From owner-freebsd-questions@FreeBSD.ORG Mon Mar 12 17:57:39 2007
From: Bart Silverstrim
To: FreeBSD Mailing Lists
Date: Mon, 12 Mar 2007 13:57:31 -0400
Subject: firewall/proxy question

I am trying to find a way to stop some people on our network from accessing certain websites. We have been using Squid with SquidGuard on an older FreeBSD system. The Squid that was installed from ports doesn't seem to see https: connections. From what I can find, this appears to be normal behavior since https: connections are encrypted. Is there some way to set up ipfw to block access to port 443 if the URL/IP matches a certain address? These users are bypassing our filter rules by accessing a proxy site that is using https.
The current ruleset on the box is:

    00049 allow tcp from to any
    00050 fwd ,3128 tcp from any to any 80
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65000 allow ip from any to any
    65535 deny ip from any to any

Can someone help with some suggestions? Does the Linux firewall system have a similar way to block access to a particular IP if it were doing forwarding? We were experimenting with a new proxy machine but it is running Ubuntu.

-Bart
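An added example (not from Bart's message) of the ipfw approach he asks about: a small sh script that loads the proxy sites' addresses into an ipfw table and denies TCP/443 to that table, numbered so it sorts before the existing 00049/00050 rules. ipfw cannot read the URL inside a TLS connection, so the match has to be on destination IP or CIDR; table number 10, rule number 00045, the optional BLOCKLIST file and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original message. Builds ipfw commands that
# put proxy-site addresses into a table and deny TCP/443 to that table, so the
# block lands before the existing 00049 allow and 00050 fwd rules.
# Assumptions: table 10 and rule number 00045 are unused on the box.
# Commands are printed for review; APPLY=1 (as root) pipes them into sh.
TABLE=10
BLOCKLIST="${BLOCKLIST:-}"   # optional file: one IP or CIDR per line

# Constructed sample list (documentation addresses), used when no file is given.
sample_blocklist() {
    printf '%s\n' '# https proxy sites' '192.0.2.10' '198.51.100.0/24' ''
}

# Read addresses on stdin and emit the ipfw commands; blanks and comments skipped.
gen_rules() {
    echo "ipfw table $TABLE flush"
    while read -r addr; do
        case "$addr" in ''|\#*) continue ;; esac
        echo "ipfw table $TABLE add $addr"
    done
    # ipfw cannot see the URL inside TLS, so the match is on destination IP.
    # 00045 sorts before 00049/00050; if 00049 is an exemption host that must
    # keep working, give that rule a lower number than this deny.
    echo "ipfw add 00045 deny log tcp from any to table($TABLE) 443"
}

# Choose the input source and produce the rule set.
rules_from_list() {
    if [ -n "$BLOCKLIST" ] && [ -r "$BLOCKLIST" ]; then
        gen_rules < "$BLOCKLIST"
    else
        sample_blocklist | gen_rules
    fi
}

# Number of table-add commands generated (a sanity check before applying).
count_add_cmds() {
    rules_from_list | grep -c "^ipfw table $TABLE add "
}

if [ "${APPLY:-0}" = 1 ]; then
    rules_from_list | sh
else
    rules_from_list
fi
```

Hits on the deny rule show up in the ipfw log (security facility) because of the `log` keyword, which makes it easy to see which hosts are still trying the blocked sites.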