Ben Quick wrote:
Hello all,
I've been hunting around for information on IPFW, and how to set up the rules I require. I found a tutorial that seemed to fit my needs:

However, I can't get the config to work. I've commented out all the deny rules. In this instance, I can browse the web via SQUID that's installed on the IPFW box. I can't browse the web directly, though. That is the only external access I get. I can't ping any sites, DNS lookups fail (I've set the DNS servers on the client workstation to be that my ISP's. I also tried setting it to look at the IPFW box first, with no luck)

Can anyone offer help on this one? I'm getting stuck in a muddle of mis-understanding

My setup is as follows

Internal LAN is 192.168.0.x
IPFW machine has 2 NIC's:
rl1 connects directly to my DSL router (D-Link 504) which has an internal IP of along with it's public IP on the DSL port

The ruleset I'd like is as follows

For client IP's of - allow the following
HTTP \ HTTPS - But not directly, force them to use SQUID (Listening on port 8080, and using squidGuard for content filtering)
POP3 - But, only so far as
IMAP - But, only so far as
SMTP - But, only so far as
DNS lookups - But, only with and
NNTP - But, only so far as
FTP - To anywhere

For client IP's of - no access to anything external to the 192.168.0.x network should be granted

I'd like the IPFW box and to be able to SSH out to anywhere.

I'd like to allow SSH inbound from a specific IP to be directed at the IPFW box (The port forwarding can be done with the DSL router) - SSH isn't currently listening on that interface, I'll get to that later :)

Does this sound like a reasonable ruleset? Is anyone willing to help me generate it?



Your best coarse of action is to add: 'ipfw add 65000 deny log all from any to any'. Then watch #/var/log/security for the hits as you attempt to access the internet. Build your firewall rules above the 65000 rule to eliminate the traffic from the log. The log will give you all the correct addresses and ports.

-Ryan Merrick

_______________________________________________ [EMAIL PROTECTED] mailing list To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to