I think it would be much easier to put the right filtering rules in to deny outbound
port http tcp/80 from all but the Wingate's IP.
Not sure offhand what they are, but I think something like the following. These
would, of course, go in the "manual setup" part of the GUI. This isn't quite right,
because I just tried it and didn't get the desired results. Anyone see my mistake?
Description of rules follows.
ipfwadm -O -p accept
ipfwadm -O -i accept -P tcp -S 192.168.0.100/32 -D 0.0.0.0/0 80
ipfwadm -O -i deny -P tcp -S 192.168.0.0/24 -D 0.0.0.0/0 80
1st line: set default outbound policy to accept. This is already true by default, but
I put it here because maybe that's my mistake? But I think if you set it to deny, too
much will get turned off (ICQ, etc.).
2nd line: For outbound ruleset, insert an accept rule allowing just the wingate to go
to the whole world on port tcp/80.
3rd line: For outbound ruleset, insert a deny rule denying all of the internal network
going to the whole world on port tcp/80.
The idea, of course, is for the permit rule to take precedence so the one machine is
allowed, but the other 253 host IPs on that 24 bit network are not allowed.
Why doesn't this work? I was trying it by using the IP of my (one) internal host as
the permit rule. But then I can't web anywhere... It didn't seem to matter the order
I put the two rules in. If you're playing with this, the following command removes all
rules for the -O direction (which there weren't any to begin with), setting things
back to rights. The second line below lists all rules. The third line is the help
for ipfwadm.
ipfwadm -O -f
ipfwadm -O -l
ipfwadm -h
Not sure why this fails...
At 07:53 AM 2/13/00 -0800, you wrote:
>You don't say what OS is on the Wingate server. If it's WinNT or Win98, you
>can bind two IP addresses to the NIC. And then change the subnet that the
>client workstations are on (say 192.168.1.x). Yes, it's possible to do this
>under Win98, but it's registry edits and I would recommend you look up the
>procedure in Microsoft documentation. WinNT makes it easy to bind two IP
>addresses, but putting two NICs in WinNT is easy and makes it harder to
>bypass the Wingate server as you can separate the two subnets completely.
>
>Lyle
>
>-----Original Message-----
>From: Affnan Ramli [mailto:[EMAIL PROTECTED]]
>Sent: Sunday, February 13, 2000 9:32 AM
>To: [EMAIL PROTECTED]
>Subject: [ShareTheNet] Proxy Caching Software and STN
>
>
>Hello,
>
>STN has been running fine for the last 18 months or so now. I have a problem; if
>anyone out there can help it would be great.
>
>I've been using Proxy Caching Software behind STN, namely Wingate, the reason being
>that I want the extra speed proxy software can give me, and the reliability of the STN
>connection for other services, namely ICQ, IRC, etc. etc., almost all.
>
>WWW browsing is done from the workstation via Wingate to STN and back; all other
>services go direct to STN. The Internet legislation over here is a bit
>strict, so I need to filter certain sites, namely xxx. Wingate will do the
>job fine. However it can be bypassed by selecting direct connection from
>Netscape or IE.
>
>Is there a way in STN to allow only one PC (the one running Wingate, let's say IP
>address 192.168.0.100) to access the WWW port, while the other ports for
>ICQ, RealAudio, etc. can be accessed by all?
>
>I really need this setup, so that I can stay within the law here.
>
>One alternative is to put 2 NICs in the Wingate machine, 1 NIC for STN and
>the other for the other workstations.
>
>Appreciate all the help I can get.
>
>Affnan
>
>P.S. Using Net Nanny/Cyber Patrol/Cyber Sitter from individual workstations
>proved to be useless.
>--
>Visit http://www.ShareTheNet.com for info about ShareTheNet
>Visit http://www.topica.com/lists/sharethenet for info about this list
>
Patrick Belliotti
PGP Key available at pgpkeys.mit.edu
PGP fingerprint: 705C B779 76B7 566F 78FC 6CC2 09F0 5EE6 C42D F0B7
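The rule-ordering question in the message above, as an added example that is not code from the ShareTheNet list or from ipfwadm itself: a small Python model of an ipfwadm-style output chain that parses the three posted commands and walks the chain for a few constructed packets. It assumes, as ipfwadm documents, that -i inserts a rule at the head of the chain and -a appends it at the tail, that the chain is checked top to bottom with the first matching rule deciding, and that the default policy applies when nothing matches. The sample names, the 192.168.0.50 client and the 198.51.100.10 destination are constructed; address masquerading is not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not code from the ShareTheNet list or from ipfwadm.
# Models the subset of ipfwadm -O syntax used in the message: -p, -f, -i, -a, -P, -S, -D port.


@dataclass(frozen=True)
class Rule:
    """One filter rule: the action plus the protocol/source/destination/port it matches."""
    action: str              # "accept" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "all"
    src: object              # ipaddress network for the source
    dst: object              # ipaddress network for the destination
    dport: Optional[int]     # destination port, None = any

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "all" or self.proto == proto)
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


@dataclass
class Chain:
    """An ordered rule list with a default policy; walked top to bottom, first match wins."""
    policy: str = "accept"
    rules: list = field(default_factory=list)

    def verdict(self, proto, src, dst, dport):
        for rule in self.rules:
            if rule.matches(proto, src, dst, dport):
                return rule.action
        return self.policy


def apply_command(chain, cmdline):
    """Apply one ipfwadm-style output-chain command to the chain (assumed semantics)."""
    toks = cmdline.split()
    if toks[:2] != ["ipfwadm", "-O"]:
        raise ValueError("only 'ipfwadm -O ...' is modelled")
    how = action = None
    proto, src, dst, dport = "all", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "-f":                       # flush all rules, keep the policy
            chain.rules.clear()
            return
        if t == "-p":                       # set the default policy
            chain.policy = toks[i + 1]
            return
        if t in ("-i", "-a"):               # insert at head / append at tail
            how, action = t, toks[i + 1]
            i += 2
        elif t == "-P":
            proto = toks[i + 1]
            i += 2
        elif t == "-S":
            src = ip_network(toks[i + 1])
            i += 2
        elif t == "-D":                     # destination network, optionally followed by a port
            dst = ip_network(toks[i + 1])
            i += 2
            if i < len(toks) and toks[i].isdigit():
                dport = int(toks[i])
                i += 1
        else:
            raise ValueError(f"unsupported token {t!r}")
    rule = Rule(action, proto, src, dst, dport)
    if how == "-i":
        chain.rules.insert(0, rule)         # ipfwadm -i: new rule goes to the head
    else:
        chain.rules.append(rule)            # ipfwadm -a: new rule goes to the tail


def build_chain(commands):
    chain = Chain()
    for cmd in commands:
        apply_command(chain, cmd)
    return chain


# Constructed traffic samples: (proto, src, dst, dport). 192.168.0.50 is a made-up client.
SAMPLES = {
    "wingate-web": ("tcp", "192.168.0.100", "198.51.100.10", 80),
    "other-host-web": ("tcp", "192.168.0.50", "198.51.100.10", 80),
    "other-host-icq": ("tcp", "192.168.0.50", "198.51.100.10", 5190),
}

# The three commands exactly as posted in the message.
AS_POSTED = [
    "ipfwadm -O -p accept",
    "ipfwadm -O -i accept -P tcp -S 192.168.0.100/32 -D 0.0.0.0/0 80",
    "ipfwadm -O -i deny -P tcp -S 192.168.0.0/24 -D 0.0.0.0/0 80",
]

# Same rules, but the deny is appended so the accept stays ahead of it.
APPEND_DENY = AS_POSTED[:2] + ["ipfwadm -O -a deny -P tcp -S 192.168.0.0/24 -D 0.0.0.0/0 80"]


def verdicts(commands):
    """Verdict for every sample packet under the chain built from the given commands."""
    chain = build_chain(commands)
    return {name: chain.verdict(*pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, cmds in (("as posted (both -i)", AS_POSTED), ("deny appended (-a)", APPEND_DENY)):
        print(label)
        for name, v in verdicts(cmds).items():
            print(f"  {name:16s} {v}")
```

Run as a script it prints the verdict for each sample under both rule sets. With both rules inserted via -i, the deny ends up ahead of the accept and the Wingate host is denied along with everyone else; appending the deny (or inserting it before the accept) leaves the accept ahead, so only the Wingate host reaches port 80 while port 5190 stays open for all. The model checks ordering only: if swapping the order changes nothing on the real router, the chain may not be seeing the private source address at all (masquerading can rewrite it before these rules are consulted), and `ipfwadm -O -l` shows the chain in the order it is walked.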