> On Sun, 2 Aug 1998, Ashley M. Kirchner wrote:
> 
> >     Can IPmasq be used to block access to certain places on the net?
> > In other words, can I prevent my users, sitting on IPmasq machines, from
> > getting to certain web/ftp-sites (or anything else for that matter)?
> 
> Well, you can restrict access to particular sites from computers sitting
> *behind* an ip-masq firewall.  I don't know offhand of a simple way to
> restrict access from a user logged in on the firewall itself. 

The outgoing rules apply to the firewall host itself too. So all restrictions
on the outgoing rules (ipfwadm -O ...) apply to all forwarded local hosts,
all masqueraded local hosts and to the firewall host itself.

Of course, one can use the masquerading rule to limit access by using a
positive allow-mask instead of the 'wildcard' 0.0.0.0 as Dest-Address. E.g.:

    ipfwadm -Fa accept -m -S 192.168.0.0/16 -D 129.0.0.0/8

This limits all masq'ed hosts' access to only IP addresses starting with 129.

For (more complex) negative (deny-) masks you have to use firewall rules.
There is a firewall HOWTO somewhere, but at the moment I don't know where.
 
> >     If so, can someone give me a pointer?
> 
> Check out the ip masq mini-HOWTO and ipfwadm man pages, in particular the
> sections describing firewall (-F) rules. 
>

I think you got this wrong: -F does _not_ mean firewall, it stands for
'forward rules'. The whole set of -I, -O and -F is used for a firewall config :-)
 
> 
> |Frederick F. Gleason, Jr.|WAVA Radio - 105 FM |Voice: 1-(703)-807-2266   |
> |      Chief Engineer     |1901 N. Moore Street|  FAX: 1-(703)-807-2248   |
> |                         |Arlington, VA 22209 |  Web: HTTP://www.wava.com|
> 

Juergen P. Meier
______________________________________________________
Email: [EMAIL PROTECTED]
XEmacs is my Operating System, Linux my device driver.
--------------------------------------------------------------------------
Anyone sending unwanted advertising e-mail to this address will be charged
$25 for network traffic and computing time. By extracting my address from
this message or its header, you agree to these terms.
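
The rule behaviour described in the reply above, as an added example that is not part of the original post: a simplified first-match model of the forward and output chains. The default policies, the output deny rule and all sample addresses are constructed assumptions.

```python
import ipaddress

# Forward chain from the post: masquerade 192.168.0.0/16 only toward 129.0.0.0/8.
FORWARD_RULES = [("accept-masq", "192.168.0.0/16", "129.0.0.0/8")]
FORWARD_POLICY = "deny"    # assumption: default forward policy is deny
# Constructed output rule. It matches on destination only, so the model does
# not depend on which source address the output chain sees after masquerading.
OUTPUT_RULES = [("deny", "0.0.0.0/0", "129.10.0.0/16")]
OUTPUT_POLICY = "accept"   # assumption: default output policy is accept


def first_match(rules, policy, src, dst):
    """Return the action of the first rule matching src/dst, else the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return policy


def verdict(src, dst, local=False):
    """Decide the fate of an outbound packet.

    local=True models traffic created on the firewall host itself: it is
    never forwarded, so only the output chain is consulted.
    """
    if not local:
        if first_match(FORWARD_RULES, FORWARD_POLICY, src, dst) == "deny":
            return "denied by forward chain"
    if first_match(OUTPUT_RULES, OUTPUT_POLICY, src, dst) == "deny":
        return "denied by output chain"
    return "passed"


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        ("192.168.1.5", "129.187.10.1", False),  # inside allow-mask
        ("192.168.1.5", "130.1.1.1", False),     # outside allow-mask
        ("192.168.1.5", "129.10.3.4", False),    # allowed by -F, blocked by -O
        ("203.0.113.1", "129.10.3.4", True),     # firewall host, blocked by -O
        ("203.0.113.1", "130.1.1.1", True),      # firewall host, -F not applied
    ]
    for src, dst, local in samples:
        print(src, "->", dst, "local" if local else "forwarded", ":", verdict(src, dst, local))
```

The last two samples show why the allow-mask on the masquerading rule does not restrict users logged in on the firewall host, while an output rule does.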