PF and dansguardian, squid

skyking

Lifer
Nov 21, 2001
I set up a proxy box for a private school, using FreeBSD, Squid, and pf. I set it up with two NICs as a gateway.

The method I used so they could not choose an outside proxy:

I made redirects of known proxy ports to my proxy server.
I made redirects of all ports that did not perform other services, like DNS, to my proxy server.
Examples:

rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr on $int_if inet proto tcp from any to any port 444 -> 127.0.0.1 port 8080
rdr on $int_if inet proto tcp from any to any port 1024:1862 -> 127.0.0.1 port 8080

This was with the typical loose ruleset of:

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state


Do you have any other suggestions that would be more elegant? I am new to pf and proxy servers.
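The following is an added example, not code from skyking's post: a pf.conf for the same FreeBSD two-NIC gateway that takes the opposite approach to the ruleset above. Instead of redirecting every port that might host an outside proxy into the local proxy, it redirects only port 80 to the filtering proxy and blocks everything else from the LAN by default, so there is no list of proxy ports to keep current. It uses the pre-OpenBSD 4.7 rdr syntax that FreeBSD's pf uses, the same as the post. The proxy listening on 127.0.0.1:8080 is carried over from the post (the usual arrangement has dansguardian on 8080 forwarding to squid on 3128); the interface names, the LAN subnet and the resolver address are placeholders.

```conf
# Added example, not from the original post: default-deny pf.conf for a
# FreeBSD gateway that forces LAN web browsing through a local filtering proxy.
# Assumptions: the proxy listens on 127.0.0.1:8080 as in the post; interface
# names, LAN subnet and resolver address below are placeholders.
ext_if     = "em0"
int_if     = "em1"
lan        = "192.168.1.0/24"
proxy_port = "8080"
resolver   = "192.0.2.53"      # upstream DNS server (placeholder)

set skip on lo0
scrub in all

# NAT the little LAN traffic that is allowed to leave directly (DNS, ping).
nat on $ext_if inet from $lan to any -> ($ext_if)

# Transparent proxy: every outbound HTTP connection from the LAN is rewritten
# to the local proxy. "rdr pass" passes the redirected packet without running
# it through the filter rules, so no separate pass rule for 127.0.0.1 is needed.
# Port 443 is deliberately not redirected: TLS cannot be handed to a plain
# http_port, so under the default deny below it is simply blocked.
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port $proxy_port

# Default deny. Anything not allowed below is dropped, which covers outside
# proxies on 3128, 8080, 8118 or any other port without listing them.
block log all

# The LAN may resolve names and ping; nothing else leaves the LAN directly.
pass in on $int_if inet proto udp from $lan to $resolver port 53 keep state
pass in on $int_if inet proto icmp from $lan to any icmp-type echoreq keep state

# Traffic the gateway itself originates (the proxy fetching pages, its own
# DNS, updates) may leave. LAN DNS and pings are already covered by the
# states created by the pass in rules above.
pass out on $ext_if inet proto tcp from ($ext_if) to any modulate state flags S/SA
pass out on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state

# Replies to the LAN flow back on the states created above; no catch-all
# "pass out on $int_if" rule is required.
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. On the proxy side, squid must accept intercepted connections (http_port ... intercept in Squid 3.1 and later, transparent in older releases), and on FreeBSD its intercept support reads the original destination through /dev/pf, so the squid user needs read access to that device. The trade-off of this ruleset is HTTPS: with 443 neither redirected nor passed, students either get no HTTPS at all, or you add a pass rule for 443 (unfiltered) or configure the browsers to use the proxy explicitly for CONNECT.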