IPFW confusion

Ben Quick general at benquick.f9.co.uk
Wed Jan 7 12:48:58 PST 2004


Hi Subhro,
Thanks for your reply.

The reason I want the server to route between the internal network and 
the router is because I only want to allow specific clients out onto the 
internet, and I can't see how to do this with the router I've got. Plus, 
it's a good excuse to try to learn something new :-)

You say it's expected that I can't ping. It's things like this that 
confuse me. Due to lack of understanding on my part, I've allowed all 
traffic through. Or so I thought...

I've had a quick skim of the HOWTO, and it seems informative. But it's 
still the IPFW rules that get me all confused.

Ben

Subhro wrote:

>Hi Ben,
>
>First of all I must say you explained your requirements very well. Not many
>people can precisely say what they need. Bravo!
>
>Let's get to the point now. First of all, I don't find a good reason why
>you would like to introduce your system (192.168.0.10) (let's call it the server)
>to work as a router although you have a dedicated router. You can be well
>off adding routes in the D-Link and be off with it. If you really want to
>live with your current setup, then you must decide whether you want to go
>with NAT or with transparent proxy. With your current setup, it is perfectly
>all right that you can't ping any external hosts. I would recommend that you
>go with NAT guarded by ipfw at the server. But you may also go with
>transparent proxy as it has its own advantages. Refer to the following page:
>
>http://www.erudition.net/freebsd/NAT-HOWTO
>
>This has a really good tutorial on setting up NAT.
>
>Regards
>Subhro
>
>Subhro Sankha Kar
>Indian Institute of Information Technology
>Block AQ-13/1, Sector V
>Salt Lake City
>PIN 700091
>India
>
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Ben Quick
>Sent: Wednesday, January 07, 2004 11:05 PM
>To: freebsd-questions at freebsd.org
>Subject: IPFW confusion
>
>Hello all,
>I've been hunting around for information on IPFW, and how to set up the
>rules I require. I found a tutorial that seemed to fit my needs:
>http://www.mostgraveconcern.com/freebsd/ipfw.html
>
>However, I can't get the config to work. I've commented out all the deny
>rules. In this instance, I can browse the web via SQUID that's installed
>on the IPFW box. I can't browse the web directly, though. That is the
>only external access I get. I can't ping any sites, DNS lookups fail
>(I've set the DNS servers on the client workstation to be my ISP's.
>I also tried setting it to look at the IPFW box first, with no luck).
>
>Can anyone offer help on this one? I'm getting stuck in a muddle of
>misunderstanding.
>
>My setup is as follows:
>
>Internal LAN is 192.168.0.x
>IPFW machine has 2 NICs:
>rl0: 192.168.0.10
>rl1: 172.16.200.10
>rl1 connects directly to my DSL router (D-Link 504) which has an
>internal IP of 172.16.200.1 along with its public IP on the DSL port
>
>The ruleset I'd like is as follows:
>
>For client IPs of 192.168.0.1 - 192.168.0.20 allow the following:
>HTTP \ HTTPS - But not directly, force them to use SQUID (Listening on
>port 8080, and using squidGuard for content filtering)
>POP3 - But, only so far as pop.myisp.com
>IMAP - But, only so far as imap.myisp.com
>SMTP - But, only so far as smtp.myisp.com
>DNS lookups - But, only with ns1.myisp.com and ns2.myisp.com
>NNTP - But, only so far as news.myisp.com
>FTP - To anywhere
>
>For client IPs of 192.168.0.21 - 192.168.0.254 no access to anything
>external to the 192.168.0.x network should be granted
>
>I'd like the IPFW box and 192.168.0.1 to be able to SSH out to anywhere.
>
>I'd like to allow SSH inbound from a specific IP to be directed at the
>IPFW box (The port forwarding can be done with the DSL router) - SSH
>isn't currently listening on that interface, I'll get to that later :)
>
>Does this sound like a reasonable ruleset? Is anyone willing to help me
>generate it?
>
>Thanks
>Ben
>  
>
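The failure Subhro calls "expected" is a routing problem rather than a rule problem: with the deny rules commented out, a client's packets do leave the IPFW box towards the D-Link, but they carry a 192.168.0.x source address that the D-Link has no route back to, so the replies never return. Squid works because the proxy opens its own connections from the server's 172.16.200.10 address. Either of the fixes Subhro names (a route for 192.168.0.0/24 on the D-Link, or NAT on the server) closes that gap. The script below is an added example, not code from this thread or from either HOWTO: it loads an ipfw ruleset for the policy Ben lists, with NAT done by natd on rl1. It assumes a kernel built with options IPFIREWALL and IPDIVERT, gateway_enable, natd_enable and natd_interface="rl1" in /etc/rc.conf, and it uses the ISP hostnames from the post and a placeholder admin address (203.0.113.5) where the post says "a specific IP".

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw ruleset for the network Ben
# describes, with NAT done by natd on the outside interface (rl1).
# Assumed: a kernel with options IPFIREWALL and IPDIVERT, and in /etc/rc.conf
#   gateway_enable="YES"  natd_enable="YES"  natd_interface="rl1"
# With no arguments the script only prints the rules it would load;
# "sh ipfw.sh --apply" loads them with /sbin/ipfw.

LAN_IF=rl0;  LAN_NET=192.168.0.0/24;  SERVER=192.168.0.10
EXT_IF=rl1;  EXT_IP=172.16.200.10
# 192.168.0.1-20 is not one CIDR block; these three prefixes cover .0 to .20.
TRUSTED="192.168.0.0/28 192.168.0.16/30 192.168.0.20/32"
SSH_CLIENT=192.168.0.1
ADMIN_IP=203.0.113.5    # placeholder for the "specific IP" allowed to SSH in
# ISP hosts as named in the post. ipfw resolves names when the rules are
# loaded, so put numeric addresses here before relying on this at boot.
POP=pop.myisp.com; IMAP=imap.myisp.com; SMTP=smtp.myisp.com
NNTP=news.myisp.com; NS1=ns1.myisp.com; NS2=ns2.myisp.com

build_ruleset() {
    fw=$1                       # "/sbin/ipfw", or "echo ipfw" for a preview
    rule=100
    add() { $fw add $rule "$@"; rule=$((rule + 10)); }

    $fw -f flush
    add allow ip from any to any via lo0
    add deny ip from any to 127.0.0.0/8
    add deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: a LAN source address never legitimately arrives on rl1.
    add deny ip from $LAN_NET to any in via $EXT_IF
    # NAT. Rules below this one see inbound packets with the client's address
    # already restored, and outbound packets with $EXT_IP as their source.
    add divert natd ip from any to any via $EXT_IF
    # Replies to TCP connections that were allowed to start (the stateless
    # pattern from rc.firewall; keep-state rules would be tighter).
    add allow tcp from any to any established
    # The whole LAN may talk to the server itself: squid on 8080, sshd later.
    add allow ip from $LAN_NET to $SERVER in via $LAN_IF
    add allow ip from $SERVER to $LAN_NET out via $LAN_IF

    # Client policy is enforced where client packets enter, on rl0. Only
    # these connection setups may leave the LAN segment; everything else
    # from 192.168.0.x (in particular all of .21-.254) hits the final deny.
    rule=1000
    for net in $TRUSTED; do
        add deny tcp from $net to any 80,443 setup in via $LAN_IF   # squid only
        add allow tcp from $net to $POP 110 setup in via $LAN_IF
        add allow tcp from $net to $IMAP 143 setup in via $LAN_IF
        add allow tcp from $net to $SMTP 25 setup in via $LAN_IF
        add allow tcp from $net to $NNTP 119 setup in via $LAN_IF
        add allow udp from $net to $NS1 53 in via $LAN_IF
        add allow udp from $net to $NS2 53 in via $LAN_IF
        # FTP control channel only; passive-mode data channels go to
        # arbitrary high ports and would need a much wider rule.
        add allow tcp from $net to any 21 setup in via $LAN_IF
        add allow icmp from $net to any icmptypes 8 in via $LAN_IF  # ping out
    done
    add allow tcp from $SSH_CLIENT to any 22 setup in via $LAN_IF

    # Return traffic that "established" does not cover: UDP has no flags,
    # and ICMP echo replies / unreachables are addressed to the client.
    rule=3000
    add allow udp from $NS1 53 to $LAN_NET
    add allow udp from $NS2 53 to $LAN_NET
    add allow icmp from any to $LAN_NET icmptypes 0,3,11
    # Inbound SSH from the one admin host, forwarded by the D-Link to rl1.
    add allow tcp from $ADMIN_IP to $EXT_IP 22 setup in via $EXT_IF
    # The server's own traffic (squid fetching pages, its DNS, ssh out) and
    # already-vetted client traffic, which carries $EXT_IP after NAT.
    add allow ip from $EXT_IP to any out via $EXT_IF
    add allow udp from any 53 to $EXT_IP in via $EXT_IF
    add allow icmp from any to $EXT_IP icmptypes 0,3,11 in via $EXT_IF
    # Everything else is dropped ("log" records it only with IPFIREWALL_VERBOSE).
    $fw add 65000 deny log ip from any to any
}

case "${1:-}" in
    --apply) build_ruleset /sbin/ipfw ;;
    *)       build_ruleset "echo ipfw" ;;
esac
```

Running it without arguments prints the exact ipfw commands, which is the place to check the rule order: the divert rule must come before anything that inspects addresses on rl1, and the per-client policy must sit on the rl0 ingress pass, because after NAT every outbound packet on rl1 looks like it came from the server. Because `ipfw -f flush` drops every existing rule before the new ones are added, load it from the console the first time rather than over SSH, and use `ipfw show` afterwards to see which rule is counting the packets you expected to pass.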