
Re: Squid redirection and firewall




The best thing here is to apply your rules one by one manually until the
point at which the redirection ceases to work. You will then know which
particular rule is giving you a problem.
However, since you say that www works correctly without the forwarding rule,
my best guess is this rule:

>  00300     0       0 deny ip from 127.0.0.0/8 to any

yet on the other hand you put:

>  02450   145    7296 fwd 127.0.0.1,3128 tcp from any to any 80

Now the problem may be with the order of the rules. Try putting the fwd
rule before the deny rule and see what happens.

Noah.



On Mon, 17 Jun 2002, Sewa AGBODJAN wrote:

> Hi,
>
> I'm running a FreeBSD box as a router. This router links our local
> network to the DMZ and also works as a firewall. Its main goal
> is to deny TCP connections from the outside to the inside.
>
> On this machine i'm also running squid doing interception for all www
> coming from the local network and www redirection coming from the
> border gateway.
>
>  For interception I'm using a forwarding rule redirecting port 80 to
> 3128 (Squid).
>
>  For this purpose I use these ipfw test rules:
>
>
> ipfw add  allow tcp from Outside Interface to any
> ipfw add  fwd 127.0.0.1,3128 tcp from any to any 80
> ipfw add  allow all from any to any
>
>  All works well and there is no problem.
>
>
>             (vr0)     (ed0)
>  (Local net) |        |
>  ------------|        |-----------(Border Gateway)---(InternetCloud)
>  (Int intf)  |        | (Outside intf)
>
>
>
>  In writing my ipfw rules for denying incoming TCP connections and some
> other stuff, I used these rules and Squid interception did not work anymore.
> I really don't know what I have done wrong. If you know, could you help me,
> please?
>
>  Here are my rules:
>
>  #Standard rules
>  00100     0       0 allow ip from any to any via lo0
>  00200     0       0 deny ip from any to 127.0.0.0/8
>  00400     0       0 deny ip from Localnet/26 to any in recv ed0
>  00500     0       0 deny ip from externalnet/26 to any in recv vr0
>  00600     0       0 deny ip from any to 10.0.0.0/8 via ed0
>  00700     0       0 deny ip from any to 172.16.0.0/12 via ed0
>  00800     0       0 deny ip from any to 192.168.0.0/16 via ed0
>  00900     0       0 deny ip from any to 0.0.0.0/8 via ed0
>  01000     0       0 deny ip from any to 169.254.0.0/16 via ed0
>  01100     0       0 deny ip from any to 192.0.2.0/24 via ed0
>  01200   166   25172 allow ip from any to 224.0.0.0/4 via ed0
>  01300    62   11444 allow ip from any to 240.0.0.0/4 via ed0
>  01400     0       0 deny ip from 10.0.0.0/8 to any via ed0
>  01500     0       0 deny ip from 172.16.0.0/12 to any via ed0
>  01600     0       0 deny ip from 192.168.0.0/16 to any via ed0
>  01700     0       0 deny ip from 0.0.0.0/8 to any via ed0
>  01800     0       0 deny ip from 169.254.0.0/16 to any via ed0
>  01900     0       0 deny ip from 192.0.2.0/24 to any via ed0
>  02000     0       0 deny ip from 224.0.0.0/4 to any via ed0
>  02100     0       0 deny ip from 240.0.0.0/4 to any via ed0
>
>  #Main rules
>  02200 15323 8182114 allow tcp from any to any established
>  02300     0       0 allow tcp from any to any frag
>  02400     0       0 allow tcp from ed0_ip to any 80,443 setup
>  02500     0       0 allow ospf from any to any
>  02600     0       0 allow udp from ed0_ip 520 to any
>  02700     0       0 allow udp from any to ed0_ip 520
>  02800   102    4896 deny log tcp from any to any in recv ed0 setup
>  02900   181    9024 allow tcp from any to any setup
>  03000    22    2960 allow udp from ed0_ip to any 53 keep-state
>  03100   188   23698 allow udp from Localnetwork to any 53 keep-state
>  65535  6894  811801 deny ip from any to any
>
>  PS: Without the forwarding rule, WWW works correctly.
>
>  Sewa
>
>
> -----
> This is the afnog mailing list, managed by Majordomo 1.94.5
>
> To send a message to this list, e-mail afnog at afnog.org
> To send a request to majordomo, e-mail majordomo at afnog.org and put
> your request in the body of the message (i.e use "help" for help)
>
> This list is maintained by owner-afnog at afnog.org
>
>
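Noah's advice is to find the rule that swallows the traffic before the fwd rule gets to see it. ipfw evaluates rules in number order, stateless unless keep-state is used, and the first terminating action (allow, deny or fwd) wins for that packet; fwd is therefore applied only to the individual packets that actually reach it, and transparent proxying needs every packet of the client's connection to hit it, not only the SYN. The script below is an added example, not code from the thread: a first-match walk over the posted rule set for a client SYN and for a later ACK of the same connection, with the fwd rule absent, at 02450 (where Noah quotes it) and moved ahead of the established rule. The values substituted for Localnet/26, externalnet/26 and ed0_ip, and the client and web server addresses, are constructed from the RFC 5737 documentation ranges. Run it and the walk shows that at 02450 the SYN is redirected to Squid but every following packet is accepted by rule 02200 (established) and leaves for the real server un-redirected; any position ahead of 02200 redirects the whole connection, which is what moving the fwd rule earlier, as Noah suggests, achieves.

```python
"""First-match walk of the posted ipfw rule set (added example, not code from the thread)."""
import ipaddress

LOCALNET = "198.51.100.0/26"   # assumed value for Localnet/26 (inside, vr0); constructed
EXTNET = "203.0.113.0/26"      # assumed value for externalnet/26 (outside, ed0); constructed
ED0_IP = "203.0.113.1"         # assumed value for ed0_ip; constructed

# The numbered listing from the post with placeholders substituted, plus the two lines
# Noah quotes that are missing from it (00300 and the fwd rule, kept separate below).
POSTED = f"""
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from {LOCALNET} to any in recv ed0
00500 deny ip from {EXTNET} to any in recv vr0
00600 deny ip from any to 10.0.0.0/8 via ed0
00700 deny ip from any to 172.16.0.0/12 via ed0
00800 deny ip from any to 192.168.0.0/16 via ed0
00900 deny ip from any to 0.0.0.0/8 via ed0
01000 deny ip from any to 169.254.0.0/16 via ed0
01100 deny ip from any to 192.0.2.0/24 via ed0
01200 allow ip from any to 224.0.0.0/4 via ed0
01300 allow ip from any to 240.0.0.0/4 via ed0
01400 deny ip from 10.0.0.0/8 to any via ed0
01500 deny ip from 172.16.0.0/12 to any via ed0
01600 deny ip from 192.168.0.0/16 to any via ed0
01700 deny ip from 0.0.0.0/8 to any via ed0
01800 deny ip from 169.254.0.0/16 to any via ed0
01900 deny ip from 192.0.2.0/24 to any via ed0
02000 deny ip from 224.0.0.0/4 to any via ed0
02100 deny ip from 240.0.0.0/4 to any via ed0
02200 allow tcp from any to any established
02300 allow tcp from any to any frag
02400 allow tcp from {ED0_IP} to any 80,443 setup
02500 allow ospf from any to any
02600 allow udp from {ED0_IP} 520 to any
02700 allow udp from any to {ED0_IP} 520
02800 deny log tcp from any to any in recv ed0 setup
02900 allow tcp from any to any setup
03000 allow udp from {ED0_IP} to any 53 keep-state
03100 allow udp from {LOCALNET} to any 53 keep-state
"""
FWD = "fwd 127.0.0.1,3128 tcp from any to any 80"
OPT_ARGS = {"via", "recv", "xmit"}   # options that take an interface name

def parse_rule(line):
    """Parse the subset of ipfw syntax used in the posted rules into a dict."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "target": None, "opts": {}, "sports": None, "dports": None}
    i = 2
    if r["action"] == "fwd":
        r["target"] = t[i]; i += 1
    if t[i] == "log":                 # 'log' is a modifier, not an action
        i += 1
    r["proto"] = t[i]; i += 1
    assert t[i] == "from"; i += 1
    r["src"] = t[i]; i += 1
    if t[i] != "to":                  # optional source port(s)
        r["sports"] = t[i]; i += 1
    assert t[i] == "to"; i += 1
    r["dst"] = t[i]; i += 1
    if i < len(t) and t[i][0].isdigit():   # optional destination port(s), e.g. "80,443"
        r["dports"] = t[i]; i += 1
    while i < len(t):                 # remaining tokens are options
        if t[i] in OPT_ARGS:
            r["opts"][t[i]] = t[i + 1]; i += 2
        else:
            r["opts"][t[i]] = True; i += 1
    return r

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_ok(spec, port):
    return spec is None or port in {int(p) for p in spec.split(",")}

def matches(r, p):
    """Stateless per-packet match, as ipfw does it (keep-state is ignored here)."""
    if r["proto"] not in ("ip", "all", p["proto"]):
        return False
    if not (in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])):
        return False
    if p["proto"] in ("tcp", "udp") and not (port_ok(r["sports"], p["sport"]) and port_ok(r["dports"], p["dport"])):
        return False
    o = r["opts"]
    if "established" in o and not (p["flags"] & {"ACK", "RST"}):   # ACK or RST set
        return False
    if "setup" in o and not ("SYN" in p["flags"] and "ACK" not in p["flags"]):   # SYN without ACK
        return False
    if "frag" in o and not p["frag"]:
        return False
    if ("in" in o and p["dir"] != "in") or ("out" in o and p["dir"] != "out"):
        return False
    if ("recv" in o and o["recv"] != p["recv"]) or ("xmit" in o and o["xmit"] != p["xmit"]):
        return False
    if "via" in o and o["via"] not in (p["recv"], p["xmit"]):
        return False
    return True

def decide(rules, p):
    """(rule number, action, fwd target) of the first matching rule; 65535 is the default deny."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, p):
            return r["num"], r["action"], r["target"]
    return 65535, "deny", None

def ruleset(fwd_num=None):
    rules = [parse_rule(l) for l in POSTED.strip().splitlines()]
    if fwd_num is not None:
        rules.append(parse_rule(f"{fwd_num:05d} {FWD}"))
    return rules

RULES_BASE = ruleset()            # no interception: "www works correctly"
RULES_AS_POSTED = ruleset(2450)   # fwd after the 'established' rule, as quoted by Noah
RULES_MOVED = ruleset(2150)       # fwd moved ahead of the 'established' rule

def client_packet(flags, frag=False):
    """Constructed packet: local client to a web server, inbound pass on vr0."""
    return {"proto": "tcp", "src": "198.51.100.10", "dst": "203.0.113.200",
            "sport": 40000, "dport": 80, "flags": set(flags), "frag": frag,
            "dir": "in", "recv": "vr0", "xmit": None}

if __name__ == "__main__":
    for name, rules in (("no fwd", RULES_BASE), ("fwd at 02450", RULES_AS_POSTED), ("fwd at 02150", RULES_MOVED)):
        for label, flags in (("SYN", {"SYN"}), ("ACK (rest of connection)", {"ACK"})):
            num, action, target = decide(rules, client_packet(flags))
            print(f"{name:13} {label:26} -> rule {num:05d} {action} {target or ''}")
```

The parser covers only the keywords that appear in the posted rules; the return path from Squid to the client and the outbound pass on ed0 are not modelled, since the point here is which rule the client's packets hit first on the way in.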
