I tried converting those iptables rules myself. How do they look?

# Allow Squid outbound access on port 8883 (Dansguardian)
ipfw add allow tcp from 192.168.0.154 to any dst-port 8883 out uid squid

# Allow Squid outbound access on port 80
ipfw add allow tcp from 192.168.0.154 to any dst-port 80 out uid squid

# Redirect all requests on port 80 to 8883 (Dansguardian)
ipfw add fwd 127.0.0.1,8883 tcp from not me to any dst-port 80

# Accept requests on port 3333 from nobody (Dansguardian user)
ipfw add allow tcp from 192.168.0.154 to any dst-port 3333 out uid nobody

# This is to allow clients on the same machine to go from browser -> dansguardian -> squid -> internet.
# Both services are running on the local loopback IP address.

On Thu, Sep 9, 2010 at 9:00 AM, Tony <[email protected]> wrote:
> Can someone please convert these iptables rules to IPFW
>
> # Allow Squid outbound access on port 8080 (Dansguardian)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT
>
> # Allow Squid outbound access on port 80
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
>
> # Don't redirect root on port 80
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
>
> # Don't redirect root on port 3128 (Squid)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT
>
> # Redirect all requests on port 80 to 8080 (Dansguardian)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>
> # Accept requests on port 3128 from nobody (Dansguardian user)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT
>
> # Redirect all other requests on port 3128 to 8080 to prevent users from
> # getting around Dansguardian by going directly to Squid
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
>
> # Delete the NOTRACK rule that SuSEfirewall2 adds to the raw table of
> # the OUTPUT chain
> iptables -t raw -D OUTPUT -o lo -j NOTRACK

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"
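The conversion asked for in the quoted message, written out as an added example that is not part of the thread: one ipfw rule per iptables nat/OUTPUT rule, with the exemptions ordered ahead of the redirects because ipfw stops at the first match. It assumes the ports and users from the quoted rules (DansGuardian on 127.0.0.1:8080, Squid on 127.0.0.1:3128, daemons running as squid, nobody and root); the DRY_RUN switch and the install_proxy_rules and rule function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw(8) ruleset mirroring the quoted
# iptables nat/OUTPUT policy. Assumptions: DansGuardian listens on 127.0.0.1:8080,
# Squid on 127.0.0.1:3128, and the daemons run as users squid, nobody and root.
# Like iptables' OUTPUT chain, every rule matches only locally generated traffic
# ("from me ... out"). fwd needs a kernel with forwarding support (always on
# since FreeBSD 10; older kernels need options IPFIREWALL_FORWARD).
DG_PORT="${DG_PORT:-8080}"
SQUID_PORT="${SQUID_PORT:-3128}"

# rule NUM ARGS...: load one rule, or print it when DRY_RUN is set so the
# ruleset can be reviewed without root and without touching the live firewall.
rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipfw add %s\n' "$*"
    else
        ipfw add "$@"
    fi
}

install_proxy_rules() {
    # Exemptions first: ipfw stops at the first matching rule, so these must
    # precede the fwd rules below (the same ordering the iptables list relies on).
    rule 100 allow tcp from me to any dst-port "$DG_PORT"    out uid squid   # squid -> dansguardian
    rule 110 allow tcp from me to any dst-port 80            out uid squid   # squid -> internet
    rule 120 allow tcp from me to any dst-port 80            out uid root    # root is never redirected
    rule 130 allow tcp from me to any dst-port "$SQUID_PORT" out uid root
    rule 140 allow tcp from me to any dst-port "$SQUID_PORT" out uid nobody  # dansguardian -> squid
    # Everything else on port 80 goes through DansGuardian (the iptables REDIRECT).
    rule 200 fwd "127.0.0.1,$DG_PORT" tcp from me to any dst-port 80 out
    # ... and so does direct traffic to Squid's port, so a local user cannot
    # bypass the filter by pointing a browser at 127.0.0.1:3128.
    rule 210 fwd "127.0.0.1,$DG_PORT" tcp from me to any dst-port "$SQUID_PORT" out
    # The quoted NOTRACK deletion is Linux conntrack housekeeping; ipfw has no equivalent.
}

# Apply with "sh proxy-rules.sh apply" as root, or with DRY_RUN=1 set to print the rules.
if [ "${1:-}" = "apply" ]; then
    install_proxy_rules
fi
```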
