At 22:25 14-2-2002 +0100, Rogier R. Mulhuijzen wrote:
Oops, forgot a few rules at the end (bad copy/paste)

So here it is again.

tl0 is the interface on internal LAN
lnc0 is the interface on external LAN


#divert all http requests from internal network to squid cache
add 00510 fwd tcp from to any 80 in via tl0
add 00520 fwd tcp from to any 80 in via tl0
add 00530 fwd tcp from to any 80 in via tl0

#allow all traffic to/from internal network
add 01000 allow all from any to any via tl0

#translate incoming packets (NAT)
add 30000 divert natd all from any to <internet IP of machine> in via lnc0

#allow incoming packets for hosts on internal network
#(Since we translated them, we're sure they belong to existing
add 30110 allow all from any to in via lnc0
add 30111 allow all from any to in via lnc0
add 30112 allow all from any to in via lnc0

#allow SSH from XXXXXXXX
add 30200 allow tcp from <some internet IP> to <internet IP of machine> 22 in via lnc0
add 30210 allow tcp from <internet IP of machine> 22 to <some internet IP> out via lnc0

#allow DNS queries to UUnet DNS servers
add 30300 allow udp from <DNS1 IP> 53 to <internet IP of machine> in via lnc0
add 30310 allow udp from <internet IP of machine> to <DNS1 IP> 53 out via lnc0
add 30320 allow udp from <DNS2 IP> 53 to <internet IP of machine> in via lnc0
add 30330 allow udp from <internet IP of machine> to <DNS2 IP> 53 out via lnc0

#allow outgoing traffic from internal hosts
#(use skipto 34000 instead of allow because they still need translation)
add 31010 skipto 34000 all from to any out via lnc0
add 31020 skipto 34000 all from to any out via lnc0
add 31030 skipto 34000 all from to any out via lnc0

#allow outgoing connections from local machine (using dynamic rules)
add 32000 allow all from <internet IP of machine> to any out via lnc0 

#block and log everything that hasn't been allowed so far
add 33000 deny log all from any to any

#translate outgoing packets (NAT)
add 34000 divert natd all from any to any out via lnc0

#allow translated packets to go out
add 34010 allow all from to any out via lnc0

#block and log whatever remains (shouldn't be anything)
add 65000 deny log all from any to any

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
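The following is an added model of how ipfw walks the ruleset above, written for this page and not code from the original post. It replays the first-match search with skipto and divert-to-natd semantics over a few constructed packets, so the two comments in the ruleset ("use skipto 34000 instead of allow because they still need translation" and "since we translated them, we're sure they belong to existing ...") can be checked rather than taken on trust: an inbound packet can only reach rule 30110 after natd has rewritten its destination to an internal host, and a LAN host's outbound packet that was simply allowed at 31010 would leave lnc0 untranslated. The addresses stand in for the <...> placeholders and the stripped internal-host addresses in the original, the squid forward target 127.0.0.1:3128 is likewise an assumption, and the three per-host fwd/allow/skipto rules are collapsed into one rule each. The natd model is deliberately minimal (one table, no timeouts, TCP/UDP only) and does not claim to match the real daemon beyond the translation direction.

```python
"""Trace packets through a first-match ipfw ruleset with skipto and divert.

Constructed model of the ruleset in the post; the addresses below are
assumptions standing in for the <...> placeholders in the original.
"""
from dataclasses import dataclass, replace

MACHINE = "203.0.113.10"                              # assumed: <internet IP of machine>
LAN = {"192.168.1.2", "192.168.1.3", "192.168.1.4"}   # assumed internal hosts (stripped in the post)
ADMIN = "198.51.100.7"                                # assumed: <some internet IP> allowed to SSH
DNS = {"203.0.113.53", "203.0.113.54"}                # assumed: <DNS1 IP>, <DNS2 IP>
SQUID = ("127.0.0.1", 3128)                           # assumed fwd target for the squid rules


@dataclass
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out"
    iface: str       # "tl0" (LAN) or "lnc0" (internet)


def m(proto="all", src=None, sport=None, dst=None, dport=None, direction=None, via=None):
    """Build an ipfw-style matcher; src/dst are sets, None means 'any'."""
    def match(p):
        return ((proto == "all" or p.proto == proto)
                and (src is None or p.src in src)
                and (sport is None or p.sport == sport)
                and (dst is None or p.dst in dst)
                and (dport is None or p.dport == dport)
                and (direction is None or p.direction == direction)
                and (via is None or p.iface == via))
    return match


# (rule number, action, matcher) in the order ipfw walks them.  The three
# per-host fwd / allow / skipto rules of the post are collapsed into one each.
RULES = [
    (510,   ("fwd", SQUID),    m("tcp", src=LAN, dport=80, direction="in", via="tl0")),
    (1000,  "allow",           m(via="tl0")),
    (30000, "divert",          m(dst={MACHINE}, direction="in", via="lnc0")),
    (30110, "allow",           m(dst=LAN, direction="in", via="lnc0")),
    (30200, "allow",           m("tcp", src={ADMIN}, dst={MACHINE}, dport=22, direction="in", via="lnc0")),
    (30210, "allow",           m("tcp", src={MACHINE}, sport=22, dst={ADMIN}, direction="out", via="lnc0")),
    (30300, "allow",           m("udp", src=DNS, sport=53, dst={MACHINE}, direction="in", via="lnc0")),
    (30310, "allow",           m("udp", src={MACHINE}, dst=DNS, dport=53, direction="out", via="lnc0")),
    (31010, ("skipto", 34000), m(src=LAN, direction="out", via="lnc0")),
    (32000, "allow",           m(src={MACHINE}, direction="out", via="lnc0")),
    (33000, "deny",            m()),
    (34000, "divert",          m(direction="out", via="lnc0")),
    (34010, "allow",           m(src={MACHINE}, direction="out", via="lnc0")),
    (65000, "deny",            m()),
]


class Natd:
    """Minimal natd: masquerade LAN sources behind MACHINE, map replies back."""
    def __init__(self):
        self.table = {}        # public port -> (internal ip, internal port)
        self.next_port = 40000

    def translate(self, p):
        if p.direction == "out" and p.src in LAN:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = (p.src, p.sport)
            return replace(p, src=MACHINE, sport=port)
        if p.direction == "in" and p.dst == MACHINE and p.dport in self.table:
            ip, port = self.table[p.dport]
            return replace(p, dst=ip, dport=port)
        return p               # not in the table: re-injected unchanged


def walk(p, natd):
    """Return (verdict, rule numbers that matched, packet as it finally left)."""
    i, trace = 0, []
    while i < len(RULES):
        num, action, match = RULES[i]
        if match(p):
            trace.append(num)
            if action in ("allow", "deny"):
                return action, trace, p
            if action == "divert":
                p = natd.translate(p)   # search resumes at the next rule
            elif action[0] == "fwd":
                return f"fwd {action[1][0]}:{action[1][1]}", trace, p
            elif action[0] == "skipto":
                i = next(j for j, r in enumerate(RULES) if r[0] >= action[1])
                continue
        i += 1
    return "deny", trace, p            # implicit default rule 65535


def demo():
    """Constructed packets covering the paths the ruleset comments describe."""
    natd = Natd()
    web = "93.184.216.34"   # constructed remote web server
    return {
        "http_from_lan":   walk(Pkt("tcp", "192.168.1.2", 5555, web, 80, "in", "tl0"), natd),
        "lan_to_internet": walk(Pkt("tcp", "192.168.1.2", 5556, web, 443, "out", "lnc0"), natd),
        "reply_to_lan":    walk(Pkt("tcp", web, 443, MACHINE, 40000, "in", "lnc0"), natd),
        "ssh_admin":       walk(Pkt("tcp", ADMIN, 51000, MACHINE, 22, "in", "lnc0"), natd),
        "ssh_stranger":    walk(Pkt("tcp", "198.51.100.99", 51000, MACHINE, 22, "in", "lnc0"), natd),
        "unsolicited":     walk(Pkt("tcp", "198.51.100.99", 4444, MACHINE, 40001, "in", "lnc0"), natd),
    }


if __name__ == "__main__":
    for name, (verdict, trace, pkt) in demo().items():
        print(f"{name:16} {verdict:22} via {trace}  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Running it shows the LAN host's outbound packet passing 31010, 34000 and 34010 with its source rewritten to the gateway address, the reply passing 30000 and then 30110 only because natd rewrote its destination back to the internal host, and an unsolicited packet to an unused port on the gateway falling through every allow rule to the logging deny at 33000.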