FreeBSD Firewall as a Transparent Proxy?

whizkid at ValueDJ.com
Sat Mar 27 03:10:12 PST 2004


I have seen lots of pages on Google on how to set up Squid as a transparent
proxy server on FreeBSD.  However, most of these refer to 4.9-STABLE, using
IPTables.  I am currently using natd and ipfw.  Here are my firewall rules:

rc.firewall.rules

proxy# cat rc.firewall.rules
# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via fxp0
add 00302 deny ip from 172.16.0.0/12 to any in via fxp0
add 00303 deny ip from 192.168.0.0/16 to any in via fxp0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via fxp0
add 01001 check-state

# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from any to me dst-port 22 setup keep-state
# ICMP
add 04001 allow icmp from 192.168.1.0/24 to me in via xl0
# NTP
add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via xl0 setup keep-state
add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via xl0 keep-state
# DNS
add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via xl0

# drop everything else
add 04009 deny ip from 192.168.1.0/24 to me

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via xl0 keep-state

# allow all outgoing traffic from the router (maybe you should be more
# restrictive)
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60000 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will come
# here.
# First, nat them, then pass them on (again, you may choose to be more
# restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via fxp0
add 61001 allow ip from any to any


natd.conf

proxy# cat natd.conf
unregistered_only
interface fxp0
use_sockets
dynamic
# dynamically open fw for ftp, irc
punch_fw 2000:50

proxy# uname -a
FreeBSD proxy.valuedj.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Fri Mar 26 19:14:17 PST 2004     whizkid at proxy.valuedj.com:/usr/obj/usr/src/sys/MYKERNEL  i386



How would I set it so that all incoming packets from xl0 get redirected
to port 8080 for the proxy server?  I want to set up DansGuardian for
content filtering, and I don't want the people who will be using my network
to find a way around it by disabling the proxy in the browser.

Anyone have any ideas?

Thanks for your help
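To see where a LAN HTTP packet lands in a ruleset like the one posted before and after a redirect rule is added, here is an added example (not from the post) in Python: a first-match simulator for the ipfw keyword subset the rules use. Rule 04100 and its `fwd 127.0.0.1,8080` wording are assumptions modelled on ipfw(8) syntax, the router addresses are constructed, and the stateful keywords, verrevpath and natd's divert are not modelled (only the inbound pass on xl0 is simulated).

```python
# Added example (not from the post): first-match simulator for its ipfw keyword subset.
# Stateful keywords and verrevpath are ignored; only the inbound pass on xl0 is simulated.
import ipaddress

ME = {"192.168.1.1", "203.0.113.2"}  # constructed: the router's xl0 and fxp0 addresses
BASE_RULES = """
add 04000 allow tcp from any to me dst-port 22 setup keep-state
add 04009 deny ip from 192.168.1.0/24 to me
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via xl0 keep-state
add 60000 deny log ip from any to any
add 61000 divert natd ip from 192.168.1.0/24 to any out via fxp0
add 61001 allow ip from any to any
"""  # subset of the posted ruleset, rule text and numbers as posted
# Hypothetical redirect rule (ipfw 'fwd ipaddr,port' syntax). It must sort
# before 04109, or the skipto wins and the packet is NATed out, not proxied.
FWD_RULE = "add 04100 fwd 127.0.0.1,8080 tcp from 192.168.1.0/24 to any dst-port 80 in via xl0"

def parse_rule(line):
    """'add NUM ACTION [TARGET] [log] PROTO from SRC to DST [options]' -> dict."""
    t = [w for w in line.split() if w != "log"]
    if len(t) < 4 or t[0] != "add" or t[2] == "check-state":
        return None
    i = 4 if t[2] in ("fwd", "skipto", "divert") else 3  # index of PROTO
    o = t[i + 5:]  # option words after the from/to clause
    return {"num": int(t[1]), "action": t[2], "target": t[3] if i == 4 else None,
            "proto": t[i], "src": t[i + 2], "dst": t[i + 4],
            "ports": {int(p) for p in o[o.index("dst-port") + 1].split(",")} if "dst-port" in o else None,
            "via": o[o.index("via") + 1] if "via" in o else None,
            "dir": "in" if "in" in o else ("out" if "out" in o else None)}

def _addr(spec, ip):  # 'any', 'me' (router addresses) or a CIDR/host
    return spec == "any" or (ip in ME if spec == "me" else ipaddress.ip_address(ip) in ipaddress.ip_network(spec))

def matches(r, pkt):
    return (r["proto"] in ("ip", pkt["proto"])
            and _addr(r["src"], pkt["src"]) and _addr(r["dst"], pkt["dst"])
            and (r["ports"] is None or pkt["dport"] in r["ports"])
            and (r["dir"] is None or r["dir"] == pkt["dir"])
            and (r["via"] is None or r["via"] == pkt["iface"]))

def decide(rule_text, pkt):
    """First terminating rule for pkt: (number, action, target), or None."""
    rules = sorted(filter(None, map(parse_rule, rule_text.splitlines())), key=lambda r: r["num"])
    i = 0
    while i < len(rules):
        r, m = rules[i], matches(rules[i], pkt)
        if m and r["action"] != "skipto":
            return r["num"], r["action"], r["target"]
        # a matching skipto continues at the first rule numbered >= its target
        i = next((j for j, x in enumerate(rules) if x["num"] >= int(r["target"])), len(rules)) if m else i + 1
    return None
```

On FreeBSD 5.x the `fwd` action also requires a kernel built with `options IPFIREWALL_FORWARD`, and the proxy itself has to be configured for transparent operation.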

