I have seen lots of pages on google on how to setup Squid as a Transparent Proxy server on FreeBSD. However most of these refer to 4.9 stable, using IPTables. I am currently using natd and ipfw. Here are my Firewall rules
rc.firewall.rules proxy# cat rc.firewall.rules # be quiet and flush all rules on start -q flush # allow local traffic, deny RFC 1918 addresses on the outside add 00100 allow ip from any to any via lo0 add 00110 deny ip from any to 127.0.0.0/8 add 00120 deny ip from any to any not verrevpath in add 00301 deny ip from 10.0.0.0/8 to any in via fxp0 add 00302 deny ip from 172.16.0.0/12 to any in via fxp0 add 00303 deny ip from 192.168.0.0/16 to any in via fxp0 # check if incoming packets belong to a natted session, allow through if yes add 01000 divert natd ip from any to me in via fxp0 add 01001 check-state # allow some traffic from the local net to the router # SSH add 04000 allow tcp from any to me dst-port 22 setup keep-state # ICMP add 04001 allow icmp from 192.168.1.0/24 to me in via xl0 # NTP add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via xl0 setup keep-state add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via xl0 keep-state # DNS add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via xl0 # drop everything else add 04009 deny ip from 192.168.1.0/24 to me # pass outgoing packets (to be natted) on to a special NAT rule add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via xl0 keep-state # allow all outgoing traffic from the router (maybe you should be more restrictive) add 05010 allow ip from me to any out keep-state # drop everything that has come so far. This means it doesn't belong to an # established connection, don't log the most noisy scans. add 59998 deny icmp from any to me add 59999 deny ip from any to me dst-port 135,137-139,445,4665 add 60000 deny log tcp from any to any established add 60000 deny log ip from any to any # this is the NAT rule. Only outgoing packets from the local net will come here. # First, nat them, then pass them on (again, you may choose to be more restrictive) add 61000 divert natd ip from 192.168.1.0/24 to any out via fxp0 add 61001 allow ip from any to any natd.conf proxy# cat natd.conf unregistered_only interface fxp0 use_sockets dynamic # dyamically open fw for ftp, irc punch_fw 2000:50 proxy# uname -a FreeBSD proxy.valuedj.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Fri Mar 26 19:14:17 PST 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL i386 how would I set it so all incoming packets from xl0 would get redirected to port 8080 for the proxy server. I want to setup DansGuardian for content filtering and I don't want the people who will be using my network to find a way around disabling the Proxy in the browser. Anyone have any ideas? Thanks for your help _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"