proxy w/ firewall?

Brian Minard bminard at flatfoot.ca
Sun May 4 11:25:22 PDT 2003


Hello,

I'm trying to set up firewall rules for a work station attached to
a gateway.  The gateway is running ipfw2 and natd.  I'd like to
develop rules for the work station requests which achieve the
following.

  a. have work station requests for http/smtp/pop3 go through the
  gateway over ppp0.  The interface between the work station and
  the gateway is xl0.

  b. limit the source of requests for each of these protocols
  to only the work station and the destination to my ISP's mail
  relays (in the case of smtp and pop3).

The problem is that the work station requests only seem to get
through the firewall with very generic rules:

  ipfw add allow tcp from any to any http keep-state
  ipfw add allow tcp from any to 1.2.3.4/24{1,2} smtp keep-state
  ipfw add allow tcp from any to 1.2.3.4/24{1,2} pop3 keep-state

I've a couple of questions about this:

  1. am I improving the security if I change the rules to
  something like:

    ipfw add allow log tcp from me to any http keep-state via ppp0
    ipfw add allow log tcp \
      from 2.3.4.5/24 to me http keep-state via xl0

  2. do I need to run a proxy server to get the rules in question 
  (1) to work, or is there some magic I can work using only the
  firewall?

Thanks,
Brian
-- 
Brian Minard
bminard at flatfoot.ca
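
The script below is an added example, not part of Brian's post or of any
reply on the list. It is one ipfw2 + natd ruleset for the gateway that
enforces both requirements (a) and (b) from the post without a proxy, using
the interface names from the post (xl0 inside, ppp0 to the ISP). Everything
else is assumed: the workstation's private address (192.168.1.2), the relay
addresses (the post's placeholders 1.2.3.1 and 1.2.3.2), and that natd is
already running on ppp0 with forwarding enabled. The point it demonstrates
is ordering: a keep-state rule must see the packet before the outbound
divert (so it records the untranslated source address and "from $WS" is
meaningful), and inbound packets must be diverted back before check-state,
or the reply never matches the dynamic rule. That ordering is why tight
rules fail while "from any" rules appear to work.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw2 + natd ruleset for the
# gateway.  Addresses below are assumptions; the post gives neither the
# workstation's private address nor real relay addresses.
#
# Packet flow and why the order matters:
#   out: WS -> in via xl0 (rules 200/210 admit the SYN) -> out via ppp0:
#        check-state / 300,310 keep-state (still sees the PRIVATE source)
#        -> skipto 800 divert natd (rewrite) -> 801 allow
#   in:  in via ppp0: 100 divert natd (dst rewritten back to WS)
#        -> 110 check-state matches the dynamic rule -> skipto 800
#        -> 800 does not match (it is "out" only) -> 801 allow -> out via xl0
# Rule 500 stops anything that falls through to 800 without a skipto.

EXT_IF="${EXT_IF:-ppp0}"              # link to the ISP (from the post)
INT_IF="${INT_IF:-xl0}"               # link to the workstation (from the post)
WS="${WS:-192.168.1.2}"               # workstation address: ASSUMED
RELAYS="${RELAYS:-1.2.3.1,1.2.3.2}"   # ISP mail relays: placeholder values
IPFW="${IPFW:-/sbin/ipfw -q}"         # set IPFW=echo for a dry run

# Print the ruleset, one "add ..." line per rule, in load order.
build_rules() {
    cat <<EOF
add 00010 allow ip from any to any via lo0
add 00020 deny ip from any to 127.0.0.0/8
add 00030 deny ip from 127.0.0.0/8 to any
add 00100 divert natd ip from any to any in via $EXT_IF
add 00110 check-state
add 00200 allow tcp from $WS to any 80 in via $INT_IF
add 00210 allow tcp from $WS to $RELAYS 25,110 in via $INT_IF
add 00220 allow tcp from any 80,25,110 to $WS out via $INT_IF established
add 00300 skipto 800 tcp from $WS to any 80 out via $EXT_IF setup keep-state
add 00310 skipto 800 tcp from $WS to $RELAYS 25,110 out via $EXT_IF setup keep-state
add 00500 deny log ip from any to any
add 00800 divert natd ip from any to any out via $EXT_IF
add 00801 allow ip from any to any
EOF
}

# Load the rules.  natd (e.g. "natd -n ppp0") and net.inet.ip.forwarding=1
# must already be in place; this function does not start them.
apply_rules() {
    $IPFW -f flush
    build_rules | while read -r rule; do
        $IPFW $rule    # word splitting intended: one argument list per line
    done
}

# Return 0 when every keep-state rule precedes the outbound divert, i.e.
# the dynamic rules will be created with untranslated addresses.
rules_are_ordered() {
    build_rules | awk '
        /keep-state/              { if (seen_out_divert) bad = 1 }
        /divert natd .* out via/  { seen_out_divert = 1 }
        END                       { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  build_rules ;;
esac
```

Run it as "sh gateway-fw.sh show" to review the generated rules, or with
IPFW=echo to dry-run apply_rules. Two things it deliberately leaves out
because the post does not mention them: the workstation has no DNS rule, so
name lookups for the http hosts will not work unless UDP 53 is added in the
same skipto 800 style, and the gateway's own outbound traffic is not allowed
at all. Rule 220 only matters for packets that miss check-state; once the
dynamic rule exists it carries both legs of the session.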

