IPFilter and Squid Trans. proxy

From: Kenneth Karlsson (none@KAK--networkpeople.dk.lh.bsd-dk.dk)
Date: Sat 01 Feb 2003 - 13:40:07 CET


To: <none@bsd-dk--bsd-dk.dk.lh.bsd-dk.dk>


I have set up a FreeBSD machine with IPFilter in the kernel and Squid as a
transparent proxy.

I am now struggling to get the filter rules in IPFilter right; the NAT part
itself works, and the users are proxied as they should be.

The network looks like this:

   *** Internet
    |
    | 212.x.x.x
   *** RTR (Cybercity)
    | 10.10.10.1/24
    |
    | 10.10.10.2/24
   *** FreeBSD
    | 172.16.21.134/24
    |
*********** (LAN 172.16.21.0/24)

These are my rules in /etc/ipnat.rules (fxp0 is external, xl0 is internal):
-------------------------------

# INTERNAL REDIRECTION
rdr xl0 0.0.0.0/0 port 80 -> 172.16.21.134 port 3128

# EXTERNAL REDIRECTION
rdr fxp0 0.0.0.0/0 port 80 -> 172.16.21.2 port 80
rdr fxp0 0.0.0.0/0 port 21 -> 172.16.21.233 port 21

And my /etc/ipf.rules:
------------------------
# LO access
pass in quick on lo0 all
pass out quick on lo0 all

# SSH Access to localhost
pass in quick on fxp0 proto tcp from 213.237.34.160/32 to any port = 22 flags S keep state
pass in quick on xl0 proto tcp from any to 172.16.21.134/32 port = 22 flags S keep state

# ICMP access
pass in quick on xl0 proto icmp from any to 172.16.21.134/32 keep state
pass in quick on fxp0 proto icmp from any to any keep state

# WWW access
pass in quick proto tcp from any to any port = 80 flags S/SA keep state keep frags
pass out quick proto tcp from any to any port = 80 flags S/SA keep state keep frags
pass in proto tcp from any to any port = 3128 flags S keep state
pass out proto tcp from any to any port = 3128 flags S keep state

# DNS Access
pass in quick on xl0 proto udp from any to any port = 53 keep state

# SMTP access
pass in quick on xl0 proto tcp from 172.16.21.233/32 to any port = 25 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 25 flags S/SA keep state
pass out quick proto tcp from any to any port = 25 flags S/SA keep state

# FTP Access
#pass in quick on fxp0 from any to 172.16.21.233/32 port = 21

pass in all
pass out all
#block in all

And of course it works right now, because the last 2 lines catch everything
that doesn't match a rule.

My problem, as mentioned, is the WWW access: it does count up on the filter,
but the clients just get stuck and can't get out onto the net when I remove
the last 2 lines.

Any good ideas?!

Kenneth Karlsson
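To reason about a rule set like the one above on paper, here is an added example (not from the post or from IPFilter itself) that models IPFilter's evaluation order for a subset of the syntax: an inbound packet is passed through the ipnat rdr rules before the filter sees it, in the filter the last matching rule wins unless a matching rule is `quick`, and when nothing matches the kernel's default policy decides (pass, or block if built with IPFILTER_DEFAULT_BLOCK). The rule excerpts, the client and resolver addresses, and the `default` parameter are constructed for the example; run on the redirected WWW request it shows that the packet reaches the filter with destination port 3128, so it is the 3128 rule and not the port 80 rule that decides it, while the proxy host's own outbound DNS query matches no rule at all.

```python
import ipaddress
import re

# Constructed excerpts from the post's ipnat.rules / ipf.rules (one rule per line).
IPNAT = "rdr xl0 0.0.0.0/0 port 80 -> 172.16.21.134 port 3128\n"
IPF = """\
pass in quick proto tcp from any to any port = 80 flags S/SA keep state
pass out quick proto tcp from any to any port = 80 flags S/SA keep state
pass in proto tcp from any to any port = 3128 flags S keep state
pass out proto tcp from any to any port = 3128 flags S keep state
pass in quick on xl0 proto udp from any to any port = 53 keep state
"""
RDR_RE = re.compile(r"rdr (\S+) (\S+) port (\d+) -> (\S+) port (\d+)")
RULE_RE = re.compile(r"(pass|block) (in|out)( quick)?(?: on (\S+))?(?: proto (\S+))?"
                     r"(?: from (\S+) to (\S+)(?: port = (\d+))?| all)")

def in_net(addr, spec):
    """Address matcher: None (from a rule using 'all'), 'any', or a CIDR/host spec."""
    return spec in (None, "any") or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def apply_rdr(pkt, ipnat=IPNAT):
    """Inbound NAT runs before the filter: rewrite dst/dport on an rdr hit."""
    if pkt["dir"] == "in":
        for iface, net, port, new_dst, new_port in RDR_RE.findall(ipnat):
            if iface == pkt["iface"] and in_net(pkt["dst"], net) and pkt["dport"] == int(port):
                return {**pkt, "dst": new_dst, "dport": int(new_port)}
    return pkt

def filter_packet(pkt, ipf=IPF, default="pass"):
    """Return (verdict, matching rule). Last match wins unless the match is quick;
    `default` models the kernel policy when nothing matches (constructed parameter)."""
    verdict, hit = default, None
    for line in ipf.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, and rule forms outside this model
        action, direction, quick, iface, proto, src, dst, dport = m.groups()
        if direction != pkt["dir"] or (iface and iface != pkt["iface"]) \
           or (proto and proto != pkt["proto"]) or not in_net(pkt["src"], src) \
           or not in_net(pkt["dst"], dst) or (dport and int(dport) != pkt["dport"]):
            continue
        verdict, hit = action, line
        if quick:
            break
    return verdict, hit

def evaluate(pkt, default="pass"):
    """Packet path as IPFilter orders it for inbound traffic: NAT first, then the filter."""
    return filter_packet(apply_rdr(pkt), IPF, default)
```

Try `evaluate` with `default="block"` and with `default="pass"` on the same packets to see which flows change verdict only because of the default policy.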



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:27 CET