Hi, I've been having a problem with ipfw and nat. I can get nat to work, but I want the following:

- My LAN must only have access to outgoing port 80.
- I want to be able to allow some LAN users access to ftp and outgoing 3389 (remote desktop), but by default only port 80.
- I have a transparent proxy working in ipfw.
- I want to be able to limit outgoing and incoming to the FreeBSD server according to port.
- I want a default deny.

ANY help, or a pointer in the right direction, would be great. I have been googling for a week now and can't find anything similar. Most examples don't use a default deny and don't allow certain services to the LAN users.

oif="rl0"

FreeBSD box with 2 network cards:
  192.168.1.3 - LAN side (all LAN clients 192.168.1.x)
  192.168.0.2 - router side of card (machine default gateways to 192.168.0.1, which is the router)

rc.conf:

  gateway_enable="YES"
  natd_enable="YES"
  natd_interface="rl0"
  natd_flags="-s -u -m"
  firewall_enable="YES"
  firewall_logging_enable="YES"
  firewall_quiet="NO"
  #firewall_type="simple blah"
  firewall_script="/etc/firewall.local"
  natd_flags="-f /etc/natd.conf"

I'm using the following rules, which aren't working properly, e.g. the actual FreeBSD box can ftp out for some reason.

  00100     0      0 divert 8668 ip from not me to any via rl0
  00150     0      0 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
  00250    24   1440 allow ip from any to any via lo0
  00350     0      0 deny ip from any to 127.0.0.0/8
  00450     0      0 deny ip from 127.0.0.0/8 to any
  00550     0      0 deny tcp from any to any frag
  00650     0      0 check-state
  00750   241  27480 allow tcp from any to any established
  00850    24   5676 allow ip from any to any out keep-state
  00950     0      0 allow tcp from any to any dst-port 22 in
  01050     0      0 allow tcp from any to any dst-port 22 out
  01150     0      0 allow udp from any to any dst-port 53 in
  01250     0      0 allow tcp from any to any dst-port 53 in
  01350     0      0 allow udp from any to any dst-port 53 out
  01450     0      0 allow tcp from any to any dst-port 53 out
  01550     0      0 allow tcp from 192.168.1.99 to any dst-port 3389
  01650   462  53744 deny ip from any to any
  65535   122  12588 allow ip from any to any

David van Rensburg
PC Network
www.pcnetwork.co.za

freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
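Two things in the posted configuration account for the symptom. Rule 00850, "allow ip from any to any out keep-state", has no interface or port restriction, so every connection the box itself opens (FTP included) is permitted by it before the deny at 01650 is ever reached. And rc.conf assigns natd_flags twice; rc.conf is read as a shell file, so the last assignment wins and natd is started with only "-f /etc/natd.conf" (the "-s -u -m" line has no effect).

The firewall script below is an added example written for the setup described in the post; it is not the poster's ruleset and not a FreeBSD project file. It uses the stateful layout from the FreeBSD handbook: inbound packets on rl0 are un-NATed by the divert before check-state, while outbound traffic is matched per service by "skipto" rules that land on the outbound divert, so the outbound rules still see the pre-NAT LAN source address and can grant FTP or 3389 to individual hosts. Because a check-state hit re-executes the action of the rule that created the dynamic entry, later packets of an allowed flow still pass through the NAT divert. The LAN interface name (rl1), the host given FTP and RDP (192.168.1.99) and the box acting as the LAN's DNS server are assumptions, since the post names none of them.

```shell
#!/bin/sh
# /etc/firewall.local: stateful default-deny ipfw ruleset around natd.
# Added example for the post's topology; not the poster's rules.
# From the post: rl0 = outside NIC (192.168.0.2, gateway 192.168.0.1); LAN side
# 192.168.1.3 serving 192.168.1.0/24; squid on 192.168.1.3:3128; natd on divert 8668.
# ASSUMPTIONS (not in the post): LAN NIC is rl1; 192.168.1.99 is the host that may
# use outbound FTP and RDP; the box runs a resolver for the LAN on 192.168.1.3.

oif="rl0"                  # outside interface (natd_interface)
lif="rl1"                  # ASSUMPTION: LAN-side interface
lan="192.168.1.0/24"
proxy="192.168.1.3,3128"   # transparent squid (ipfw fwd target)
rdp_hosts="192.168.1.99"   # LAN hosts allowed outbound 3389 (comma-separate more)
ftp_hosts="192.168.1.99"   # LAN hosts allowed outbound 21
natport="8668"             # natd divert port

# rule: emit one rule through $fwcmd ($fwcmd is unquoted on purpose so "ipfw -q" splits).
rule() { $fwcmd add "$@"; }

build_rules() {
    $fwcmd -f flush

    # Loopback
    rule 00100 allow ip from any to any via lo0
    rule 00110 deny ip from any to 127.0.0.0/8
    rule 00120 deny ip from 127.0.0.0/8 to any

    # Un-NAT inbound packets first, then consult the dynamic table. A state hit runs
    # the action of the rule that created the state; for LAN/box outbound flows that
    # is "skipto 1000", i.e. NAT on the way out, then allow.
    rule 00200 divert $natport ip from any to any in via $oif
    rule 00210 check-state

    # LAN -> box: only the services the box offers, plus the transparent proxy.
    # fwd is terminal, so LAN port-80 traffic never reaches the rl0 rules below.
    rule 00300 fwd $proxy tcp from $lan to not me dst-port 80 in via $lif
    rule 00310 allow tcp from $lan to me dst-port 22,3128 in via $lif setup keep-state
    rule 00320 allow udp from $lan to me dst-port 53 in via $lif keep-state
    # squid's replies to fwd'ed clients carry no state, so allow them explicitly
    rule 00330 allow tcp from me 3128 to $lan out via $lif established
    # Anything else from the LAN not addressed to the box is a forwarding candidate;
    # the outbound rules on $oif decide (pre-NAT, so the LAN source IP is visible).
    rule 00340 allow ip from $lan to not me in via $lif

    # Outbound via rl0, pre-NAT. LAN default: nothing (port 80 already went to squid).
    rule 00400 skipto 1000 tcp from me to any dst-port 80,443 out via $oif setup keep-state
    rule 00410 skipto 1000 udp from me to any dst-port 53 out via $oif keep-state
    rule 00420 skipto 1000 tcp from me to any dst-port 53 out via $oif setup keep-state
    rule 00430 skipto 1000 tcp from $ftp_hosts to any dst-port 21 out via $oif setup keep-state
    rule 00440 skipto 1000 tcp from $rdp_hosts to any dst-port 3389 out via $oif setup keep-state

    # Inbound to the box on rl0: ssh only.
    rule 00500 allow tcp from any to me dst-port 22 in via $oif setup keep-state

    # Default deny, logged (logging needs net.inet.ip.fw.verbose=1 / firewall_logging_enable).
    rule 00900 deny log ip from any to any

    # skipto target: NAT outbound and let it go. Reached only from the rules above.
    rule 01000 divert $natport ip from any to any out via $oif
    rule 01010 allow ip from any to any
}

# rc.d/ipfw runs this file as the firewall_script and ipfw applies the rules.
# Without /sbin/ipfw, or with FWCMD=echo in the environment, the commands are printed.
if [ -n "${FWCMD-}" ]; then fwcmd="$FWCMD"
elif [ -x /sbin/ipfw ]; then fwcmd="/sbin/ipfw -q"
else fwcmd="echo"; fi
build_rules
```

Preview the rule list with "FWCMD=echo sh /etc/firewall.local" and, once loaded, watch the dynamic entries with "ipfw -d list" while a LAN host connects. Rule 00430 opens only the FTP control channel: FTP data transfers are separate TCP connections to high ports, which this ruleset denies, so those hosts also need either a rule for their passive data connections or an FTP proxy running on the box. On older releases "fwd" also needs the IPFIREWALL_FORWARD kernel option.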