From owner-freebsd-questions@FreeBSD.ORG Fri Jul 6 16:20:56 2007
Message-ID: <468E6BE2.3010203@slightlystrange.org>
Date: Fri, 06 Jul 2007 17:20:50 +0100
From: Daniel Bye
To: Zbigniew Szalbot
Cc: freebsd-questions@freebsd.org
Subject: Re: parental control with squid and dansguardian
In-Reply-To: <28511e606938ca3af6624a90fa5798e9@szalbot.homedns.org>

Zbigniew Szalbot wrote:
> hi,
>
> Thank you all for your comments re FreeBSD as a parental control and
> gateway server. I have both squid and dansguardian working and I am left
> with configuring them to optimize web browsing and the desired level of
> control.
>
> I do not yet have FreeBSD functioning as a real gateway as I will be able
> to do it at a later stage. However, there is one thing that leaves me
> wondering. In order to use the content filtering as provided by
> Dansguardian, I need to configure the browser to look for the proxy on port
> 8080. Now, if someone just changes the port in their browser to 3128 (squid
> proxy port), then all content filtering will be bypassed.
>
> What do I need to do in order to avoid someone escaping the control? I am
> also wondering how I should bring pf into the picture? I haven't tried yet
> as the box is behind a router firewall anyway, but I would appreciate your
> comments on how to marry squid & dansguardian with pf.

You can use pf's redirection to catch all outbound traffic destined for
port 80:

    rdr on $int_if inet proto tcp from $internal_net to ! port www -> $proxy_host port $proxy_port

Define the macros appropriately in /etc/pf.conf and you're away.
is a pf table that contains all the firewall machine's addresses:

    table persist { self }

Any packets originating from your internal network, bound for port 80 on
any host other than the firewall (you may need to fine tune this,
depending on your needs), are redirected to the designated host/port. No
need to set up per-client proxies as the firewall handles it
transparently.

Make sure squid is built with SQUID_PF=1 (from make config). There are
some settings in squid.conf you may need to tweak - there's plenty of
documentation on their website.

Transparent proxying requires no client configuration, but it also means
that proxy authentication won't work, because as far as the client is
concerned, it is talking to an end server, not a proxy. If this is a
concern, then you can just set up your clients to explicitly look for the
proxy, and tighten up your firewall rules so that altering the proxy
settings might bypass the proxy/filter, but will also get any web traffic
blocked at the firewall. They'll soon go back to using the supplied proxy
settings!

I'm not sure about automatic proxy config, as I've never used it. It is
not, though, a type of transparent proxying, which is run entirely on the
firewall/proxy hosts, without any knowledge of it on the part of the
client.

HTH

Dan
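An added pf.conf fragment (not from Dan's mail) that ties the redirection above to the "tighten up your firewall rules" advice, so that pointing a browser straight at squid's port 3128, or straight at a web server, is refused rather than bypassing DansGuardian. It assumes the internal interface is em1, the LAN is 192.168.1.0/24, the pf table is named <fw_self>, and DansGuardian (8080) and squid (3128) both run on the firewall:

```pf
# Assumed macros; adjust to your own interface, LAN and proxy placement.
int_if       = "em1"
internal_net = "192.168.1.0/24"
proxy_host   = "127.0.0.1"
proxy_port   = "8080"

# All of the firewall's own addresses (table name is an assumption).
table <fw_self> persist { self }

# Translation rules must precede filter rules in pf.conf.
# LAN web traffic not aimed at the firewall itself goes to DansGuardian;
# squid needs SQUID_PF=1 to recover the original destination.
rdr on $int_if inet proto tcp from $internal_net to !<fw_self> port www \
    -> $proxy_host port $proxy_port

# Filter rules see the translated destination, so redirected traffic now
# targets <fw_self> port 8080 and matches the pass rule below.

# A browser reconfigured to use squid directly on 3128 is refused and logged.
block in quick log on $int_if proto tcp from $internal_net to <fw_self> port 3128

# Only the DansGuardian port on the firewall is reachable from the LAN.
pass  in quick on $int_if proto tcp from $internal_net to <fw_self> port $proxy_port keep state

# Anything else that still claims port 80 as its destination (e.g. a client
# whose traffic was exempted from the rdr above) is blocked and logged.
block in log on $int_if proto tcp from $internal_net to any port www
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f; the log entries on the two block rules are what tell you which client tried to sidestep the filter.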