Re: Using IPFW to bypass hotmail.com

2007-01-09 Thread Tek Bahadur Limbu

On Tue, 9 Jan 2007 15:28:44 +0100 (CET)
Oliver Fromme <[EMAIL PROTECTED]> wrote:

> Tek Bahadur Limbu wrote:
>  > I run a transparent squid proxy using IPFW below:
>  > 
>  > ipfw -q add allow tcp from 192.168.55.0/24 to any 3128 in via bge0
> 
> That's not the rule for transparent proxying.  For that you
> need a "forward" (or "fwd") rule, not an "allow" rule.
> (Of course, the "allow" rule above might still be needed,
> but it's not the one that actually enables the transparent
> proxying).
> 
>  > Now I want the IP: 192.168.55.22 to bypass Squid when requesting
>  > www.hotmail.com.
>  > 
>  > How do I go about doing this using IPFW? Can somebody shed some
>  > light on this issue?
> 
> Simply add an "allow" rule for that IP, and place it
> _before_ the "forward" (or "fwd") rule in your rule set:
> 
> allow tcp from 192.168.55.22 to www.hotmail.com
> 
> Note that the hostname is not resolved dynamically, but
> at the time the rule is added to the rule set.
> 
> Best regards
>Oliver

Dear Oliver Fromme,

Thanks for your input. I really appreciate it. I have rechecked my
firewall and I do have the following rule:

$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in


I have placed your rule on top of the above rules, like this:

ipfw -q add allow tcp from 192.168.55.22 to www.hotmail.com
ipfw -q add fwd 127.0.0.1,3128 tcp from any to any 80 in
ipfw -q add allow tcp from 192.168.55.0/24 to any 3128 in via bge0

Are the above rules correct ?


Once again, thanks a lot.



-- 
With best regards and good wishes,
Yours sincerely,

Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Using IPFW to bypass hotmail.com

2007-01-09 Thread Oliver Fromme
Tek Bahadur Limbu wrote:
 > I run a transparent squid proxy using IPFW below:
 > 
 > ipfw -q add allow tcp from 192.168.55.0/24 to any 3128 in via bge0

That's not the rule for transparent proxying.  For that you
need a "forward" (or "fwd") rule, not an "allow" rule.
(Of course, the "allow" rule above might still be needed,
but it's not the one that actually enables the transparent
proxying).

 > Now I want the IP: 192.168.55.22 to bypass Squid when requesting
 > www.hotmail.com.
 > 
 > How do I go about doing this using IPFW? Can somebody shed some light
 > on this issue?

Simply add an "allow" rule for that IP, and place it
_before_ the "forward" (or "fwd") rule in your rule set:

allow tcp from 192.168.55.22 to www.hotmail.com

Note that the hostname is not resolved dynamically, but
at the time the rule is added to the rule set.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"To this day, many C programmers believe that 'strong typing'
just means pounding extra hard on the keyboard."
-- Peter van der Linden


Re: Using IPFW to redirect all outgoing SMTP traffic to localhost

2006-06-22 Thread Chuck Swiger

Kieran Simkin wrote:

I have an IPFW question that I'm a bit stuck on and
could do with some help. Basically what I'm trying to do is count and
limit the number of e-mails each user on the system is allowed to send.
I've got this working fine within the e-mail server and everything's
dandy, except for the fact that it's easy to bypass the mail server by
making direct SMTP connections to the target hosts. 


Yes.  Use the firewall to do something like:

ipfw add pass tcp from any to MAILSERVER 25 keep-state
ipfw add pass tcp from MAILSERVER to any 25 keep-state
ipfw add unreach filter-prohib log tcp from any to any 25

(I suppose you could use a deny instead, but getting an actual ICMP error is 
probably more useful in this situation)


--
-Chuck



Re: Using IPFW & DUMMYNET with an existing IPFILTER/IPNAT setup for QoS

2004-08-12 Thread Siddhartha Jain
J. Seth Henry wrote:
| Hello,
| I have an existing FreeBSD based router/internet gateway system that is using
| ipfilter & ipnat. It performs quite well, and my wife would be mightily
| irritated if I screwed it up. :)
|
http://www.phildev.net/ipf/IPFfreebsd.html#12
HTH,
Siddhartha


RE: Using IPFW/NAT with multiport PCI cards

2004-03-30 Thread Toni Heinonen
> I am writing to request for advice/recommendations on the subject. I've
> been tasked to build a router/firewall based on FreeBSD. I'd like to use
> 5.2-RELEASE.
> 
> Now my only problem is that I have played a little with ipfw in a
> situation where I have just two interfaces, 1 external and 1 internal.
> My current requirement however involves one external interface and
> four (or more) internal interfaces (which should all be SEPARATE
> networks, invisible from each other).

Sure, this is possible. To tell you the truth, if you're not sure how to do it, the 
cheapest and easiest way would be to just get 4 ethernet cards for the internal 
interfaces. However, the most dynamic way would be to get an ethernet card that 
supports 802.1q or Cisco ISL, which are switch trunking protocols. You could then 
separate the networks into different virtual LANs in a switch, that was connected to 
the 802.1q NIC. That NIC would then have an IP address from each of the networks.

I'm not sure how 802.1q can be configured in FreeBSD, but that shouldn't be too hard - 
the more difficult part should be configuring the switch.


Re: Using IPFW/NAT with multiport PCI cards

2004-03-30 Thread Wayne Pascoe
On Tue, Mar 30, 2004 at 11:06:16AM +0300, Odhiambo Washington wrote:

> Now my only problem is that I have played a little with ipfw in a
> situation where I have just two interfaces, 1 external and 1 internal.
> My current requirement however involves one external interface and
> four (or more) internal interfaces (which should all be SEPARATE
> networks, invisible from each other).
>
> Is this doable? (I hope someone has done this before). I would say I am
> a total newbie on this one.

Not only is it doable, it's fairly trivial if you've done a 1 in, 1 out
ipfw firewall before. You just take that idea and grow it a little.

> 2. Guides/Pointers on HOWTO configure this WRT to ipfw configuration.
>Any minute gotchas/clues will be highly appreciated. URL links
>pointing to people's experiences also welcome.

Just set the firewall to deny by default and add your rules really...
Here's an example that would allow FTP to one network and HTTP to
another...

${fwcmd} add allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via xl0
${fwcmd} add allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via xl0

You can also have rules between your networks as well... This one allows
all machines on one of the protected networks to ssh to all machines in
the other network.

${fwcmd} add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 tcpflags syn keep-state in via xl1

Note the following things about this rule...

1. I've specified a source range to allow. 
2. I've used a different interface. This guarantees that this traffic
   isn't coming in via the main external interface, but that it is
   coming in on one of the protected interfaces.

Of course, everywhere I've used an entire range here, you could use a
single IP range. Combining IP addresses with via interface statements
lets you be pretty flexible :)

Hope this helps some ? 

-- 
Wayne Pascoe
BSD is for people who love UNIX; Linux is for
people who hate Windows 
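The three threads above turn on the same property of ipfw: rules are tried in order and the first match decides. Oliver's bypass only works if the allow precedes the fwd rule, and it keeps whatever address www.hotmail.com had when the rule was added; Chuck's policy lets the mail server's return traffic through only because keep-state records the flow; Wayne's "in via xl1" stops a packet that merely claims an inside source address but arrives on the outside interface. The Python below is an added example, not code from any of the posts or from ipfw itself: a small model of that evaluation run over constructed packets. The addresses 203.0.113.x, 198.51.100.x, 192.168.1.x and 192.168.2.x, the ports and the interface names are assumptions chosen for the demonstration; the fwd target 127.0.0.1,3128 and the network 192.168.55.0/24 come from the thread.

```python
"""Toy model of ipfw(8) first-match evaluation (added example, not code from any post;
addresses, ports and interface names are constructed for the demonstration)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    direction: str = "in"  # "in" or "out"
    iface: str = "bge0"    # interface the packet is seen on

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "deny", "unreach filter-prohib", "fwd"
    proto: str = "ip"
    src: str = "any"                 # host or CIDR, as in ipfw's "from"
    dst: str = "any"                 # host or CIDR, as in ipfw's "to"
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in" / "out"; None matches both
    iface: Optional[str] = None      # "via <iface>"; None matches any interface
    keep_state: bool = False
    target: str = ""                 # fwd destination, e.g. "127.0.0.1,3128"

def matches(rule: Rule, pkt: Packet) -> bool:
    # Static match of a rule body against a packet; dynamic state is handled in Firewall.
    if rule.proto not in ("ip", pkt.proto):
        return False
    for spec, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if spec != "any" and ipaddress.ip_address(addr) not in ipaddress.ip_network(spec, strict=False):
            return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return rule.iface is None or rule.iface == pkt.iface

class Firewall:
    """Rules run in the order added (ipfw numbers them 100, 200, ...); the first match wins."""
    def __init__(self, default: str = "deny"):
        self.rules = []
        self.default = default
        self.dynamic = set()  # flows opened by keep-state rules, stored in both directions

    def add(self, rule: Rule) -> "Firewall":
        self.rules.append(rule)
        return self

    def evaluate(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        checked_state = False
        for rule in self.rules:
            # ipfw consults the dynamic table at the first keep-state (or check-state) rule it meets.
            if rule.keep_state and not checked_state:
                checked_state = True
                if flow in self.dynamic:
                    return "allow"
            if not matches(rule, pkt):
                continue
            if rule.keep_state:
                self.dynamic.add(flow)
                self.dynamic.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return f"fwd {rule.target}" if rule.action == "fwd" else rule.action
        return self.default

# Scenario 1: transparent Squid, with 192.168.55.22 bypassing it for one site.
HOTMAIL_AT_ADD_TIME = "203.0.113.10"  # what the hostname resolved to when the rule was added
HOTMAIL_LATER = "203.0.113.11"        # a later address for the same name; the stored rule ignores it
def proxy_firewall(bypass_first: bool) -> Firewall:
    bypass = Rule("allow", "tcp", src="192.168.55.22", dst=HOTMAIL_AT_ADD_TIME)
    to_squid = Rule("fwd", "tcp", dport=80, direction="in", target="127.0.0.1,3128")
    fw = Firewall(default="allow")
    for r in ((bypass, to_squid) if bypass_first else (to_squid, bypass)):
        fw.add(r)
    return fw

# Scenario 2: outbound SMTP only from MAILSERVER; anything else on port 25 gets an ICMP error.
MAILSERVER = "192.168.1.25"
def smtp_firewall() -> Firewall:
    return (Firewall(default="deny")
            .add(Rule("allow", "tcp", dst=MAILSERVER, dport=25, keep_state=True))
            .add(Rule("allow", "tcp", src=MAILSERVER, dport=25, keep_state=True))
            .add(Rule("unreach filter-prohib", "tcp", dport=25)))

# Scenario 3: ssh between two inside networks, accepted only if it really arrived on xl1.
def ssh_firewall() -> Firewall:
    return Firewall(default="deny").add(Rule("allow", "tcp", src="192.168.1.0/24",
                                             dst="192.168.2.0/24", dport=22, direction="in", iface="xl1"))

if __name__ == "__main__":
    for first in (True, False):
        pkt = Packet("tcp", "192.168.55.22", HOTMAIL_AT_ADD_TIME, 40000, 80)
        print("bypass", "before" if first else "after", "fwd:", proxy_firewall(first).evaluate(pkt))
    print("site moved:", proxy_firewall(True).evaluate(Packet("tcp", "192.168.55.22", HOTMAIL_LATER, 40000, 80)))
    print("direct SMTP:", smtp_firewall().evaluate(Packet("tcp", "192.168.1.50", "198.51.100.7", 50001, 25)))
```

Run directly, the "site moved" line is the caveat Oliver raises: once www.hotmail.com answers from a different address, the stored allow rule no longer matches and the host is quietly sent through the proxy again. On a live box the same thing is visible in "ipfw list", which prints the resolved address rather than the hostname you typed.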


Re: using ipfw

2004-03-02 Thread Jonathan Arnold
Karan Gupta wrote:
> Newbie here so pls excuse if this question sounds trivial
Here's a bunch of links posted to questions a little while ago
for ipfw help:
http://freebsd.amazingdev.com/blog/archives/000112.html

--
Jonathan Arnold (mailto:[EMAIL PROTECTED])
Daemon Dancing in the Dark, a FreeBSD weblog:
http://freebsd.amazingdev.com/blog/


Re: using ipfw

2004-03-02 Thread Kevin D. Kinsey, DaleCo, S.P.
Karan Gupta wrote:

> Newbie here so pls excuse if this question sounds trivial
>
> I use a single BSD router to service 2 properties. I want ppl on prop A to
> get 1.024kbit/s and the ones on prop B to get 256kbit/s. Prop B is connected
> on the same network as prop A using a wireless device that has an IP within
> the network range. Can I add a pipe to limit data from the IP address of the
> wireless device to 256kbit/s & achieve what I desire?
>
> Karan Gupta
> (949) 355-4042
> [EMAIL PROTECTED]
> EdgeFocus Inc
> 65 Enterprise Aliso Viejo CA 92656

Something like this, for one pipe, assuming an xl NIC and
using your dotted quad IP's:
ipfw add pipe 1 tcp from any to ip.of.some.box via xl0
ipfw pipe 1 config bw 1024Kbit/s
You probably need to check that you have the following in
your kernel config
   options DUMMYNET
   options HZ=1000


HTH,

Kevin Kinsey
DaleCo, S.P.


Re: using ipfw and ipf/ipnat together

2004-02-17 Thread Fernando Gleiser
On Tue, 17 Feb 2004, Nelis Lamprecht wrote:

> Hi,
>
> I would like to make use of ipfw/dummynet traffic shaper and use it
> together with ipnat/ipf's filtering. Hope this is possible ?

It works fine.

>
> Can someone suggest what I would or would not need to use in my rc.conf
> and kernel please. I have selected the following ( FreeBSD 5.2R ):

It looks fine.

>
> Seeing as though I'm not using ipfw filtering I thought I could just
> allow everything through by default. Will dummynet still work if
> IPFIREWALL_DEFAULT_TO_ACCEPT is set ?

Yes, it will.




Fer
