Date:      Mon, 16 Nov 2009 21:37:11 -0800
From:      Freddie Cash <>
To:        Brian <>
Subject:   Re: Dansguardian, nat, & ipfw
Message-ID:  <>
In-Reply-To: <000001ca6741$b1316520$13942f60$@net>
References:  <000001ca6741$b1316520$13942f60$@net>

On Mon, Nov 16, 2009 at 8:51 PM, Brian <> wrote:
> Trying to configure my gateway box running FBSD 7.2 to provide content
> filtering services for some or all clients on my network.
> The box is configured with natd and running IPFW. I like this combination
> and have been using it successfully for years. Not real interested in
> changing to squid or pf or whatever else may be known (or better documented)
> to work with dansguardian.

Dansguardian does not do any page fetches on its own, it just scans
pages returned by a proxy server.  You cannot run Dansguardian without
some kind of web proxy server.  By default, the port will install
Squid, but it has been shown to work with TinyProxy.

> Dansguardian seems to be the preferred option for content filtering as near
> as I can tell. There is lots of documentation out there for configuring
> dans with squid. I can't find much of anything for IPFW / NAT.
> So, the question is, can this be done? I've seen one or two suggestions out
> there giving a brief description of how to use the fwd command to send
> packets to dans but unfortunately I am not smart enough to implement that
> here.

You can use IPFW to fwd packets to Dansguardian quite easily:
  ipfw add fwd tcp from $local_subnet to any 80 in recv
  ipfw add allow tcp from me to any 80 out xmit $public_nic
  ipfw add allow tcp from any 80 to me in recv $public_nic established

The first rule redirects all HTTP traffic from the local subnet to
Dansguardian.  Dansguardian will then pass the packets off to a local
install of Squid (uses by default).  Squid will then
connect out to the remote web server to grab the pages (the next two

You *MUST* have a web proxy server installed somewhere, that
Dansguardian will forward the requests to, and receive the responses

Freddie Cash
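
The three rules from the reply above, as an added example that is not part of the original message: a dry-run generator that validates its inputs and prints the commands instead of installing them. The forward target (127.0.0.1, port 8080), the interface names, the subnet and the rule numbers are all assumptions, since the archived message does not show them.

```shell
#!/bin/sh
# Added example: prints (does not install) ipfw rules for transparent filtering.
# Every default below is an assumption, not a value from the archived message.
LOCAL_SUBNET="${LOCAL_SUBNET:-192.168.1.0/24}"  # constructed sample LAN
PRIVATE_NIC="${PRIVATE_NIC:-em1}"               # hypothetical inside interface
PUBLIC_NIC="${PUBLIC_NIC:-em0}"                 # hypothetical outside interface
DG_ADDR="${DG_ADDR:-127.0.0.1}"                 # assumed Dansguardian listen address
DG_PORT="${DG_PORT:-8080}"                      # assumed Dansguardian listen port
BASE="${BASE:-1000}"                            # hypothetical rule number; fit it to your ruleset

is_num() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

valid_port() {
    is_num "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only characters that can appear in an interface name or an address,
# so a bad value cannot add extra words to the generated rule.
valid_token() {
    case "$1" in ''|*[!A-Za-z0-9_./]*) return 1 ;; esac
}

gen_rules() {
    valid_port "$DG_PORT" || { echo "bad port: $DG_PORT" >&2; return 1; }
    is_num "$BASE" || { echo "bad rule number: $BASE" >&2; return 1; }
    for v in "$LOCAL_SUBNET" "$PRIVATE_NIC" "$PUBLIC_NIC" "$DG_ADDR"; do
        valid_token "$v" || { echo "bad value: $v" >&2; return 1; }
    done
    [ "$PRIVATE_NIC" != "$PUBLIC_NIC" ] || { echo "NICs must differ" >&2; return 1; }

    # Rule 1: client HTTP arriving on the inside interface goes to Dansguardian.
    # Matching only "in recv $PRIVATE_NIC" keeps the proxy's own outbound
    # requests out of this rule, so they are not forwarded back to the filter.
    echo "ipfw add $BASE fwd $DG_ADDR,$DG_PORT tcp from $LOCAL_SUBNET to any 80 in recv $PRIVATE_NIC"
    # Rules 2 and 3: let the proxy on this host fetch pages and get the replies.
    echo "ipfw add $((BASE + 10)) allow tcp from me to any 80 out xmit $PUBLIC_NIC"
    echo "ipfw add $((BASE + 20)) allow tcp from any 80 to me in recv $PUBLIC_NIC established"
}

gen_rules
```

Review the printed commands against the existing ruleset before running them as root.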
