Hi Subhro, Thanks for your reply
The reason I want the server to route between the internal network and the router is because I only want to allow specific clients out onto the internet, and I can't see how to do this with the router I've got. Plus, it's a good excuse to try to learn something new :-)
You say it's expected that I can't ping. It's things like this that confuse me, due to lack of understanding on my part, I've allowed all traffic through. Of so I thought...
I've had a quick skim of the HOWTO, and it seems informative. But, it's still the IPFW rules that get me all confused
Ben
Subhro wrote:
Hi Ben,
First of all I must say you explained your requirements very well. Not many people can precisely say what they need. Bravo!
Let's get to the point now. First of all I d don't find a good reason why you would like to introduce your system (192.168.0.10) (Lets call it server) to work as a router although you have a dedicated router. You can be well off adding routes in the D-Link and be off with it. If you really want to live with your current setup, then you must decide whether you want to go with NAT or with transparent proxy. With your current setup, it is perfectly all right that you can't ping any external hosts. I would recommend that you go with NAT guarded by ipfw at the server. But you may also go with transparent proxy as it has its own advantages. Refer to the following page:
http://www.erudition.net/freebsd/NAT-HOWTO
This has a really good tutorial on setting up NAT
Regards Subhro
Subhro Sankha Kar Indian Institute of Information Technology Block AQ-13/1, Sector V Salt Lake City PIN 700091 India
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Quick Sent: Wednesday, January 07, 2004 11:05 PM To: [EMAIL PROTECTED] Subject: IPFW confusion
Hello all, I've been hunting around for information on IPFW, and how to set up the rules I require. I found a tutorial that seemed to fit my needs: http://www.mostgraveconcern.com/freebsd/ipfw.html
However, I can't get the config to work. I've commented out all the deny rules. In this instance, I can browse the web via SQUID that's installed on the IPFW box. I can't browse the web directly, though. That is the only external access I get. I can't ping any sites, DNS lookups fail (I've set the DNS servers on the client workstation to be that my ISP's. I also tried setting it to look at the IPFW box first, with no luck)
Can anyone offer help on this one? I'm getting stuck in a muddle of mis-understanding
My setup is as follows
Internal LAN is 192.168.0.x IPFW machine has 2 NIC's: rl0: 192.168.0.10 rl1: 172.16.200.10 rl1 connects directly to my DSL router (D-Link 504) which has an internal IP of 172.16.200.1 along with it's public IP on the DSL port
The ruleset I'd like is as follows
For client IP's of 192.168.0.1 - 192.168.0.20 allow the following HTTP \ HTTPS - But not directly, force them to use SQUID (Listening on port 8080, and using squidGuard for content filtering) POP3 - But, only so far as pop.myisp.com IMAP - But, only so far as imap.myisp.com SMTP - But, only so far as smtp.myisp.com DNS lookups - But, only with ns1.myisp.com and ns2.myisp.com NNTP - But, only so far as news.myisp.com FTP - To anywhere
For client IP's of 192.168.0.21 - 192.168.0.254 no access to anything external to the 192.168.0.x network should be granted
I'd like the IPFW box and 192.168.0.1 to be able to SSH out to anywhere.
I'd like to allow SSH inbound from a specific IP to be directed at the IPFW box (The port forwarding can be done with the DSL router) - SSH isn't currently listening on that interface, I'll get to that later :)
Does this sound like a reasonable ruleset? Is anyone willing to help me generate it?
Thanks
Ben
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
