1"
inet="192.168.10.0"
imask="255.255.255.0"
iip="192.168.10.1"

# Stop spoofing
$fwcmd add 300 deny log all from ${inet}:${imask} to any in via ${oif}

# Begin basic rules
$fwcmd add 500 pass all from ${inet}:${imask} to any via ${iif}
$fwcmd add 550 pass all from ${oip} to any via ${oif}

#allow incoming DNS
$fwcmd add 600 pass udp from any 53 to ${inet}:${imask}
$fwcmd add 620 pass udp from any 53 to ${oip}
$fwcmd add 630 pass udp from any to ${oip} 53

#allow DHCP internally
$fwcmd add 650 pass udp from any 68 to any via ${iif}

# Allow TCP through if setup succeeded
$fwcmd add 700 pass tcp from any to any established

# Allow setup of incoming email
$fwcmd add 1400 pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
$fwcmd add 1500 pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
$fwcmd add 1600 pass tcp from any to ${oip} 80 setup

# Allow access to our WWW and https
$fwcmd add 1650 pass tcp from any to ${oip} 443 setup

# Reject&Log all setup of incoming connections from the outside
$fwcmd add 1700 deny log tcp from any to any in via ${oif} setup

$fwcmd add 65000 deny log all from any to any
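An added example, not from the post and not FreeBSD's own code: a small Python model that walks the posted rule list first-match, with a minimal stand-in for natd, over the four passes that a LAN client's outgoing HTTPS SYN and the server's SYN/ACK make through the firewall (in via ed1, out via ed0, in via ed0, out via ed1), so a reader can see which rule each packet stops at. The interface names, networks and rule numbers are the post's; the outside address oip is a placeholder because the post elides it; the client, server and router addresses are constructed. It also traces an ICMP packet arriving from outside, which no rule in the posted set passes.

```python
"""Toy first-match model of the ipfw rules in the post (added example)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

OIF, IIF = "ed0", "ed1"                    # interface names from the post
INET = ip_network("192.168.10.0/24")       # inside network from the post
OIP = ip_address("216.101.252.1")          # placeholder: the post elides oip
LAN_CLIENT = ip_address("192.168.10.5")    # constructed LAN host
WEB_SERVER = ip_address("203.0.113.10")    # constructed HTTPS server
ROUTER = ip_address("198.51.100.1")        # constructed upstream router


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    iface: str          # interface the packet is seen on
    direction: str      # "in" or "out"
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    num: int
    action: str                     # "pass", "deny" or "divert"
    proto: str = "all"
    src: str = "any"                # "any", a network or a single address
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None
    direction: Optional[str] = None
    setup: bool = False             # ipfw "setup": SYN without ACK
    established: bool = False       # ipfw "established": ACK set


def _addr_match(spec: str, addr: IPv4Address) -> bool:
    return spec == "any" or addr in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every clause on the rule must hold for the packet."""
    return (
        rule.proto in ("all", pkt.proto)
        and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
        and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport)
        and rule.via in (None, pkt.iface) and rule.direction in (None, pkt.direction)
        and (not rule.setup or (pkt.syn and not pkt.ack))
        and (not rule.established or pkt.ack)
    )


# The posted rule set, in order (rule 200 is commented out in the post).
RULES = [
    Rule(100, "divert", via=OIF),
    Rule(150, "pass", via="lo0"),
    Rule(300, "deny", src=str(INET), direction="in", via=OIF),
    Rule(500, "pass", src=str(INET), via=IIF),
    Rule(550, "pass", src=str(OIP), via=OIF),
    Rule(600, "pass", "udp", sport=53, dst=str(INET)),
    Rule(620, "pass", "udp", sport=53, dst=str(OIP)),
    Rule(630, "pass", "udp", dst=str(OIP), dport=53),
    Rule(650, "pass", "udp", sport=68, via=IIF),
    Rule(700, "pass", "tcp", established=True),
    Rule(1400, "pass", "tcp", dst=str(OIP), dport=25, setup=True),
    Rule(1500, "pass", "tcp", dst=str(OIP), dport=53, setup=True),
    Rule(1600, "pass", "tcp", dst=str(OIP), dport=80, setup=True),
    Rule(1650, "pass", "tcp", dst=str(OIP), dport=443, setup=True),
    Rule(1700, "deny", "tcp", direction="in", via=OIF, setup=True),
    Rule(65000, "deny"),
]


def natd(pkt: Packet, table: dict) -> Packet:
    """Minimal natd stand-in: masquerade LAN sources behind oip on the way out and
    map replies back on the way in. The source port is kept unchanged."""
    if pkt.direction == "out" and pkt.src in INET:
        table[pkt.sport] = pkt.src
        return replace(pkt, src=OIP)
    if pkt.direction == "in" and pkt.dst == OIP and pkt.dport in table:
        return replace(pkt, dst=table[pkt.dport])
    return pkt


def evaluate(pkt: Packet, table: dict) -> Tuple[int, str]:
    """First match wins; a divert translates the packet and evaluation resumes at
    the next rule, which is how natd reinjects into ipfw."""
    for rule in RULES:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt, table)
            continue
        return rule.num, rule.action
    raise RuntimeError("no terminal rule")  # rule 65000 matches everything


def trace_https_handshake() -> List[Tuple[str, int, str]]:
    """The four firewall passes of an outgoing HTTPS SYN and its SYN/ACK reply."""
    table: dict = {}
    steps = [
        ("SYN in via ed1", Packet("tcp", LAN_CLIENT, 40000, WEB_SERVER, 443, IIF, "in", syn=True)),
        ("SYN out via ed0", Packet("tcp", LAN_CLIENT, 40000, WEB_SERVER, 443, OIF, "out", syn=True)),
        ("SYN/ACK in via ed0", Packet("tcp", WEB_SERVER, 443, OIP, 40000, OIF, "in", syn=True, ack=True)),
        ("SYN/ACK out via ed1", Packet("tcp", WEB_SERVER, 443, LAN_CLIENT, 40000, IIF, "out", syn=True, ack=True)),
    ]
    return [(label, *evaluate(p, table)) for label, p in steps]


def icmp_from_outside() -> Tuple[int, str]:
    """An ICMP packet from an upstream router to oip (no UDP/TCP ports)."""
    return evaluate(Packet("icmp", ROUTER, 0, OIP, 0, OIF, "in"), {})


if __name__ == "__main__":
    for label, num, action in trace_https_handshake():
        print(f"{label:22s} -> rule {num} {action}")
    print("ICMP in via ed0        -> rule %d %s" % icmp_from_outside())
```

ipfw evaluates rules in number order and stops at the first pass or deny. Under this model the TCP side of an HTTPS connection is passed by rules 500, 550 and 700, while anything that is neither TCP nor the listed UDP (ICMP included) falls through to rule 65000. Path-MTU discovery relies on ICMP "fragmentation needed" messages reaching the firewall, so whether that matters for large TLS handshake segments is one thing to check when HTTPS alone times out; the post itself does not establish the cause.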