From owner-freebsd-questions@FreeBSD.ORG Tue Sep 25 22:15:39 2007
From: Mel
To: freebsd-questions@freebsd.org
Date: Wed, 26 Sep 2007 00:15:36 +0200
Subject: Re: PF: block out port 80 so that not allow clients in LAN to browse Internet via port 80
Message-Id: <200709260015.36772.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <20070925224014.5f88fda7@gumby.homeunix.com.>
References: <46F91290.7050500@fpt.vn> <20070925224014.5f88fda7@gumby.homeunix.com.>

On Tuesday 25 September 2007 23:40:14 RW wrote:
> On Tue, 25 Sep 2007 20:52:16 +0700
> vuthecuong wrote:
> > Recently I used squid for cache proxy configured to go internet
> > through port 3128.
> > But internet browsers in the LAN still connect to the Internet through port 80
> > if the connection option of the Internet browser is chosen to connect
> > directly to the internet,
> > not through the proxy server.
> > So how can I block out port 80 so that LAN clients must go to the
> > internet through port
> > 3128 via the proxy server?
> > Thanks in advance
> > ________________
>
> Blocking a port with PF is really basic. If you have to ask you would
> be better off reading about PF first, before you do anything.
>
> http://www.openbsd.org/faq/pf/index.html

Well, he could block, but transparently doing it without annoying users is
better(tm).

Vuthecuong, the following line will redirect traffic from the local net to
port 80 on the internet to squid on port 3128:

    rdr on $int_if proto tcp from $int_if:network to any port www -> \
        $int_addr port 3128

where $int_if is the internal interface, $int_addr the address on the
internal interface squid listens on and $ext_if the external interface.

There's a full article on how to set this up, here:
http://www.benzedrine.cx/transquid.html

-- 
Mel
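Putting Mel's rdr line into context, here is an added pf.conf fragment (not from the thread or from the benzedrine article) that does both things the thread discusses: it redirects LAN web traffic to squid transparently and, as a fallback, blocks direct port 80 forwarding from the LAN so that a lost or commented-out rdr rule fails closed instead of silently bypassing the proxy. The interface names em0/em1, the address 192.168.1.1 and the macro names are assumptions; the syntax is the pre-OpenBSD 4.7 rdr style that FreeBSD 6/7 used in 2007, which is what Mel's line uses.

```pf
# Added example pf.conf fragment, not part of the original thread.
# Interface names and the gateway address are placeholders; adjust to taste.
int_if     = "em0"           # LAN-facing interface (assumed)
ext_if     = "em1"           # Internet-facing interface (assumed)
int_addr   = "192.168.1.1"   # address on $int_if where squid listens (assumed)
proxy_port = "3128"

# pf.conf requires translation rules before filter rules.
# Leave connections that already target the gateway's own web port alone, so
# that admin access to the gateway is not swallowed by the proxy ...
no rdr on $int_if proto tcp from $int_if:network to $int_addr port www
# ... and transparently send every other LAN -> port 80 connection to squid.
rdr on $int_if proto tcp from $int_if:network to any port www -> \
    $int_addr port $proxy_port

# Filter rules see the translated destination ($int_addr:3128), so that is
# what must be passed in on the LAN interface.
pass in on $int_if proto tcp from $int_if:network to $int_addr \
    port $proxy_port keep state

# Defence in depth (last matching rule wins): forwarded LAN traffic to port 80
# must never leave the external interface directly, even if the rdr above is
# removed; only fetches sourced from the gateway itself (i.e. squid) may go out.
block out on $ext_if proto tcp from $int_if:network to any port www
pass  out on $ext_if proto tcp from ($ext_if) to any port www keep state
```

Merge the fragment into the existing ruleset in section order (macros, translation, then filter rules), syntax-check it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the redirect is active with `pfctl -s nat`; a client that opens a port 80 connection with the browser set to "direct" should then show up in `pfctl -s state` as a session to $int_addr port 3128 and in squid's access log. Squid itself must accept intercepted connections on that port: the Squid 2.6 series current in 2007 used `http_port 3128 transparent`, while Squid 3.1 and later spell the same option `intercept`.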