From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 17 05:37:12 2009
Date: Mon, 16 Nov 2009 21:37:11 -0800
From: Freddie Cash <fjwcash@gmail.com>
To: Brian
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Dansguardian, nat, & ipfw
In-Reply-To: <000001ca6741$b1316520$13942f60$@net>
List-Id: IPFW Technical Discussions
On Mon, Nov 16, 2009 at 8:51 PM, Brian wrote:
> Trying to configure my gateway box running FBSD 7.2 to provide content
> filtering services for some or all clients on my network.
>
> The box is configured with natd and running IPFW. I like this combination
> and have been using it successfully for years. Not really interested in
> changing to squid or pf or whatever else may be known (or better documented)
> to work with dansguardian.

Dansguardian does not do any page fetches on its own; it just scans pages
returned by a proxy server. You cannot run Dansguardian without some kind of
web proxy server. By default, the port will install Squid, but it has been
shown to work with TinyProxy.

> Dansguardian seems to be the preferred option for content filtering as near
> as I can tell. There is lots of documentation out there for configuring
> dans with squid. I can't find much of anything for IPFW / NAT.
>
> So, the question is, can this be done? I've seen one or two suggestions out
> there giving a brief description of how to use the fwd command to send
> packets to dans but unfortunately I am not smart enough to implement that
> here.

You can use IPFW to fwd packets to Dansguardian quite easily:

  ipfw add fwd 127.0.0.1:8080 tcp from $local_subnet to any 80 in recv $local_nic
  ipfw add allow tcp from me to any 80 out xmit $public_nic
  ipfw add allow tcp from any 80 to me in recv $public_nic established

The first rule redirects all HTTP traffic from the local subnet to
Dansguardian. Dansguardian will then pass the packets off to a local install
of Squid (uses 127.0.0.1:3128 by default). Squid will then connect out to the
remote web server to grab the pages (the next two rules).

You *MUST* have a web proxy server installed somewhere, that Dansguardian
will forward the requests to, and receive the responses from.
-- 
Freddie Cash
fjwcash@gmail.com
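An added example, not part of Freddie's reply: a small sh function that prints the three ipfw rules from the mail as a numbered ruleset placed ahead of the natd divert rule that Brian's gateway already uses (the divert line, the interface names and the subnet are assumptions for the example). It only emits the commands so they can be reviewed before loading.

```shell
#!/bin/sh
# Constructed example: emit an ipfw ruleset that wires the fwd-to-Dansguardian
# rules in front of an existing natd divert. Nothing here calls ipfw; the
# output is meant to be reviewed (e.g. with `ipfw -n`) and then loaded.
# On FreeBSD 7.x the fwd action needs `options IPFIREWALL_FORWARD` in the kernel.

emit_filter_ruleset() {
    local_subnet="$1"      # LAN subnet, e.g. 192.168.1.0/24 (assumed)
    local_nic="$2"         # LAN interface, e.g. em1 (assumed)
    public_nic="$3"        # upstream interface, e.g. em0 (assumed)
    dg_port="${4:-8080}"   # Dansguardian listening port; the mail uses 8080

    # Refuse a non-numeric port rather than emitting a rule ipfw will reject.
    case "$dg_port" in
        ''|*[!0-9]*) echo "bad Dansguardian port: $dg_port" >&2; return 1 ;;
    esac

    cat <<EOF
# 1. Redirect LAN HTTP to Dansguardian on loopback. Only TCP/80 is caught;
#    HTTPS (443) from the LAN is not inspected by this rule.
ipfw -q add 01000 fwd 127.0.0.1:${dg_port} tcp from ${local_subnet} to any 80 in recv ${local_nic}
# 2. Squid, fed by Dansguardian, fetches the pages from the gateway itself.
ipfw -q add 01010 allow tcp from me to any 80 out xmit ${public_nic}
ipfw -q add 01020 allow tcp from any 80 to me in recv ${public_nic} established
# 3. Remaining traffic goes through natd as before (assumed existing setup);
#    the fwd rule is numbered lower so it is evaluated first.
ipfw -q add 02000 divert natd ip from any to any via ${public_nic}
EOF
}
```

Running `emit_filter_ruleset 192.168.1.0/24 em1 em0` prints the four rules in evaluation order; an invalid port makes the function return non-zero.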