Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 16 Nov 2009 21:37:11 -0800
From:      Freddie Cash <fjwcash@gmail.com>
To:        Brian <bbayorgeon@charter.net>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Dansguardian, nat, & ipfw
Message-ID:  <b269bc570911162137v68826f21jd95d0f1414b3e1b2@mail.gmail.com>
In-Reply-To: <000001ca6741$b1316520$13942f60$@net>
References:  <000001ca6741$b1316520$13942f60$@net>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Nov 16, 2009 at 8:51 PM, Brian <bbayorgeon@charter.net> wrote:
> Trying to configure my gateway box running FBSD 7.2 to provide content
> filtering services for some or all clients on a my network.
>
> The box is configured with natd and running IPFW. =C2=A0I like this combi=
nation
> and have been using it successfully for years. =C2=A0Not real interested =
to
> changing to squid or pf or whatever else may be known (or better document=
ed)
> to work with dansguardian.

Dansguardian does not do any pages fetches on its own, it just scans
pages returned by a proxy server.  You cannot run Dansguardian without
some kind of web proxy server.  By default, the port will install
Squid, but it has been shown to work with TinyProxy.

> Dansguardian seems to be the preferred option for content filtering as ne=
ar
> as I can tell. =C2=A0There is lots of documentation out there for configu=
ring
> dans with squid. =C2=A0I can't find much of anything for IPFW / NAT
>
> So, the question is, can this be done? =C2=A0I've seen one or two suggest=
ions out
> there giving a brief description of how to use the fwd command to send
> packets to dans but unfortunately I am not smart enough to implement that
> here.

You can use IPFW to fwd packet to Dansguardian quite easily:
  ipfw add fwd 127.0.0.1:8080 tcp from $local_subnet to any 80 in recv
$local_nic
  ipfw add allow tcp from me to any 80 out xmit $public_nic
  ipfw add allow tcp from any 80 to me in recv $public_nic established

The first rule redirects all HTTP traffic from the local subnet to
Dansguardian.  Dansguardian will then pass the packets off to a local
install of Squid (uses 127.0.0.1:3128 by default).  Squid will then
connect out to the remote web server to grab the pages (the next two
rules).

You *MUST* have a web proxy server installed somewhere, that
Dansguardian will forward the requests to, and receive the responses
from.

--=20
Freddie Cash
fjwcash@gmail.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b269bc570911162137v68826f21jd95d0f1414b3e1b2>