Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 06 Jul 2007 17:20:50 +0100
From:      Daniel Bye <dan@slightlystrange.org>
To:        Zbigniew Szalbot <zbigniew@szalbot.homedns.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: parental control with squid and dansguardian
Message-ID:  <468E6BE2.3010203@slightlystrange.org>
In-Reply-To: <28511e606938ca3af6624a90fa5798e9@szalbot.homedns.org>
References:  <28511e606938ca3af6624a90fa5798e9@szalbot.homedns.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Zbigniew Szalbot wrote:
> hi,
> 
> Thank you all for your comments re FreeBSD as a parental control and
> gateway server. I have both squid and dansguardian working and I am left
> with configuring them to optimize web browsing and the desired level of
> control.
> 
> I do not yet have FreeBSD functioning as a real gateway as I will be able
> to do it at a later stage. However, there is one thing that leaves me
> wondering. In order to use the content filtering as provided by
> Dansguardian, I need to configure the browser to look for proxy on port
> 8080. Now, if someone just changes the port in their browser to 3128 (squid
> proxy port), then all content filtering will be bypassed. 
> 
> What do I need to do in order to avoid someone escaping the control? I am
> also wondering how I should bring pf into the picture? I haven't tried yet
> as the box is behind a router firewall anyway but I would appreciate your
> comments how to marry squid & dansguardian with pf.

You can use pf's redirection to catch all outbound traffic destined for
port 80:

  rdr on $int_if inet proto tcp from $internal_net to !<me> port www ->
$proxy_host port $proxy_port

Define the macros appropriately in /etc/pf.conf and you're away.

<me> is a pf table that contains all the firewall machine's addresses:

  table <me> persist { self }

Any packets originating from your internal network, bound for port 80 on
any host other than the firewall (you may need to fine tune this,
depending on your needs), are redirected to the designated host/port. No
need to set up per-client proxies as the firewall handles it transparently.

Make sure squid is built with SQUID_PF=1 (from make config). There are
some settings in squid.conf you may need to tweak - there's plenty of
documentation on their website.

Transparent proxying requires no client configuration, but it also means
that proxy authentication won't work, because as far as the client is
concerned, it is talking to an end server, not a proxy. If this is a
concern, then you can just set up your clients to explicitly look for
the proxy, and tighten up your firewall rules so that altering the proxy
settings might bypass the proxy/filter, but will also get any web
traffic blocked at the firewall. They'll soon go back to using the
supplied proxy settings!

I'm not sure about automatic proxy config, as I've never used it. It is
not, though, a type of transparent proxying, which is run entirely on
the firewall/proxy hosts, without any knowledge of it on the part of the
client.

HTH

Dan



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?468E6BE2.3010203>