Which one best suits my requirements

Amanat

Member


Messages: 36

I want to install a firewall on my FreeBSD gateway server, with transparent Squid.

I want to block by MAC and IP, and have transparent Squid, CoS, QoS, bandwidth shaping, P2P blocking, and SquidGuard or DansGuardian.

I want to opt for PF with ALTQ.

Which one would you suggest with all the above functionalities?

Either PF or IPFW?

Please be precise.

Warm Regards!
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 13,147
Messages: 39,756

Blocking MAC addresses is useless. It's also not possible with either firewall. Not easily anyway.
 

aragon

Daemon

Reaction score: 282
Messages: 2,029

ipfw can match on MAC address. Read ipfw(8).

But you can use ipfw and pf together too... as well as do MAC address filtering in squid itself.
 
OP

Amanat

Member


Messages: 36

SirDice said:
Blocking MAC addresses is useless. It's also not possible with either firewall. Not easily anyway.

Using tables in pf, it seems possible.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,237
Messages: 11,441

Do you have a bridged network then? Then again: MAC address spoofing is easy as pie.
 

phoenix

Administrator
Staff member
Administrator
Moderator

Reaction score: 1,293
Messages: 4,099

SirDice said:
Blocking MAC addresses is useless. It's also not possible with either firewall. Not easily anyway.

It's actually fairly easy to do with IPFW, but the syntax is a little hard on the eyes. IP addresses are listed "from source to dest" but MAC is listed "dest src".

Code:
# MAC addresses to block
# These only take effect if sysctl net.link.ether.ipfw=1
BAD_MACS_F=" { MAC any 00:1E:68:C7:B7:AF or MAC any 00:11:24:3E:FA:86 }"
BAD_MACS_R=" { MAC 00:1E:68:C7:B7:AF any or MAC 00:11:24:3E:FA:86 any }"


# Block Internet access by MAC address
# Allow ARP traffic
$IPFW add 4 allow ip from any to any layer2 mac-type arp

# Block ethernet traffic from specific MAC addresses (note: MACs are listed in "dest src" order)
$IPFW add 5 deny ip from any to any $BAD_MACS_F in recv $PRIVATE

# Block ethernet traffic to specific MAC addresses (note: MACs are listed in "dest src" order)
$IPFW add 6 deny ip from any to any $BAD_MACS_R out xmit $PRIVATE

# Allow ethernet traffic
$IPFW add 7 allow ip from any to any MAC any any
 
OP

Amanat

Member


Messages: 36

DutchDaemon said:
Do you have a bridged network then? Then again: MAC address spoofing is easy as pie.
Yes, I am doing NAT for my large network, using a single public IP.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 13,147
Messages: 39,756

Amanat said:
Yes, I am doing NAT for my large network, using a single public IP.

NAT != bridge
 
OP

Amanat

Member


Messages: 36

Yes, NAT != bridge, sorry. I am using NAT.

By this technique we can allow a list of clients which are allowed:

Code:
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, https, 446, cvspserver, 2628, 5999, 8000, 8080 }"

Code:
table <clients> persist file "/etc/clients"
pass inet proto tcp from <clients> to any port $client_out \
         flags S/SA keep state

But I can't use this, because I have more than a thousand clients.
Now I am doing the opposite:

1.
Code:
table <clients> persist file "/etc/clients"
block inet proto tcp from <clients> to any port $client_out

2.
Code:
table <clients> persist file "/etc/clients"
block inet proto tcp from <clients> to any port $client_out \
         flags S/SA keep state
or
3.
Code:
table <clients> persist file "/etc/clients"
block drop in quick on $int_if from <clients> to any

Which one is best? Any good combination of all three?

Will it work for putting all MACs in a file, e.g. "/etc/blocked-mac-add",

where "/etc/blocked-mac-add" contains MAC addresses,

e.g.
Code:
1A:2B:3D:4D:5D:6D
1A:2B:3D:4D:5D:7D

Any suggestions and ideas!
 
OP

Amanat

Member


Messages: 36

After googling, I came to know that a bridge will be the solution.

Does IPFW have a table technique? I didn't find one.
 
OP

Amanat

Member


Messages: 36

It was very nice; I read several tutorials and howtos for pf. For the time being I prefer pf, and about bridging I am confused.

pf supports reading from files, while ipfw doesn't.

ipfw allows MAC filtering but pf doesn't.

Bridging with pf is new for me, as I am not very familiar with pf.

I want to ask: what will be the combination?

As I put these two in /etc/rc.conf:
Code:
squid_enable="YES"
pf_enable="YES"

then use kldload pf

then use pfctl -e

insert some rules in pf.conf

e.g.
Code:
rdr on rl0 proto tcp from 172.21.0.0/24 to !172.21.0.0/24 port 80 -> 127.0.0.1 port 3129

and transparent Squid starts working.

Do I need NAT in combination with the above command? As the above line is working, I think it is not needed; what do you people say?

As I am using both:

Code:
# NAT for Local Area Network (LAN)
nat on xl0 inet from rl0 to any -> xl0

Are both necessary or not?

If not, how can I add a bridge? If I use a bridge, do I have to remove NAT or not?

Regards!

Regards!
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,237
Messages: 11,441

If you allow no traffic out, except (non-SSL) web traffic, you won't need NAT. Squid will listen on 127.0.0.1 and use the external connection to get web pages from the Internet. You don't even need IP-forwarding in that scenario. If you want to allow https as well (which cannot be proxied transparently), you'll need NAT and IP-forwarding. If you want to allow any other non-http traffic, you'll need NAT and IP-forwarding.

Except for NAT, the same goes for a bridge setup, which does need a special route-to statement to allow transparent proxying (it's on the forums somewhere).

Tip: get a grasp of these concepts before you start asking more questions. It's very difficult to explain stuff that presupposes some fundamental knowledge of routing. There's tons of docs out there, and you can't rely on these forums for your entire education, and nobody wants to read and troubleshoot every config option and each pf.conf version you use ...
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,237
Messages: 11,441

Why don't you just try it out? We can't (and won't) decide for you every step of the way..
 
OP

Amanat

Member


Messages: 36

DutchDaemon said:
If you allow no traffic out, except (non-SSL) web traffic, you won't need NAT. Squid will listen on 127.0.0.1 and use the external connection to get web pages from the Internet. You don't even need IP-forwarding in that scenario. If you want to allow https as well (which cannot be proxied transparently), you'll need NAT and IP-forwarding. If you want to allow any other non-http traffic, you'll need NAT and IP-forwarding.

Except for NAT, the same goes for a bridge setup, which does need a special route-to statement to allow transparent proxying (it's on the forums somewhere).

Tip: get a grasp of these concepts before you start asking more questions. It's very difficult to explain stuff that presupposes some fundamental knowledge of routing. There's tons of docs out there, and you can't rely on these forums for your entire education, and nobody wants to read and troubleshoot every config option and each pf.conf version you use ...

Sir,
Using the Squid arp ACL I am blocking MAC addresses, and using pf I am doing NAT and transparent proxying.

I have completed setting up my FreeBSD transparent proxy server with Squid + delay pools + pf + NAT.

The thing left is bandwidth shaping. Using delay pools in Squid I can control the download rate, but I cannot manage upload. I want to manage it using pf ALTQ HFSC, if possible, as I found the tutorial. The link I already mentioned; again it is http://www.tutorialized.com/view/tutorial/FreeBSD-Router-with-Traffic-Shaping-with-PF-and-ALTQ-HFSC/36101
I need your expert opinion on this tutorial.

Regards!
 
OP

Amanat

Member


Messages: 36

DutchDaemon said:
Why don't you just try it out? We can't (and won't) decide for you every step of the way..

With apologies sir, I just wanted comments from anybody.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,237
Messages: 11,441

You got them. The experimenting and deciding is up to you.
 
OP

Amanat

Member


Messages: 36

Sure sir, I will be posting my firewall when I finish, so that you people may just have a look and suggest changes if required. I am a newbie to pf, and there must be improvements, as the improvement window/door is always open.

Let me complete.
 

phoenix

Administrator
Staff member
Administrator
Moderator

Reaction score: 1,293
Messages: 4,099

Amanat said:
pf support reading from files, while ipfw doesnt.

Not true. IPFW is just a command, like any other. Which means you can wrap it up in a shell script and do anything you want.

You can make things as simple as you want (just put everything into one file, like /etc/rc.firewall does it). Or as complex as you want (my firewalls have multiple scripts with a separate configuration file and a tables file).

IOW, if you want to put a list of IPs into a separate text file, then have IPFW use that to generate block rules, you can.
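The point phoenix makes here, together with the earlier question about keeping the blocked MACs in a file such as /etc/blocked-mac-add, can be shown with a short script. What follows is an added example and not code from the thread: a POSIX sh generator that turns a text file of MAC addresses into the two ipfw layer-2 deny rules per host in the form phoenix posted earlier, and loads them by handing ipfw the rule file. The table file path, the inside interface rl0, the rule numbers and the helper names are assumptions; the sample MACs are the ones from the earlier post plus a deliberately malformed line, constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build IPFW layer-2 block rules from a
# plain text file of MAC addresses, one per line, '#' comments allowed.
# Assumptions (hypothetical): the table file, the inside interface "rl0" and
# the rule numbers 100.. are chosen here for illustration only.

# Write a constructed sample table so the generator can be tried offline.
write_sample_table() {
    cat > "$1" <<'EOF'
# hosts that must not reach the Internet (constructed sample)
1A:2B:3D:4D:5D:6D
1a:2b:3d:4d:5d:7d   # lower case is fine, normalised below
1A:2B:3D:4D:5D      # malformed: five octets, will be skipped
EOF
}

# gen_mac_rules FILE IFACE [FIRST_RULE]
# Prints "add ..." lines in the format ipfw(8) accepts from a rule file.
# ipfw matches "MAC dst src", so each host is blocked twice: frames it sends
# arriving on IFACE (src = MAC) and frames sent to it leaving IFACE (dst = MAC).
# Layer-2 frames only reach ipfw at all when net.link.ether.ipfw=1.
gen_mac_rules() {
    file=$1; iface=$2; num=${3:-100}
    # ARP must keep working or nothing on the segment can talk to the gateway.
    echo "add $num allow ip from any to any layer2 mac-type arp"
    # Strip comments and whitespace, fold to lower case.
    macs=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" | grep -v '^$' | tr 'A-F' 'a-f')
    for mac in $macs; do
        if ! echo "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        num=$((num + 1))
        echo "add $num deny ip from any to any MAC any $mac in recv $iface"
        num=$((num + 1))
        echo "add $num deny ip from any to any MAC $mac any out xmit $iface"
    done
    # Everything else at layer 2 is allowed; layer-3 rules follow later.
    num=$((num + 1))
    echo "add $num allow ip from any to any MAC any any"
}

# apply_rules FILE IFACE: load the generated rules on a FreeBSD host.
# ipfw reads a rule file given as its argument, so the output goes through a
# temporary file. Nothing is loaded when ipfw is not installed.
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found, nothing loaded" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_mac_rules "$1" "$2" > "$tmp" && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# "sh thisfile.sh demo" prints the rules for the constructed sample table.
if [ "${1:-}" = demo ]; then
    t=$(mktemp)
    write_sample_table "$t"
    gen_mac_rules "$t" rl0 100
    rm -f "$t"
fi
```

Set `net.link.ether.ipfw=1` (in /etc/sysctl.conf to persist) before loading, otherwise the layer-2 rules never see a frame. As DutchDaemon notes above, a client can change its MAC at will, so this keeps casual hosts off the Internet but is not an access control on its own.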
 
OP

Amanat

Member


Messages: 36

Why is the traffic going out the default queue?

I am posting my firewall; all the traffic is going in and out using the default queue.

Am I doing something wrong?

Code:
# Macros
# Interfaces
ext_if = "xl0"
int_if = "rl0"

# IP addresses
bsd    = "10.0.0.12/32"
ext_ip = "111.111.111.112/32"
pc1    = "10.0.47.48"
pc2    = "10.0.47.50"
extnet = "111.111.111.0/27"
lannet = "10.0.0.0/8"

# Options
# Define a policy for blocking packets
set block-policy drop

# The behaviour of the packet filter using the state table
set state-policy floating

# Log interface
set loginterface $ext_if

# Set the type of optimization
set optimization normal

# Skip filtering on the loopback interface
set skip on lo0

# Normalization of all inbound traffic on all interfaces
scrub in all

# Queueing

altq on $ext_if hfsc bandwidth 10Mb queue { pc1_up, pc2_up, def_up }
altq on $int_if hfsc bandwidth 10Mb queue { pc1_down, pc2_down, def_down }

queue pc1_up   bandwidth 2Mb priority 6 hfsc(realtime 1Mb linkshare 50% upperlimit 2Mb)
queue pc1_down bandwidth 2Mb priority 6 hfsc(realtime 1Mb linkshare 50% upperlimit 2Mb)

queue pc2_up   bandwidth 2Mb priority 5 hfsc(realtime 1Mb linkshare 40% upperlimit 2Mb)
queue pc2_down bandwidth 2Mb priority 5 hfsc(realtime 1Mb linkshare 40% upperlimit 2Mb)

queue def_up   bandwidth 128Kb priority 0 hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)
queue def_down bandwidth 128Kb priority 0 hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)


# NAT & RDR
# NAT for Local Area Network (LAN)
nat on $ext_if inet from $lannet to any -> $ext_ip

# Send the local Internet users to squid
rdr on $int_if proto tcp from $lannet to any port www -> 127.0.0.1 port 3128

# Filter rules

# Block all
block log all

# Allow icmp
pass inet proto icmp icmp-type echoreq

# Allow DNS from the LAN
pass in on $int_if proto udp from $lannet to $bsd port domain

# Allow SSH from internal and external
pass in on $int_if proto tcp from $lannet to $bsd port ssh
pass in on $ext_if proto tcp from any to $ext_if port ssh

# Test: full outbound access for debugging
pass in on $int_if from $lannet to any

# Pass rules and shaping for PC1
pass in quick on $ext_if from any to $pc1
pass out quick on $int_if from any to $pc1 queue pc1_down

pass in quick on $int_if from $pc1 to any
pass out quick on $ext_if from $pc1 to any queue pc1_up

# Pass rules and shaping for PC2
pass in quick on $ext_if from any to $pc2
pass out quick on $int_if from any to $pc2 queue pc2_down

pass in quick on $int_if from $pc2 to any
pass out quick on $ext_if from $pc2 to any queue pc2_up

# Allow the gateway full outbound access on both interfaces
pass out on $ext_if proto tcp from any to any
pass out on $ext_if proto udp from any to any keep state
pass out on $int_if proto tcp from any to any
pass out on $int_if proto udp from any to any keep state

All of my network traffic, including pc1, pc2 and lannet, is going through the default queue.

Please correct me where I am making a mistake.
 