Squid redirection and firewall
- To: afnog at afnog.org
- Subject: Squid redirection and firewall
- From: Sewa AGBODJAN <sewa at cafe.tg>
- Date: Mon, 17 Jun 2002 12:36:50 +0000
- Content-Transfer-Encoding: 7bit
- Content-Type: text/plain; charset=us-ascii
- Delivered-To: afnog-archive at lists.eahd.or.ug
- Delivered-To: afnog-outgoing at afnog.org
- Delivered-To: afnog at afnog.org
- Reply-To: Sewa AGBODJAN <sewa at cafe.tg>
- Sender: owner-afnog at afnog.org
Hi,
I'm running a FreeBSD box as a router. This router links our local
network to the DMZ and also works as a firewall. Its main goal
is to deny TCP connections from the outside to the inside.
On this machine I'm also running Squid, doing interception for all WWW
traffic coming from the local network and WWW redirection coming from the
border gateway.
For interception I'm using a forwarding rule redirecting port 80 to
3128 (Squid).
For this purpose I use these ipfw test rules:
ipfw add allow tcp from Outside Interface to any
ipfw add fwd 127.0.0.1,3128 tcp from any to any 80
ipfw add allow all from any to any
All is working well and there is no problem.

                    (vr0)          (ed0)
(Local net)           |              |
----------------------|              |-----------(Border Gateway)---(Internet Cloud)
                 (Int intf)     (Outside intf)
In writing my ipfw rules for denying incoming TCP connections and some
other stuff, I used these rules and Squid interception did not work anymore.
I really don't know what I have done wrong. If you know it, could you help me,
please?
Here are my rules:
#Standard rules
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from Localnet/26 to any in recv ed0
00500 0 0 deny ip from externalnet/26 to any in recv vr0
00600 0 0 deny ip from any to 10.0.0.0/8 via ed0
00700 0 0 deny ip from any to 172.16.0.0/12 via ed0
00800 0 0 deny ip from any to 192.168.0.0/16 via ed0
00900 0 0 deny ip from any to 0.0.0.0/8 via ed0
01000 0 0 deny ip from any to 169.254.0.0/16 via ed0
01100 0 0 deny ip from any to 192.0.2.0/24 via ed0
01200 166 25172 allow ip from any to 224.0.0.0/4 via ed0
01300 62 11444 allow ip from any to 240.0.0.0/4 via ed0
01400 0 0 deny ip from 10.0.0.0/8 to any via ed0
01500 0 0 deny ip from 172.16.0.0/12 to any via ed0
01600 0 0 deny ip from 192.168.0.0/16 to any via ed0
01700 0 0 deny ip from 0.0.0.0/8 to any via ed0
01800 0 0 deny ip from 169.254.0.0/16 to any via ed0
01900 0 0 deny ip from 192.0.2.0/24 to any via ed0
02000 0 0 deny ip from 224.0.0.0/4 to any via ed0
02100 0 0 deny ip from 240.0.0.0/4 to any via ed0
#Main rules
02200 15323 8182114 allow tcp from any to any established
02300 0 0 allow tcp from any to any frag
02400 0 0 allow tcp from ed0_ip to any 80,443 setup
02450 145 7296 fwd 127.0.0.1,3128 tcp from any to any 80
02500 0 0 allow ospf from any to any
02600 0 0 allow udp from ed0_ip 520 to any
02700 0 0 allow udp from any to ed0_ip 520
02800 102 4896 deny log tcp from any to any in recv ed0 setup
02900 181 9024 allow tcp from any to any setup
03000 22 2960 allow udp from ed0_ip to any 53 keep-state
03100 188 23698 allow udp from Localnetwork to any 53 keep-state
65535 6894 811801 deny ip from any to any
PS: Without the forwarding rule WWW works correctly.
Sewa
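The question above turns on ipfw's first-match evaluation: a packet is handled by the first rule whose protocol, addresses, ports and options all match, and later rules are never consulted. The script below is an added example, not part of the post and not the poster's configuration. It implements a small evaluator for the subset of ipfw syntax used in the posted ruleset (allow/deny/fwd, address and port lists, via, in, recv, setup, established, frag) and replays constructed packets through an excerpt of the posted rules. The addresses substituted for the placeholders `Localnet`, `externalnet`, `Localnetwork` and `ed0_ip`, and the client and web-server hosts, are constructed documentation-range values, not the poster's real addresses.

```python
"""Replay constructed packets through an ipfw-style first-match ruleset."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the placeholders in the posted rules
# (documentation ranges, not the poster's real addresses).
NAMES = {"Localnet": "198.51.100.0", "Localnetwork": "198.51.100.0/26",
         "externalnet": "203.0.113.0", "ed0_ip": "203.0.113.2"}

# Excerpt of the posted ruleset (ipfw list syntax, counters stripped).
RULESET = """
00400 deny ip from Localnet/26 to any in recv ed0
00500 deny ip from externalnet/26 to any in recv vr0
02200 allow tcp from any to any established
02300 allow tcp from any to any frag
02400 allow tcp from ed0_ip to any 80,443 setup
02450 fwd 127.0.0.1,3128 tcp from any to any 80
02800 deny log tcp from any to any in recv ed0 setup
02900 allow tcp from any to any setup
03100 allow udp from Localnetwork to any 53 keep-state
65535 deny ip from any to any
"""

# Grammar of the rule subset above: number, action (optional fwd target,
# optional log), protocol, "from" src [ports], "to" dst [ports], options.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|fwd)(?:\s+(?P<fwdto>[\d.]+,\d+))?"
    r"(?:\s+log)?\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d[\d,]*))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d[\d,]*))?(?P<opts>(?:\s+\S+)*)\s*$")


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    recv: str                      # interface the packet arrived on
    xmit: str = None               # outgoing interface, if known
    direction: str = "in"          # which firewall pass: "in" or "out"
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    frag: bool = False


def addr_match(spec, ip):
    """Match an address spec ("any", host, net/mask or a NAMES placeholder)."""
    if spec == "any":
        return True
    m = re.match(r"([A-Za-z_]\w*)(.*)", spec)  # placeholder name + optional mask
    if m:
        spec = NAMES[m.group(1)] + m.group(2)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    return spec is None or port in {int(p) for p in spec.split(",")}


def opts_match(tokens, pkt):
    """Evaluate the rule options; keep-state and log do not affect matching."""
    it = iter(tokens)
    for tok in it:
        if tok == "via" and next(it) not in (pkt.recv, pkt.xmit):
            return False
        elif tok == "recv" and next(it) != pkt.recv:
            return False
        elif tok in ("in", "out") and pkt.direction != tok:
            return False
        elif tok == "setup" and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return False
        elif tok == "established" and not pkt.flags & {"ACK", "RST"}:
            return False
        elif tok == "frag" and not pkt.frag:
            return False
    return True


def parse(ruleset):
    rules = []
    for line in ruleset.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append(m.groupdict())
    return rules


def first_match(rules, pkt):
    """Return (rule number, action) of the first rule that matches pkt."""
    for r in rules:
        if r["proto"] not in ("ip", pkt.proto):
            continue
        if not addr_match(r["src"], pkt.src) or not addr_match(r["dst"], pkt.dst):
            continue
        if not port_match(r["sport"], pkt.sport) or not port_match(r["dport"], pkt.dport):
            continue
        if not opts_match(r["opts"].split(), pkt):
            continue
        return int(r["num"]), r["action"]
    return None


RULES = parse(RULESET)
CLIENT = "198.51.100.10"   # constructed host on the local net (arrives on vr0)
WEB = "203.0.113.200"      # constructed web server beyond the border gateway


def trace_web_packets():
    """First matching rule for the packets of one intercepted web request."""
    client_syn = Packet("tcp", CLIENT, WEB, 40000, 80, recv="vr0", flags={"SYN"})
    client_ack = Packet("tcp", CLIENT, WEB, 40000, 80, recv="vr0", flags={"ACK"})
    inbound_syn = Packet("tcp", WEB, NAMES["ed0_ip"], 51000, 80, recv="ed0", flags={"SYN"})
    return {"client_syn": first_match(RULES, client_syn),
            "client_ack": first_match(RULES, client_ack),
            "inbound_syn": first_match(RULES, inbound_syn)}


if __name__ == "__main__":
    for name, (num, action) in trace_web_packets().items():
        print(f"{name:12s} -> rule {num:05d} {action}")
```

Run as written, the trace reports that the client's initial SYN reaches rule 02450 and is forwarded to Squid, but the ACK-carrying packets of the same connection are consumed by rule 02200 (`established`) before the fwd rule is reached, so only the first packet of each connection is diverted; in the earlier test ruleset the fwd rule preceded the blanket allow, so every packet was diverted. The third packet shows a second property of the posted ruleset worth checking when writing interception rules: a SYN to port 80 arriving on ed0 also matches 02450, because the fwd rule carries no `in recv vr0` restriction, and so it is diverted to Squid before the `deny ... in recv ed0 setup` rule at 02800 is consulted.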
-----
This is the afnog mailing list, managed by Majordomo 1.94.5
To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)
This list is maintained by owner-afnog at afnog.org