I have seen lots of pages on Google on how to set up Squid as a transparent
proxy server on FreeBSD.  However, most of these refer to 4.9-STABLE, using
IPTables.  I am currently using natd and ipfw.  Here are my firewall rules:


proxy# cat rc.firewall.rules
# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from to any in via fxp0
add 00302 deny ip from to any in via fxp0
add 00303 deny ip from to any in via fxp0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via fxp0
add 01001 check-state

# allow some traffic from the local net to the router
add 04000 allow tcp from any to me dst-port 22 setup keep-state
add 04001 allow icmp from to me in via xl0
add 04002 allow tcp from to me dst-port 123 in via xl0 setup keep-state
add 04003 allow udp from to me dst-port 123 in via xl0
add 04006 allow udp from to me dst-port 53 in via xl0

# drop everything else
add 04009 deny ip from to me

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from to any in via xl0 keep-state

# allow all outgoing traffic from the router (maybe you should be more
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60000 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will come
# First, nat them, then pass them on (again, you may choose to be more
add 61000 divert natd ip from to any out via fxp0
add 61001 allow ip from any to any


proxy# cat natd.conf
interface fxp0
# dynamically open fw for ftp, irc
punch_fw 2000:50

proxy# uname -a
FreeBSD proxy.valuedj.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Fri Mar 26 19:14:17 PST 2004    [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL  i386

How would I set it so all incoming packets from xl0 would get redirected
to port 8080 for the proxy server?  I want to set up DansGuardian for
content filtering, and I don't want the people who will be using my network
to find a way around it by disabling the proxy in the browser.

Anyone have any ideas?

Thanks for your help
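The redirect the poster asks about can be done with ipfw's `fwd` action rather than natd. The script below is an added example written for this page, not something from the original thread; it follows the `${fwcmd} add ...` style of FreeBSD's own rc.firewall and assumes the poster's layout (xl0 is the LAN interface, the DansGuardian/Squid proxy listens on 8080 on the same host, and the quoted ruleset is in place). The rule numbers are chosen to slot between the poster's existing rules; the kernel must be built with `options IPFIREWALL_FORWARD` or ipfw refuses the `fwd` action.

```shell
#!/bin/sh
# Added example (not from the original post): redirect LAN web traffic into a
# local proxy with an ipfw "fwd" rule, in the style of FreeBSD's rc.firewall.
# Assumed from the poster's setup: xl0 is the LAN side, the proxy listens on
# 8080 on this host, and the surrounding rules are the ones quoted above.
# Requires a kernel built with "options IPFIREWALL_FORWARD".

fwcmd="${fwcmd:-/sbin/ipfw}"          # rc.firewall uses the same variable name
lan_if="${lan_if:-xl0}"
proxy_port="${proxy_port:-8080}"
proxy_addr="${proxy_addr:-127.0.0.1}"  # address the proxy is bound to locally

setup_redirect() {
    # 04007: clients that point their browser at the proxy explicitly must be
    # able to reach it. Sits before the poster's 04009 "deny ip from <lan> to me".
    ${fwcmd} add 04007 allow tcp from any to me dst-port ${proxy_port} \
        in via ${lan_if} setup keep-state

    # 04100: the transparent redirect itself. A TCP packet arriving on the LAN
    # side for port 80 is handed to the local proxy socket instead of being
    # routed. It sits before 04109, whose skipto sends LAN traffic to the natd
    # divert; fwd terminates the rule search, so the packet never gets there.
    ${fwcmd} add 04100 fwd ${proxy_addr},${proxy_port} tcp from any to any \
        dst-port 80 in via ${lan_if}

    # 04101: fwd does not rewrite the packet, so the proxy's replies leave the
    # LAN interface with the original web server's address as source. They are
    # not "from me" and would otherwise fall through to the final deny rules.
    ${fwcmd} add 04101 allow tcp from any 80 to any out via ${lan_if} established
}

# Apply only when asked to, so the file can be sourced or inspected safely:
#   sh redirect.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_redirect
fi
```

The proxy also has to accept intercepted requests: Squid 2.6 and later take `http_port 8080 transparent`, while the Squid 2.5 of the poster's era used the `httpd_accel_host virtual`, `httpd_accel_port 80`, `httpd_accel_with_proxy on` and `httpd_accel_uses_host_header on` directives. The proxy's own outbound fetches leave via fxp0 and are already covered by the poster's rule 05010.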