natd and squid in jail

Igor Popov IgorPopov at NewMail.RU
Fri Apr 16 14:20:05 PDT 2004 

	Hi,
I have home network, that consits of two macines, the first one (freebsd) has 
dialup access to inet. Squid runs on freebsd to allow access to inet from my 
second machin. For sake of experiment I tried to run squid in jail. But it 
doesn't work with inet with ipfw and natd, but it works fine with ipfilter 
and ipnat and OpenBSD's pf.
There are my ipfw rules:
 
fwcmd="/sbin/ipfw -q"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

#automated anti-spoofing
$fwcmd add deny log ip from any to any not verrevpath in recv ng0

#natd
$fwcmd add divert natd all from any to any via ng0

# Allow all localhost connections
$fwcmd add allow all from any to any via lo0
$fwcmd add deny  log all from any to 127.0.0.0/8
$fwcmd add deny  log all from 127.0.0.0/8 to any

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny  tcp from any to any established

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny  tcp from me to any
$fwcmd add allow ip  from me to any out xmit any keep-state

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable ICMP
$fwcmd add deny  log icmp from any to me icmptypes 8,13
$fwcmd add allow icmp from me to any keep-state

#enable access for squid via localnet
$fwcmd add allow tcp from 192.168.1.0/24 to me dst-port 3128 in recv rl0 setup 
keep-state

# Enable IPSec
$fwcmd add allow log udp from any to me src-port isakmp dst-port isakmp via 
rl0 keep-state
$fwcmd add allow esp from any to any via rl0
$fwcmd add allow ah  from any to any via rl0

# Deny all the rest.
$fwcmd add deny log ip from any to any


rl0: 192.168.1.1 mask 0xffffff00, 192.168.1.2 mask 0xffffff80
when I do `ipfw -d show` or `tcpdump - ng0`, I see that squid begins 
connection and there is a respond, but it can't achieve to squid.


-- 
Ten years of rejection slips is nature's way of telling you to stop
writing.
		-- R. Geis

More information about the freebsd-ipfw mailing list