Configuring ipfw on OS X

[ghostpaladin]

Good day everyone. My problem is the next

I have an macbook pro with os x 10.5.8 with squid and ipfw running as a proxy.

In my company I don't want people to connect to facebook neither twitter.

My squid configuration is running correctly, my only problem is configuring the ipfw to force users to use port 8080. my ipfw conf is:

Code:

00010 divert 8668 ip from any to any via en0
00100 allow ip from any to any via lo*
01010 allow ip from 10.0.2.0/24 to me dst-port 8080
01011 allow ip from me to any
65535 allow ip from any to any

being en0 my internet connection and en1 my airport shared connection

The problem is that user still can connect to internet without configuring their proxies. what am I doing wrong?

[freejazz-man]

The rule seems to allow anything to you on 8080

given there isn't an implicit deny-all after it, you aren't actually blocking anything

firewall rules are supposed to end with a deny-all so that the only allowances are those that you specified, but you end your ruleset with an allow any any, which will allow port 80 traffic through your firewall. You also might want to consider https traffic which runs of 443.

So your solution is to either specifically deny port 80 (and 443) traffic, or to put in a 'deny-all'

if you go the 'deny-all' route, you are going to have to make a lot of other outbound rules as well.

[ghostpaladin]

I tried this:

Code:

sudo ipfw add 65534 deny ip from any to any

but it doesn't let me navigate, even configuring browser to use port 8080.
any ideas?

[freejazz-man]

ok so I did some googling and it seems ipfw already has the implicit deny-all:

"When a packet enters the firewall it is compared against the first rule in the ruleset and progresses one rule at a time moving from top to bottom of the set in ascending rule number sequence order. When the packet matches the selection parameters of a rule, the rules' action field value is executed and the search of the ruleset terminates for that packet. This is referred to as “the first match wins” search method. If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule, number 65535 which denies all packets and discards them without any reply back to the originating destination."

It looks like you might've originally written over that rule because you used rule #65535 to make an allow all. But upon further review I think I might have found the culprit:

"00010 divert 8668 ip from any to any via en0"

I think this might be the problem - every bit of traffic is going to hit it as long as it is IP and from any to any

you might want to try from en1 to en0 or something more specific

[Bear]

Quote:

Originally Posted by ghostpaladin

...
The problem is that user still can connect to internet without configuring their proxies. what am I doing wrong?

What you're probably doing wrong is that your network setup is probably not forcing people to go through the proxy system. You would need your networking gear configured to block all web access except for what is going through the proxy server.

And you need to figure out was else you want blocked and what people need to be allowed access to.

Of course without a rough network diagram and such, it's hard to troubleshoot the issue.

You might be better off hiring a networking consultant for a few hours to have thing set up the way you want.

[blueroom]

Get a router that supports IP blocking. Why on earth are you doing this on your Mac?

[freejazz-man]

Quote:

Originally Posted by Bear

What you're probably doing wrong is that your network setup is probably not forcing people to go through the proxy system. You would need your networking gear configured to block all web access except for what is going through the proxy server.

that's what he is trying to do with ipfw - that's what we've been trying to troubleshoot

[Bear]

Quote:

Originally Posted by freejazz-man

that's what he is trying to do with ipfw - that's what we've been trying to troubleshoot

That doesn't work unless all internet traffic goes through the Mac.

It sounds like he's only expecting web traffic to route through the Mac. Or at least that the setup allows the local machines to connect to the internet.

[ElectricSheep]

Assuming that your machine is acting as the gateway for your office with en0 being the WAN interface and en1 being the LAN interface, you need to add a forwarding rule to ipfw:

fwd 127.0.0.1,8080 from 10.0.2.0/24 to any dst-port 80

[ghostpaladin]

Quote:

Originally Posted by blueroom

Get a router that supports IP blocking. Why on earth are you doing this on your Mac?

Because something is wrong with the video card in this macbook.
I prefer give it a better use than throw it =)

[ghostpaladin]

Quote:

Originally Posted by Bear

That doesn't work unless all internet traffic goes through the Mac.

It sounds like he's only expecting web traffic to route through the Mac. Or at least that the setup allows the local machines to connect to the internet.

That is exactly the situation, my friend...
http://www.flickr.com/photos/92528398@N07/8410290120/

----------

[/COLOR]

Quote:

Originally Posted by ElectricSheep

Assuming that your machine is acting as the gateway for your office with en0 being the WAN interface and en1 being the LAN interface, you need to add a forwarding rule to ipfw:

fwd 127.0.0.1,8080 from 10.0.2.0/24 to any dst-port 80

But that is to do a transparent proxy isn't it?.

I can't use a transparent proxy right now

[freejazz-man]

Ok - I'm positive you aren't using the divert rule appropriately.

http://unix.stackexchange.com/questi...ve-to-ipfw-fwd

from the link:

"No, you can't. divert can be used only with software that listens on sockets created with IPPROTO_IPDIVERT, but proxy servers usually listen on TCP ports."

Does your version of ipfw allow for a forwarding rule? That might be more appropriate

[ElectricSheep]

Quote:

Originally Posted by ghostpaladin

That is exactly the situation, my friend...
http://www.flickr.com/photos/92528398@N07/8410290120/

----------

[/COLOR]

But that is to do a transparent proxy isn't it?.

I can't use a transparent proxy right now

Well, if your aim is to simply block all traffic that I suggest to do what freejazz-man suggested and block all traffic destined for the outside world to ports 80 and 443:

deny tcp from 10.0.2.0/24 to any dst-port 80 via en1
deny tcp from 10.0.2.0/24 to any dst-port 443 via en1

Coupled with your allow on port 8080, users will be forced to configure their proxies.

Quote:

Ok - I'm positive you aren't using the divert rule appropriately.

The divert rule is for NAT. Port 8668 is commonly chosen for natd to listen on.

[freejazz-man]

right - and seeing as he hasn't configured natd to forward the packets via the path outlined in his firewall rules - it's not going to work

[ghostpaladin]

ok. I deleted the divert rule and modified my ruleset as follows:

Code:

00100 allow ip from any to any via lo*
00110 allow ip from 10.0.2.0/24 to me dst-port 8080
00130 allow tcp from any to any out keep-state
00140 allow udp from any to any out keep-state
00150 allow tcp from any to any dst-port 22
00160 allow udp from any to any dst-port 67
00170 allow udp from any to any dst-port 68
01010 allow tcp from any to me dst-port 80 in
01011 allow tcp from any 80 to any out
01012 allow tcp from me to any dst-port 80 out
65534 deny log logamount 1000 ip from any to any in
65535 allow ip from any to any

I'm aware that some rules are not necessary but as far the proxy works exactly as I want.
My only last problem is this: which port do I need to open for my LAN can send and receive mails in microsoft outlook? anybody knows?

----------

Quote:

Originally Posted by ElectricSheep

Well, if your aim is to simply block all traffic that I suggest to do what freejazz-man suggested and block all traffic destined for the outside world to ports 80 and 443:

deny tcp from 10.0.2.0/24 to any dst-port 80 via en1
deny tcp from 10.0.2.0/24 to any dst-port 443 via en1

Coupled with your allow on port 8080, users will be forced to configure their proxies.



The divert rule is for NAT. Port 8668 is commonly chosen for natd to listen on.

Ok. electricSheep. thank you. I will try ths rules after my allow on port 8080 to see how it works

[freejazz-man]

it depends on the protocols being used, pop or imap.

is your setup actually blocking attempts out to the web that don't go through the proxy?

[ghostpaladin]

Quote:

Originally Posted by freejazz-man

it depends on the protocols being used, pop or imap.

is your setup actually blocking attempts out to the web that don't go through the proxy?

Yes, actually I'm denying all web connections except connection throw port 8080 but since miscrosoft outlook cannot be configured to work with proxies I've decided to open just the ports necessary to work with it but I'm not sure which ports should I open and which sintax use for achieve that

[freejazz-man]

you are denying all connections except for port 8080

if you want me to take the time and write out a ruleset that I'm positive will work (and take the time to help you if it doesn't) you can pm me

otherwise good luck at this point