Date:      Mon, 18 Feb 2002 19:55:16 -0500
From:      Kevin Gross <kevin_gross@ameritech.net>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Ipfw, nntp and squid
Message-ID:  <B8970CA4.C167%kevin_gross@ameritech.net>

Hi all,

I'm working with FreeBSD 4.5 cvsup'ed to stable yesterday evening.  The FBSD
box has two network cards, one for ADSL and the other for my LAN.  I'm
successfully sharing the pppoe internet connection.  My network is shielded
by a simple firewall (rules below) thanks to Marc Silver.  I'm able to
browse the web and send/receive email from my network computers
(192.168.0.x).  However, I am unable to read the news on Ameritech.net's
news server.  Their news server requires authentication and I'm not sure how
to set up the firewall to allow this.  News servers which don't require
authentication work just fine.  Any suggestions?

Also, while this setup seems to work well, I'd like to filter out ads,
unintentional porn, and other such annoyances.  (My wife was looking for
maternity clothing online and porn magically started popping up!) I've
installed squid with the hopes of running squidGuard to address these
annoyances (config files below).  However, when trying to connect to a
website (http://www.google.com) through the proxy, I get errors that appear
to be related to DNS (see below).  I'm not sure that I've got squid set up
properly, but I'm guessing that my firewall is getting in the way.

So, being a novice, I pose the following questions:

1)  Is it possible to get squid and a firewall working together on the same
box?

2)  Is there a better solution for dealing with these annoyances, e.g. use a
more sophisticated elaborate firewall, adzapper, ... Squid seems like it
might be overkill for what I'm trying to do.

And since I'm a rookie in this area, I'll solicit any other advice,
suggestions, and/or pointers to information for making my network more
secure and browsing experience less annoying.

Thanks,

Kevin Gross

-----> ipfw firewall script <-----
# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost.  Make sure you
# change your network card (mine was fxp0) before you reboot.  :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via dc0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.  This example specifically allows connections
# to ssh and apache.
#$fwcmd add allow tcp from any to any 80 setup
#$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets. Don't think I need this.
#$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow newsgroup access
$fwcmd add allow tcp from any 119 to any 119 setup

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 206.141.195.13 53 out xmit tun0
$fwcmd add allow udp from any to 206.141.192.60 53 out xmit tun0

# Allow them back in with the answers...  :)
$fwcmd add allow udp from 206.141.195.13 53 to any in recv tun0
$fwcmd add allow udp from 206.141.192.60 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
#$fwcmd add allow icmp from any to any

# Deny all the rest.
$fwcmd add deny log ip from any to any
=========================================


-----> squid.conf <-----
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
dns_nameservers 206.141.195.13 206.141.192.60 66.73.20.40 206.141.193.55
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl tomcat src 192.168.0.2
acl warthog src 192.168.0.1
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tomcat
http_access allow localhost
http_access allow warthog
http_access deny all
icp_access allow tomcat
icp_access deny all
redirect_program      /usr/local/bin/squidGuard
=========================================

-----> squid error message <-----
The requested URL could not be retrieved

While trying to retrieve the URL: http://admin.foo.bar.no/cgi/blocked?

The following error was encountered:
Unable to determine IP address from host name for admin.foo.bar.no

The dnsserver returned:
Name Error: The domain name does not exist.

This means that:

The cache was not able to resolve the hostname presented in the URL.
 Check if the address is correct.

Your cache administrator is webmaster.
=========================================
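Added example for this thread, not code from the mail or from Marc Silver's firewall script: a small first-match evaluator for exactly the ipfw subset the posted rules use (allow/deny, ip/all/tcp/udp, optional ports, via / out xmit / in recv, setup, established). It loads the posted ruleset and asks what happens to a UDP/53 query from the box to each of the four servers on squid.conf's dns_nameservers line, and to a NATed LAN client's first SYN to a news server. The addresses 198.51.100.2 (the PPPoE side) and 192.0.2.10 (a news server) are constructed placeholders; the rules only ever compare against "any", so their values do not affect the verdict. Address masks and natd's address rewriting are not modelled.

```python
# Added example, not from the mail or Marc Silver's script: a first-match
# evaluator for the ipfw subset the posted rules use.  Address masks and natd
# translation are not modelled; divert falls through, as after natd reinjects.
from dataclasses import dataclass
from typing import Optional
TUN0_ADDR = "198.51.100.2"    # constructed placeholder: the box's PPPoE address
SQUID_NAMESERVERS = ["206.141.195.13", "206.141.192.60",   # squid.conf
                     "66.73.20.40", "206.141.193.55"]      # dns_nameservers
RULESET = """
$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via dc0
$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any via tun0 established
$fwcmd add allow tcp from any 119 to any 119 setup
$fwcmd add allow udp from any to 206.141.195.13 53 out xmit tun0
$fwcmd add allow udp from any to 206.141.192.60 53 out xmit tun0
$fwcmd add allow udp from 206.141.195.13 53 to any in recv tun0
$fwcmd add allow udp from 206.141.192.60 53 to any in recv tun0
$fwcmd add deny log ip from any to any
"""                           # the posted rules, comments stripped, same order

@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str                   # interface the packet is seen on
    direction: str               # "in" or "out"
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn_only: bool = False       # SYN without ACK, what ipfw calls "setup"

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    iface: Optional[str] = None
    direction: Optional[str] = None   # None matches both directions
    setup: bool = False
    established: bool = False

def parse_rule(line):
    """Parse one '$fwcmd add ...' line; options not modelled raise ValueError."""
    toks = line.split()[2:]                    # drop "$fwcmd add"
    port = lambda: int(toks.pop(0)) if toks and toks[0].isdigit() else None
    action = toks.pop(0)
    if action == "divert":
        toks.pop(0)                            # divert port name ("natd")
    if toks[0] == "log":
        toks.pop(0)                            # logging does not change the verdict
    proto = toks.pop(0)
    assert toks.pop(0) == "from"
    src, sport = toks.pop(0), port()
    assert toks.pop(0) == "to"
    dst, dport = toks.pop(0), port()
    rule = Rule(action, "ip" if proto == "all" else proto, src, sport, dst, dport)
    while toks:
        t = toks.pop(0)
        if t in ("via", "recv", "xmit"):
            rule.iface = toks.pop(0)
        elif t in ("in", "out"):
            rule.direction = t
        elif t in ("setup", "established"):
            setattr(rule, t, True)
        else:
            raise ValueError(f"option {t!r} is not modelled")
    return rule

def load_rules(text):
    return [parse_rule(ln) for ln in text.splitlines() if ln.startswith("$fwcmd add")]

def matches(rule, pkt):
    """ipfw match semantics for the modelled fields; 'any' and None are wildcards."""
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport)
            and rule.iface in (None, pkt.iface)
            and rule.direction in (None, pkt.direction)
            and (not rule.setup or (pkt.proto == "tcp" and pkt.syn_only))
            and (not rule.established or (pkt.proto == "tcp" and not pkt.syn_only)))

def evaluate(rules, pkt):
    """First matching rule decides; returns (action, 1-based rule position)."""
    for pos, rule in enumerate(rules, start=1):
        if rule.action != "divert" and matches(rule, pkt):
            return rule.action, pos
    return "deny", None                        # kernel default: nothing matched

def check_dns_servers(rules, servers):
    """Verdict for a UDP/53 query from the box itself, leaving tun0, per server."""
    return {s: evaluate(rules, Packet("udp", TUN0_ADDR, s, "tun0", "out",
                                      sport=1025, dport=53))[0] for s in servers}

def nntp_client_syn():
    """A NATed LAN client's first SYN to a news server (constructed address)."""
    return Packet("tcp", TUN0_ADDR, "192.0.2.10", "tun0", "out",
                  sport=1026, dport=119, syn_only=True)
```

Running `check_dns_servers(load_rules(RULESET), SQUID_NAMESERVERS)` shows the mismatch between the two configurations: queries to 206.141.195.13 and 206.141.192.60 are allowed by the two explicit UDP/53 rules, while queries to 66.73.20.40 and 206.141.193.55, which squid is also told to use, fall through to the final logged deny. `evaluate(rules, nntp_client_syn())` returns the outbound setup rule (position 4), so the later `from any 119 to any 119 setup` rule, which requires source port 119 as well, never sees a client connection and does not help with the news problem; a permanent rule you expect to carry traffic should be checked against a packet like this before trusting it. The hostname in the squid error page, admin.foo.bar.no, is the placeholder redirect target from squidGuard's sample configuration, so that part of the symptom is a squidGuard.conf setting rather than an ipfw rule.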