Date: Sat, 17 Apr 2004 00:20:59 +0000
From: Igor Popov <IgorPopov@NewMail.RU>
To: ipfw@freebsd.org
Subject: natd and squid in jail
Message-ID: <200404170020.59722.IgorPopov@NewMail.RU>
Hi,

I have a home network that consists of two machines; the first one (FreeBSD) has dialup access to inet. Squid runs on FreeBSD to allow access to inet from my second machine. For the sake of experiment I tried to run squid in a jail. But it doesn't work with inet with ipfw and natd, while it works fine with ipfilter and ipnat and OpenBSD's pf.

Here are my ipfw rules:

fwcmd="/sbin/ipfw -q"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# automated anti-spoofing
$fwcmd add deny log ip from any to any not verrevpath in recv ng0

# natd
$fwcmd add divert natd all from any to any via ng0

# Allow all localhost connections
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log all from 127.0.0.0/8 to any

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable ICMP
$fwcmd add deny log icmp from any to me icmptypes 8,13
$fwcmd add allow icmp from me to any keep-state

# enable access for squid via localnet
$fwcmd add allow tcp from 192.168.1.0/24 to me dst-port 3128 in recv rl0 setup keep-state

# Enable IPSec
$fwcmd add allow log udp from any to me src-port isakmp dst-port isakmp via rl0 keep-state
$fwcmd add allow esp from any to any via rl0
$fwcmd add allow ah from any to any via rl0

# Deny all the rest.
$fwcmd add deny log ip from any to any

rl0: 192.168.1.1 mask 0xffffff00, 192.168.1.2 mask 0xffffff80

When I do `ipfw -d show` or `tcpdump -i ng0`, I see that squid begins the connection and there is a response, but it can't reach squid.

-- 
Ten years of rejection slips is nature's way of telling you to stop writing.
-- R. Geis
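The following is an added example, not part of the original post and not the poster's own script: a small static checker that reads an ipfw(8) rule script of the kind shown above and reports the ordering facts that matter when a natd `divert` rule is combined with `keep-state` rules. It records where `divert` sits relative to `check-state`, which `keep-state` rules use the `me` keyword (ipfw's `me` matches every address configured on the host, jail aliases included), and which addresses `me` resolves to given the `rl0` address line quoted in the message. The rules and the rl0 addresses are copied from the post; the parsing, the 1-based rule numbering (ipfw assigns the real numbers at load time) and the report format are assumptions of this example.

```python
"""Static checker for an ipfw natd/keep-state ruleset (added example)."""
import re

# Copied from the post; comments dropped, rule text unchanged.
POSTED_SCRIPT = r'''
fwcmd="/sbin/ipfw -q"
$fwcmd -f flush
$fwcmd add deny log ip from any to any not verrevpath in recv ng0
$fwcmd add divert natd all from any to any via ng0
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log all from 127.0.0.0/8 to any
$fwcmd add check-state
$fwcmd add deny tcp from any to any established
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state
$fwcmd add reset log tcp from any to me 113 in recv any
$fwcmd add deny log icmp from any to me icmptypes 8,13
$fwcmd add allow icmp from me to any keep-state
$fwcmd add allow tcp from 192.168.1.0/24 to me dst-port 3128 in recv rl0 setup keep-state
$fwcmd add allow log udp from any to me src-port isakmp dst-port isakmp via rl0 keep-state
$fwcmd add allow esp from any to any via rl0
$fwcmd add allow ah from any to any via rl0
$fwcmd add deny log ip from any to any
'''

# The interface address line from the post ("<addr> mask <hexmask>" pairs).
POSTED_RL0 = "rl0: 192.168.1.1 mask 0xffffff00, 192.168.1.2 mask 0xffffff80"


def parse_rules(script):
    """Return the `$fwcmd add ...` rules in script order as dicts.

    Rules are numbered 1..n by position (an assumption of this checker);
    ipfw picks the real numbers at load time, only the order matters here.
    """
    rules = []
    for line in script.splitlines():
        line = line.strip()
        if not line.startswith("$fwcmd add "):
            continue
        body = line[len("$fwcmd add "):]
        tokens = body.split()
        action, opts = tokens[0], tokens[1:]
        if action == "divert":          # divert takes a port (natd) before the proto
            opts = opts[1:]
        if opts and opts[0] == "log":   # `log` is a modifier, not the protocol
            opts = opts[1:]
        rules.append({
            "n": len(rules) + 1,
            "action": action,
            "proto": None if action == "check-state" else opts[0],
            "text": body,
            "keep_state": "keep-state" in tokens,
            "uses_me": "me" in tokens,
        })
    return rules


def local_addresses(ifconfig_line):
    """Parse 'ifname: A mask 0xM, B mask 0xN' into (address, prefixlen) pairs."""
    _, _, rest = ifconfig_line.partition(":")
    pairs = re.findall(r"(\d+\.\d+\.\d+\.\d+) mask (0x[0-9a-fA-F]+)", rest)
    return [(addr, bin(int(mask, 16)).count("1")) for addr, mask in pairs]


def me_matches(local, ip):
    """ipfw's `me` matches any address configured on the host, aliases included."""
    return ip in {addr for addr, _ in local}


def analyze(script, ifconfig_line):
    rules = parse_rules(script)
    local = local_addresses(ifconfig_line)
    divert = next((r["n"] for r in rules if r["action"] == "divert"), None)
    check_state = next((r["n"] for r in rules if r["action"] == "check-state"), None)
    keep_state = [r["n"] for r in rules if r["keep_state"]]
    # A keep-state rule placed after the divert sees the packet as natd left it,
    # so the dynamic entry it creates records the translated addresses.
    me_after_divert = [r["n"] for r in rules
                       if r["keep_state"] and r["uses_me"] and divert and r["n"] > divert]
    return {
        "rule_count": len(rules),
        "divert_rule": divert,
        "check_state_rule": check_state,
        "keep_state_rules": keep_state,
        "me_keep_state_after_divert": me_after_divert,
        "me_addresses": sorted(addr for addr, _ in local),
    }


if __name__ == "__main__":
    for key, value in analyze(POSTED_SCRIPT, POSTED_RL0).items():
        print(f"{key}: {value}")
```

Run as-is it prints the report for the posted ruleset; point `POSTED_SCRIPT` and `POSTED_RL0` at your own `rc.firewall` fragment and `ifconfig` output to check another host. The checker makes no packet-level decision; it only surfaces the rule order and the `me` membership so that the reader can walk a packet through the rules by hand.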