Please convert the equivalent of these rules into IPFW
Tony
rigstars at gmail.com
Thu Sep 9 13:49:13 UTC 2010
I tried converting those iptables rules myself. How do they look?
#Allow Squid outbound access on port 8883 (Dansguardian)
ipfw add allow tcp from 192.168.0.154 to any dst-port 8883 out uid squid
#Allow Squid outbound access on port 80
ipfw add allow tcp from 192.168.0.154 to any dst-port 80 out uid squid
#Redirect all requests on port 80 to 8883 (Dansguardian)
ipfw add fwd 127.0.0.1,8883 tcp from not me to any dst-port 80
# Accept requests on port 3333 from nobody (Dansguardian user)
ipfw add allow tcp from 192.168.0.154 to any dst-port 3333 out uid nobody
# this is to allow clients on same machine to go from browser->dansguardian->squid->internet
# both services are running on the local loopback ip address
On Thu, Sep 9, 2010 at 9:00 AM, Tony <rigstars at gmail.com> wrote:
> Can someone please convert these iptables rules into IPFW
>
> #Allow Squid outbound access on port 8080 (Dansguardian)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT
>
> # Allow Squid outbound access on port 80
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
>
> # Don't redirect root on port 80
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
>
> # Don't redirect root on port 3128 (Squid)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT
>
> # Redirect all requests on port 80 to 8080 (Dansguardian)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>
> # Accept requests on port 3128 from nobody (Dansguardian user)
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT
>
> # Redirect all other requests on port 3128 to 8080 to prevent users from getting around Dansguardian by going directly to Squid
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
>
> # Delete the NOTRACK rule that SuSEfirewall2 adds to the raw table of the OUTPUT chain
> iptables -t raw -D OUTPUT -o lo -j NOTRACK
>
>
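For reference, here is an added example (not part of Tony's message and not the quoted rules) of a complete ipfw rule set that mirrors the iptables nat/OUTPUT chain above, one rule per iptables rule and in the same order. It assumes the host itself runs both proxies, with DansGuardian listening on 127.0.0.1:8080 and Squid on 127.0.0.1:3128; the rule numbers 1000-1100 and the landing rule at 1100 are arbitrary choices, and the rest of the firewall is assumed to start at 1100. One deliberate change from both the iptables rules and the conversion above: the exemptions use skipto rather than allow, so exempted traffic still passes through the remaining firewall rules instead of being accepted outright. The IPFW variable is an assumption of this script so the rules can be previewed with IPFW=echo; fwd needs a kernel built with options IPFIREWALL_FORWARD on older FreeBSD releases.

```shell
#!/bin/sh
# Added example (not the poster's rules): ipfw equivalent of the iptables
# nat/OUTPUT chain quoted in the thread.  Assumed layout: this host runs the
# proxies, DansGuardian listens on 127.0.0.1:8080 and Squid on 127.0.0.1:3128,
# and the rest of the firewall begins at rule 1100.  IPFW may be overridden
# (IPFW=echo) to print the rules instead of loading them.

IPFW="${IPFW:-ipfw -q}"
DG=127.0.0.1,8080   # fwd target: DansGuardian on the loopback address
DG_PORT=8080
SQUID_PORT=3128

load_proxy_rules() {
    # Idempotent reload: drop our own rule numbers first (ignore "not found").
    $IPFW delete 1000 1010 1020 1030 1040 1050 1060 1100 2>/dev/null || :

    # Exemptions first (iptables ACCEPT in nat/OUTPUT).  skipto instead of
    # allow: the packet jumps past the redirects but still hits the rest of
    # the firewall rather than being waved through entirely.  "me" matches
    # every address configured on this host, 127.0.0.1 included.
    $IPFW add 1000 skipto 1100 tcp from me to any dst-port $DG_PORT    out uid squid
    $IPFW add 1010 skipto 1100 tcp from me to any dst-port 80          out uid squid
    $IPFW add 1020 skipto 1100 tcp from me to any dst-port 80          out uid root
    $IPFW add 1030 skipto 1100 tcp from me to any dst-port $SQUID_PORT out uid root

    # All other locally generated web requests go to DansGuardian
    # (iptables REDIRECT --to-ports 8080).  fwd leaves the packet unchanged;
    # the local socket just sees the original destination address.
    $IPFW add 1040 fwd $DG tcp from me to any dst-port 80 out

    # DansGuardian (uid nobody) may talk to Squid directly ...
    $IPFW add 1050 skipto 1100 tcp from me to any dst-port $SQUID_PORT out uid nobody
    # ... everyone else trying Squid directly is sent back through DansGuardian.
    $IPFW add 1060 fwd $DG tcp from me to any dst-port $SQUID_PORT out

    # Landing rule for the skipto jumps; the normal rule set continues here.
    $IPFW add 1100 count ip from any to any

    # The last iptables rule (deleting SuSEfirewall2's NOTRACK entry in the
    # raw table) is distribution-specific and has no ipfw counterpart.
}

# Usage (as root):   . ./ipfw-proxy.sh && load_proxy_rules
# Preview only:      IPFW=echo sh -c '. ./ipfw-proxy.sh; load_proxy_rules'
```

Ordering is the whole point of this rule set: with fwd as with REDIRECT, the first matching rule wins, so the uid-based exemptions for squid, root and nobody must carry lower rule numbers than the fwd rules for the same port, otherwise DansGuardian's own connection to Squid on 3128 would be looped back into DansGuardian.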
More information about the freebsd-ipfw mailing list