-- 
 James E. Housley                            PGP:   1024/03983B4D
 System Supply, Inc.                         2C 3F 3A 0D A8 D8 C3 13
 Pager: page...@notepage.com                 7C F0 B5 BF 27 8B 92 FE 

"The box said 'Requires Windows 95, NT, or better,' so I installed
FreeBSD"
--- Begin Message ---
konstantinos.dryllera...@dg21.cec.be wrote:
> 
> Dear all,
> 
> 
> It seems to me that outgoing packets through the outer interface should first 
> be run (somehow) through the firewall and if successful pass through natd 
> (without a further re-injection to the firewall ruleset) whereas incoming 
> packets should pass first from natd and then pass through the firewall rules 
> (the existing operation). [ It is clear that only "deny" rules can be added 
> before the "divert" rule to control the outgoing packets of internal machines 
> and this can prove very tricky and tedious ].
> 
Let's assume that out0 is the interface to the internet and in0 is your
internal interface, and that 192.168.0.x is your internal network.  If
that is true you should be able to do:

allow all from 192.168.0.0/24 to 192.168.0.0/24 # allow all internal to 
                                                # talk to each other
allow tcp from 192.168.0.0/24 to any 25  # Everyone has mail
allow udp from 192.168.0.0/24 to any 53  # DNS lookup
allow all from boss to any               # boss has full reign
deny tcp from secretary to any 80        # no web for secretary
divert 8668 ip from any to any via out0
deny tcp from any to any 137-139 in via out0 # Block netbios
deny udp from any to any 53 in via out0      # Allow DNS in
.....

the other program to look at is ipfilter.

--- End Message ---
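The ordering question in the thread, worked through in a small model. This is an added illustration, not FreeBSD's ipfw or natd and not code from the original post; it reproduces only the behaviour that matters for rule placement: a packet routed through the box is checked once when it enters on in0 and once when it leaves on out0, allow and deny are terminal, and a matching divert hands the packet to natd and evaluation resumes at the next rule with the rewritten packet. The host addresses, the outside address of out0, the static inbound mapping, the default-deny fallback and the trailing `allow all from any to any` (standing in for the "....." in the post) are all constructed assumptions. The post's ruleset is loaded with its two address typos corrected and is compared with a copy whose host-specific rules are pinned to `in via in0`; the model shows the secretary's web traffic being denied before the divert in both, but also that in the posted order an `allow` for an internal host matches again on the out0 pass before the divert is reached, so that traffic leaves untranslated.

```python
"""Toy model of ipfw rule evaluation around a natd divert rule (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins for the host names and addresses used in the post.
HOSTS = {"boss": "192.168.0.10", "secretary": "192.168.0.20"}
PUBLIC_IP = "203.0.113.5"                     # constructed outside address of out0
STATIC_INBOUND = {PUBLIC_IP: "192.168.0.1"}   # constructed static mapping for the toy natd


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    dport: int
    direction: str    # "in" | "out"
    iface: str        # "in0" | "out0"


@dataclass(frozen=True)
class Rule:
    action: str              # allow | deny | divert
    proto: str               # all | tcp | udp | icmp
    src: str                 # "any" or CIDR
    dst: str
    ports: tuple | None      # (lo, hi) inclusive, or None for any port
    direction: str | None    # in | out | None (either direction)
    iface: str | None        # interface after "via", or None (any interface)


def _addr(tok):
    """Resolve a host alias to its address; keep 'any' and CIDRs as given."""
    tok = HOSTS.get(tok, tok)
    return tok if tok == "any" else str(ipaddress.ip_network(tok, strict=False))


def parse_rule(line):
    """Parse the subset of ipfw syntax used in the post:
    <action> [divert-port] <proto> from <src> to <dst> [port[-port]] [in|out] [via <iface>]"""
    toks = line.split("#", 1)[0].split()
    if toks[0] == "divert":
        del toks[1]                                   # drop the divert socket port
    action, proto = toks[0], ("all" if toks[1] in ("ip", "all") else toks[1])
    if toks[2] != "from" or toks[4] != "to":
        raise ValueError(f"unsupported rule: {line!r}")
    src, dst, rest = _addr(toks[3]), _addr(toks[5]), toks[6:]
    ports = direction = iface = None
    if rest and rest[0][0].isdigit():
        lo, _, hi = rest.pop(0).partition("-")
        ports = (int(lo), int(hi or lo))
    if rest and rest[0] in ("in", "out"):
        direction = rest.pop(0)
    if rest and rest[0] == "via":
        iface = rest[1]
    return Rule(action, proto, src, dst, ports, direction, iface)


def _in_net(ip, net):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and (rule.ports is None or rule.ports[0] <= pkt.dport <= rule.ports[1])
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def natd(pkt):
    """Toy natd: outbound packets get the public source address; inbound packets
    to the public address get the statically mapped inside address."""
    if pkt.direction == "out":
        return replace(pkt, src=PUBLIC_IP)
    return replace(pkt, dst=STATIC_INBOUND.get(pkt.dst, pkt.dst))


def evaluate(rules, pkt, default="deny"):
    """One pass through the ruleset on one interface. A divert rewrites the packet
    and evaluation continues at the next rule; allow/deny end the pass."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            continue
        return rule.action, pkt
    return default, pkt


def transit(rules, proto, src_host, dst, dport):
    """An internal host's packet entering on in0 and, if allowed, leaving on out0."""
    pkt = Packet(proto, HOSTS.get(src_host, src_host), dst, dport, "in", "in0")
    verdict, pkt = evaluate(rules, pkt)
    if verdict != "allow":
        return verdict, pkt
    return evaluate(rules, replace(pkt, direction="out", iface="out0"))


def load(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


# The post's order (address typos corrected); the final allow stands in for "....."
AS_POSTED = load("""
allow all from 192.168.0.0/24 to 192.168.0.0/24
allow tcp from 192.168.0.0/24 to any 25
allow udp from 192.168.0.0/24 to any 53
allow all from boss to any
deny tcp from secretary to any 80
divert 8668 ip from any to any via out0
deny tcp from any to any 137-139 in via out0
deny udp from any to any 53 in via out0
allow all from any to any
""")

# Same policy with the host-specific rules pinned to the inside interface, so the
# out0 pass falls through to the divert rule and leaves with the public address.
PINNED_TO_IN0 = load("""
allow all from 192.168.0.0/24 to 192.168.0.0/24
allow tcp from 192.168.0.0/24 to any 25 in via in0
allow udp from 192.168.0.0/24 to any 53 in via in0
allow all from boss to any in via in0
deny tcp from secretary to any 80 in via in0
divert 8668 ip from any to any via out0
deny tcp from any to any 137-139 in via out0
deny udp from any to any 53 in via out0
allow all from any to any
""")

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("pinned to in0", PINNED_TO_IN0)):
        print(name)
        print("  secretary -> web:", transit(rules, "tcp", "secretary", "198.51.100.7", 80))
        print("  boss -> web     :", transit(rules, "tcp", "boss", "198.51.100.7", 80))
        inbound = Packet("tcp", "198.51.100.7", PUBLIC_IP, 139, "in", "out0")
        print("  netbios inbound :", evaluate(rules, inbound))
```

Running it prints, for the posted order, the boss's web packet leaving with `src='192.168.0.10'`; in the pinned ruleset the same packet leaves with the public address, while the secretary's web request is denied on the in0 pass in both, and the inbound NetBIOS packet is denied after natd has rewritten its destination, which is the "incoming packets pass natd first, then the firewall" behaviour the thread describes.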