On Jul 18, 2011, at 10:41 AM, David van Rensburg - PC Network wrote:

> I've been having a problem with ipfw and nat. I can get nat to work but I want
> the following:
> My lan must only have access to outgoing port 80

For web access to be useful for most cases, you also need to permit 443 for HTTPS.

> I want to be able to allow some lan users access to ftp and outgoing 3389
> (remote desktop), but by default only port 80
> I have transparent proxy work in ipfw.
> I want to be able to limit outgoing and incoming to the freebsd server
> according to port.
> I want a default deny.

You haven't mentioned anything about DNS, NTP, SMTP & POP3/IMAP. For web access or remote desktop to function, you'll need to permit DNS traffic so they can find the machines they are connecting to. And most networks want to have network time and email working.

> ANY help or point me in the right direction would be great. I have been
> googling for a week now and can't find anything similar. Most examples don't
> use a default deny and don't allow certain services to the lan users.

Start with:

http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

...and the books recommended in /etc/rc.firewall:

# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls, 2nd Edition
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-871-7
#	http://www.ora.com/
#	http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
#	William R. Cheswick, Steven M. Bellowin, Aviel D. Rubin
#
#	Addison-Wesley / Prentice Hall
#	ISBN 0-201-63466-X
#	http://www.pearsonhighered.com/
#	http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html

Regards,
-- 
-Chuck
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
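A worked ruleset for the setup David describes, with the additions Chuck asks for (443, DNS, NTP): default deny, in-kernel NAT, port 80 handed to the transparent proxy on the firewall, and a table of privileged LAN hosts that may also open FTP and RDP. This is an added example, not code from the thread or from /etc/rc.firewall. The interface names (em0 outside, em1 inside), the LAN prefix, the proxy port 3128, the privileged hosts, the local caching resolver on the firewall and the ssh rule are all assumptions. The script prints a ruleset file in the form `ipfw -q /etc/ipfw.rules` reads; it does not touch the running firewall.

```shell
#!/bin/sh
# Generate an ipfw ruleset: in-kernel NAT, default deny, LAN limited to
# HTTP (via the transparent proxy on this host), HTTPS, DNS and NTP, plus a
# table of privileged hosts that may also open FTP and RDP (3389).
# Interfaces, addresses and the proxy port are assumptions, not from the thread.
oif="${OIF:-em0}"                          # public interface
iif="${IIF:-em1}"                          # LAN interface
lan="${LAN:-192.168.1.0/24}"               # LAN network
proxy_port="${PROXY_PORT:-3128}"           # transparent proxy on the firewall
privileged="${PRIVILEGED:-192.168.1.10 192.168.1.11}"  # hosts allowed ftp + rdp

r() { echo "$*"; }                         # emit one line of the ruleset

gen_rules() {
    r table 1 flush
    for h in $privileged; do r table 1 add "$h"; done

    r nat 1 config if "$oif" same_ports unreg_only reset

    # loopback and anti-spoofing
    r add 100 allow ip from any to any via lo0
    r add 110 deny ip from any to 127.0.0.0/8
    r add 120 deny ip from 127.0.0.0/8 to any
    r add 130 deny ip from "$lan" to any in via "$oif"

    # Translate inbound packets first, then let check-state match the reply
    # against the dynamic rule.  Requires net.inet.ip.fw.one_pass=0: with the
    # default of 1 the nat rule accepts the packet and rule 900 never runs.
    r add 200 nat 1 ip from any to any in via "$oif"
    r add 210 check-state

    # The firewall itself: DNS, NTP and the proxy's own fetches
    r add 300 allow udp from me to any 53 out keep-state
    r add 310 allow udp from me to any 123 out keep-state
    r add 320 allow tcp from me to any 80,443 out setup keep-state

    # LAN port 80 goes to the transparent proxy.  The proxy answers the client
    # with the web server's address and port 80 as source, hence rule 430.
    r add 420 fwd "127.0.0.1,$proxy_port" tcp from "$lan" to any 80 in via "$iif"
    r add 430 allow tcp from any 80 to "$lan" out via "$iif" established

    # LAN -> resolver on the firewall (assumes a local caching DNS)
    r add 440 allow udp from "$lan" to me 53 in via "$iif" keep-state

    # Permitted LAN traffic: state is created here, then skipto the nat rule.
    # Anything else from the LAN falls through to rule 900.
    r add 500 skipto 1000 tcp from "$lan" to any 443 in via "$iif" setup keep-state
    r add 510 skipto 1000 udp from "$lan" to any 123 in via "$iif" keep-state
    r add 520 skipto 1000 tcp from "table(1)" to any 21,3389 in via "$iif" setup keep-state

    # Inbound to the firewall from outside: ssh only (assumption)
    r add 600 allow tcp from any to me 22 in via "$oif" setup keep-state

    r add 900 deny log ip from any to any

    # Reached only by skipto from an allowed LAN rule
    r add 1000 nat 1 ip from any to any out via "$oif"
    r add 1010 allow ip from any to any
}

gen_rules
```

Run it as `sh gen-ipfw.sh > /etc/ipfw.rules`, then `ipfw -q -f flush; ipfw -q /etc/ipfw.rules`, or point `firewall_type="/etc/ipfw.rules"` at it in rc.conf. In-kernel NAT needs `ipfw_nat_load="YES"` in loader.conf (or IPFIREWALL_NAT in the kernel), `deny log` only logs with `net.inet.ip.fw.verbose=1`, and `net.inet.ip.fw.one_pass=0` is not optional here: with one_pass left at 1, a packet translated by rule 200 is accepted without ever reaching the default deny. Rule 520 covers only the FTP control channel; passive-mode data connections open an outbound high port to the server and would need a further rule or the libalias ftp module plus a matching allow. Check the loaded result with `ipfw list` and `ipfw -d list` (the latter shows dynamic rules) before trusting it from the LAN side.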