
Squid redirection and firewall



Hi,

I'm running a FreeBSD box as a router. This router links our local
network to the DMZ and also works as a firewall. Its main goal
is to deny TCP connections from the outside to the inside.

On this machine I'm also running Squid, doing interception for all www
traffic coming from the local network and www redirection coming from the
border gateway.

 For interception I'm doing a forwarding rule redirecting port 80 to
3128 (Squid).

 For this purpose I use these ipfw test rules:


ipfw add allow tcp from Outside Interface to any
ipfw add fwd 127.0.0.1,3128 tcp from any to any 80
ipfw add allow all from any to any

 All is working well and there is no problem.


            (vr0)     (ed0)
 (Local net) |        |
 ------------|        |-----------(Border Gateway)---(InternetCloud)
 (Int intf)  |        | (Outside intf)



 While writing my ipfw rules for denying incoming TCP connections and some
other stuff, I used these rules and Squid interception did not work anymore.
I really don't know what I have done wrong. If you know, could you help me,
please?

 Here are my rules:

 #Standard rules
 00100     0       0 allow ip from any to any via lo0
 00200     0       0 deny ip from any to 127.0.0.0/8
 00300     0       0 deny ip from 127.0.0.0/8 to any
 00400     0       0 deny ip from Localnet/26 to any in recv ed0
 00500     0       0 deny ip from externalnet/26 to any in recv vr0
 00600     0       0 deny ip from any to 10.0.0.0/8 via ed0
 00700     0       0 deny ip from any to 172.16.0.0/12 via ed0
 00800     0       0 deny ip from any to 192.168.0.0/16 via ed0
 00900     0       0 deny ip from any to 0.0.0.0/8 via ed0
 01000     0       0 deny ip from any to 169.254.0.0/16 via ed0
 01100     0       0 deny ip from any to 192.0.2.0/24 via ed0
 01200   166   25172 allow ip from any to 224.0.0.0/4 via ed0
 01300    62   11444 allow ip from any to 240.0.0.0/4 via ed0
 01400     0       0 deny ip from 10.0.0.0/8 to any via ed0
 01500     0       0 deny ip from 172.16.0.0/12 to any via ed0
 01600     0       0 deny ip from 192.168.0.0/16 to any via ed0
 01700     0       0 deny ip from 0.0.0.0/8 to any via ed0
 01800     0       0 deny ip from 169.254.0.0/16 to any via ed0
 01900     0       0 deny ip from 192.0.2.0/24 to any via ed0
 02000     0       0 deny ip from 224.0.0.0/4 to any via ed0
 02100     0       0 deny ip from 240.0.0.0/4 to any via ed0

 #Main rules
 02200 15323 8182114 allow tcp from any to any established
 02300     0       0 allow tcp from any to any frag
 02400     0       0 allow tcp from ed0_ip to any 80,443 setup
 02450   145    7296 fwd 127.0.0.1,3128 tcp from any to any 80
 02500     0       0 allow ospf from any to any
 02600     0       0 allow udp from ed0_ip 520 to any
 02700     0       0 allow udp from any to ed0_ip 520
 02800   102    4896 deny log tcp from any to any in recv ed0 setup
 02900   181    9024 allow tcp from any to any setup
 03000    22    2960 allow udp from ed0_ip to any 53 keep-state
 03100   188   23698 allow udp from Localnetwork to any 53 keep-state
 65535  6894  811801 deny ip from any to any

 PS: Without the forwarding rule, www works correctly.

 Sewa

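The following is an added example, not part of the post above and not ipfw's own code: a small first-match simulator for the subset of ipfw syntax the poster uses, so the listing can be traced rule by rule for a given packet. The addresses behind the post's placeholder names (Localnet, externalnet, ed0_ip, Localnetwork) are constructed stand-ins, the packets are constructed, keep-state is matched statically (dynamic rules are not modelled), and the packet/byte counters from the listing are dropped.

```python
# Added example (not from the post): first-match simulator for the ipfw subset
# used in the listing. Placeholder addresses and packets are constructed.
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

NAMES = {"Localnet": "10.10.10.0", "Localnetwork": "10.10.10.0/26",  # constructed
         "externalnet": "198.51.100.0", "ed0_ip": "198.51.100.2"}  # stand-ins

BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
          "169.254.0.0/16", "192.0.2.0/24"]
MCAST = ["224.0.0.0/4", "240.0.0.0/4"]

# The poster's listing; rules 00600-02100 are regenerated from the lists above.
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from Localnet/26 to any in recv ed0
00500 deny ip from externalnet/26 to any in recv vr0
02200 allow tcp from any to any established
02300 allow tcp from any to any frag
02400 allow tcp from ed0_ip to any 80,443 setup
02450 fwd 127.0.0.1,3128 tcp from any to any 80
02500 allow ospf from any to any
02600 allow udp from ed0_ip 520 to any
02700 allow udp from any to ed0_ip 520
02800 deny log tcp from any to any in recv ed0 setup
02900 allow tcp from any to any setup
03000 allow udp from ed0_ip to any 53 keep-state
03100 allow udp from Localnetwork to any 53 keep-state
65535 deny ip from any to any
""".splitlines()
RULESET += [f"{600 + 100 * i:05d} deny ip from any to {b} via ed0" for i, b in enumerate(BOGONS)]
RULESET += [f"{1200 + 100 * i:05d} allow ip from any to {m} via ed0" for i, m in enumerate(MCAST)]
RULESET += [f"{1400 + 100 * i:05d} deny ip from {b} to any via ed0" for i, b in enumerate(BOGONS + MCAST)]

RULE_RE = re.compile(r"^(\d+) (?:(fwd) (\S+)|(allow|deny)) (?:log )?(\S+) from (\S+)"
                     r"(?: (\d[\d,]*))? to (\S+)(?: (\d[\d,]*))?(.*)$")
Rule = namedtuple("Rule", "num action target proto src sports dst dports opts")

def net(tok):  # 'any' -> None; placeholder names resolve to the constructed addresses
    base, _, plen = tok.partition("/")
    base = NAMES.get(base, base)
    return None if tok == "any" else ip_network(f"{base}/{plen}" if plen else base, strict=False)

def ports(tok):  # "80,443" -> {80, 443}; absent port list -> None (match any port)
    return None if tok is None else {int(p) for p in tok.split(",")}

def parse_rule(line):
    num, fwd, target, act, proto, src, sp, dst, dp, rest = RULE_RE.match(line).groups()
    toks, opts = rest.split(), {}
    while toks:  # options: via/recv/xmit take an interface argument, the rest are flags
        o = toks.pop(0)
        opts[o] = toks.pop(0) if o in ("via", "recv", "xmit") else True
    return Rule(int(num), fwd or act, target, proto, net(src), ports(sp), net(dst), ports(dp), opts)

def matches(r, p):
    """Static ipfw match; keep-state is treated as a plain match (no dynamic rules)."""
    o, f = r.opts, p["flags"]
    return (
        (r.proto == "ip" or r.proto == p["proto"])
        and (r.src is None or ip_address(p["src"]) in r.src)
        and (r.dst is None or ip_address(p["dst"]) in r.dst)
        and (r.sports is None or p["sport"] in r.sports)
        and (r.dports is None or p["dport"] in r.dports)
        and ("via" not in o or o["via"] in (p["recv"], p["xmit"]))
        and ("recv" not in o or o["recv"] == p["recv"])
        and ("in" not in o or p["dir"] == "in")
        and ("out" not in o or p["dir"] == "out")
        and ("setup" not in o or ("syn" in f and "ack" not in f))
        and ("established" not in o or bool(f & {"ack", "rst"}))
        and ("frag" not in o or p["frag"])
    )

def first_match(rules, p):
    """Return (rule number, verdict) of the first matching rule, as ipfw evaluates it."""
    for r in rules:
        if matches(r, p):
            return r.num, (f"{r.action} {r.target}" if r.target else r.action)

def pkt(proto, src, sport, dst, dport, direction, recv=None, xmit=None, flags=()):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                dir=direction, recv=recv, xmit=xmit, flags=set(flags), frag=False)

RULES = sorted(map(parse_rule, RULESET), key=lambda r: r.num)

# Constructed packets: a LAN client SYN arriving on vr0, Squid's own SYN leaving
# via ed0, Squid's reply back to the client, and an unsolicited SYN from outside.
CLIENT_SYN = pkt("tcp", "10.10.10.5", 40000, "203.0.113.10", 80, "in", recv="vr0", flags=["syn"])
SQUID_SYN = pkt("tcp", "198.51.100.2", 50000, "203.0.113.10", 80, "out", xmit="ed0", flags=["syn"])
SQUID_REPLY = pkt("tcp", "203.0.113.10", 80, "10.10.10.5", 40000, "out", xmit="vr0", flags=["ack"])
OUTSIDE_SYN = pkt("tcp", "203.0.113.10", 4444, "198.51.100.2", 22, "in", recv="ed0", flags=["syn"])

if __name__ == "__main__":
    for name, p in [("client SYN in vr0", CLIENT_SYN), ("squid SYN out ed0", SQUID_SYN),
                    ("squid reply out vr0", SQUID_REPLY), ("outside SYN in ed0", OUTSIDE_SYN)]:
        print(f"{name:20s} -> rule {first_match(RULES, p)}")
    # Order matters: without 02400, Squid's own outbound SYN reaches the fwd rule.
    print("squid SYN, no 02400  ->", first_match([r for r in RULES if r.num != 2400], SQUID_SYN))
```

Run it as-is and each constructed packet is reported with the rule number that decides it, which is the same question `ipfw show` counters answer after the fact. The last line removes rule 02400 from the list to show why the order of the allow and fwd rules matters: any port-80 SYN the proxy host itself emits, if not allowed first, is matched by the `fwd 127.0.0.1,3128` rule like a client's would be. A real diagnosis still needs the dynamic-state behaviour and the live counters, which this simulator does not have.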

-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org