Fwd: Squid and IPFW

2007-06-02 Thread Spiros Papadopoulos

Sorry, forgot to add the list...

Hi again,

On 01/06/07, RW <[EMAIL PROTECTED]> wrote:



Are you really sure you want to do that way?



I am sure about me wanting to use FreeBSD and i am sure about me
liking IPFW. *I am not sure* if it is the best
way of doing this, but i believe
that if you know how to setup the system and IPFW appropriately, then
it can be a very good firewall solution.
I am also sure that if you setup sth like this from scratch and you are not
an expert, it would need time before it becomes strong enough.

I am not an expert and unfortunately my time is being shared between
multiple things at the moment, even though I would like to concentrate
only on this...

Squid wont be able to

control access to https or ftp. And what about http on non-standard
ports, e.g. http://easynews.com:81



These are consequent questions. What would you recommend on this?
As i mentioned I sent this post quite in advance. Before i start setting up.


without setting this on each workstation?

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers



has some options


It is not for a home network. I wouldn't want to have to set each
workstation' s browser settings.
Especially since there is another way of doing this.

On 02/06/07, Steve Bertrand <[EMAIL PROTECTED]> wrote:



> The people that are smart enough to get around this kind of a block
> in an organization are generally not the problem.  It is the morons that
> have no concept of appropriate use of the Internet in the workplace
> who are the problems, and they will be effectively stopped.



:o)

I agree with Ted here. It's the innapropriate web surfers who are the

main problem, however, traffic filters will catch people using odd
ports, and firewall rules are there to fix this.



I know from experience and is a fact, that traffic/packet filters can be
used effectively
to strengthen the firewall rules.


I use much the same setup for my 8 year old son.  He only gets Internet
> access to websites that we have approved and added to the squid list.

May I make a recommendation for DansGuardian for home users. I have used
it for a few years now, and instead of maintaining just a single list of
allowed sites, it does a fantastic job of filtering the actual content,
images, url's and a bunch of other things.

Of course physical observance is the best approach, but the
Squid/Dansguardian approach works exceptionally well when you have to
walk away. (I have 4 kids ranging from 5 to 13).



Kids feel "at home" when they are at home. They wouldn't hesitate to type
i.e sex.com
or do anything else on *their* browser! Most
employers (especially those morons that don't
know what they do) would hesitate, for many obvious reasons that don't need
to
be mentioned here.

..I am not disregarding or commenting on Dansguardian here, which i
haven't personally used.

Spiros




--
Spiros P.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Squid and IPFW

2007-06-02 Thread Steve Bertrand
>>> I would like to setup a gw / firewall (IPFW) which will also run
>>> Squid, in order to restrict access to certain websites
>>> or to allow certain workstations to have full access to the internet.
>>> How can I redirect all traffic going to port 80 on the gw, to port
>>> 3128 on Squid 
>> Are you really sure you want to do that way?  Squid wont be able to
>> control access to https or ftp. And what about http on non-standard
>> ports, e.g. http://easynews.com:81 
>>
> 
> The people that are smart enough to get around this kind of a block
> in an organization are generally not the problem.  It is the morons that
> have no concept of appropriate use of the Internet in the workplace
> who are the problems, and they will be effectively stopped.

I agree with Ted here. It's the innapropriate web surfers who are the
main problem, however, traffic filters will catch people using odd
ports, and firewall rules are there to fix this.

> I use much the same setup for my 8 year old son.  He only gets Internet
> access to websites that we have approved and added to the squid list.

May I make a recommendation for DansGuardian for home users. I have used
it for a few years now, and instead of maintaining just a single list of
allowed sites, it does a fantastic job of filtering the actual content,
images, url's and a bunch of other things.

Of course physical observance is the best approach, but the
Squid/Dansguardian approach works exceptionally well when you have to
walk away. (I have 4 kids ranging from 5 to 13).

Steve
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


RE: Squid and IPFW

2007-06-02 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of RW
> Sent: Friday, June 01, 2007 5:23 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: Squid and IPFW
> 
> 
> On Thu, 31 May 2007 13:13:36 -0400
> "Spiros Papadopoulos" <[EMAIL PROTECTED]> wrote:
> 
> > Dear all,
> > 
> > I would like to setup a gw / firewall (IPFW) which will also run
> > Squid, in order to restrict access to certain websites
> > or to allow certain workstations to have full access to the internet.
> > How can I redirect all traffic going to port 80 on the gw, to port
> > 3128 on Squid 
> 
> Are you really sure you want to do that way?  Squid wont be able to
> control access to https or ftp. And what about http on non-standard
> ports, e.g. http://easynews.com:81 
> 

The people that are smart enough to get around this kind of a block
in an organization are generally not the problem.  It is the morons that
have no concept of appropriate use of the Internet in the workplace
who are the problems, and they will be effectively stopped.

I use much the same setup for my 8 year old son.  He only gets Internet
access to websites that we have approved and added to the squid list.


Ted
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Squid and IPFW

2007-06-01 Thread RW
On Thu, 31 May 2007 13:13:36 -0400
"Spiros Papadopoulos" <[EMAIL PROTECTED]> wrote:

> Dear all,
> 
> I would like to setup a gw / firewall (IPFW) which will also run
> Squid, in order to restrict access to certain websites
> or to allow certain workstations to have full access to the internet.
> How can I redirect all traffic going to port 80 on the gw, to port
> 3128 on Squid 

Are you really sure you want to do that way?  Squid wont be able to
control access to https or ftp. And what about http on non-standard
ports, e.g. http://easynews.com:81 

> without setting this on each workstation?

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

has some options
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Fwd: Squid and IPFW

2007-05-31 Thread Spiros Papadopoulos

Thanks for your reply. I asked the question long in advance. I will try
this.

-- Forwarded message --
From: Tek Bahadur Limbu <[EMAIL PROTECTED] >
Date: 31-May-2007 14:35
Subject: Re: Squid and IPFW
To: Spiros Papadopoulos <[EMAIL PROTECTED]>
Cc: freebsd mailing list < freebsd-questions@freebsd.org>



Spiros Papadopoulos wrote:

Dear all,

I would like to setup a gw / firewall (IPFW) which will also run Squid, in
order to restrict access to certain websites
or to allow certain workstations to have full access to the internet.
How can I redirect all traffic going to port 80 on the gw, to port 3128 on
Squid without setting this on each workstation?
I know this can be done with iptables but i don't want to use iptables on
this one...


Hi Spiros,

You can try the following commands:


/sbin/ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in
/sbin/ipfw add allow tcp  from 192.168.0.0/24 to any  3128 in via fxp0

Hope it helps.




Thanks in advance
Spiros P.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED] "







--
Spiros P.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Squid and IPFW

2007-05-31 Thread Tek Bahadur Limbu



Spiros Papadopoulos wrote:

Dear all,

I would like to setup a gw / firewall (IPFW) which will also run Squid, in
order to restrict access to certain websites
or to allow certain workstations to have full access to the internet.
How can I redirect all traffic going to port 80 on the gw, to port 3128 on
Squid without setting this on each workstation?
I know this can be done with iptables but i don't want to use iptables on
this one...


Hi Spiros,

You can try the following commands:


/sbin/ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in
/sbin/ipfw add allow tcp  from 192.168.0.0/24 to any  3128 in via fxp0

Hope it helps.




Thanks in advance
Spiros P.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
"[EMAIL PROTECTED]"






___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Squid and IPFW

2007-05-31 Thread Spiros Papadopoulos

Dear all,

I would like to setup a gw / firewall (IPFW) which will also run Squid, in
order to restrict access to certain websites
or to allow certain workstations to have full access to the internet.
How can I redirect all traffic going to port 80 on the gw, to port 3128 on
Squid without setting this on each workstation?
I know this can be done with iptables but i don't want to use iptables on
this one...

Thanks in advance
Spiros P.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: squid and ipfw ... fwd ...

2003-02-15 Thread Gianmarco Giovannelli
At 14/02/2003, P. U. Kruppa wrote:

On Thu, 13 Feb 2003, Dancho Penev wrote:

> On Thu, Feb 13, 2003 at 06:44:24PM +0100, P. U. Kruppa wrote:
> >Date: Thu, 13 Feb 2003 18:44:24 +0100 (CET)
> >From: [EMAIL PROTECTED] (P. U. Kruppa)
> >To: [EMAIL PROTECTED]
> >Subject: squid and ipfw ... fwd ...
> >
> >Hi!
> >
> >I am trying to setup a transparent proxy with Squid.


This should work, squid on port 3128 on the gateway of the intranet.

# Transparent Proxy -- ipfw (before divert rules) 
${ipfwcmd} 0045 pass tcp from ${MY_EXTERNAL_IP} to any 80
${ipfwcmd} 0049 fwd 127.0.0.1,3128 tcp from any to any 80

--> minimal squid.conf
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_dir null /tmp
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
ftp_user squid@
ftp_passive off

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl yournet src ${YOUR_NET_CLASS}
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ${YOUR_NET_CLASS}
http_access deny all


Please let me know...



Best Regards,
Gianmarco Giovannelli ,  "Unix expert since yesterday"
http://www.gufi.org/~gmarco



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



Re: squid and ipfw ... fwd ...

2003-02-13 Thread P. U. Kruppa
On Thu, 13 Feb 2003, Dancho Penev wrote:

> On Thu, Feb 13, 2003 at 06:44:24PM +0100, P. U. Kruppa wrote:
> >Date: Thu, 13 Feb 2003 18:44:24 +0100 (CET)
> >From: [EMAIL PROTECTED] (P. U. Kruppa)
> >To: [EMAIL PROTECTED]
> >Subject: squid and ipfw ... fwd ...
> >
> >Hi!
> >
> >I am trying to setup a transparent proxy with Squid.
> >
> >Proxying and caching itself works fine (thanks to the help of
> >this list!) - my Squid is listening on port 80.
> >
> >I have got the ipfw kernel module running and seem to be able to
> >change all kinds of rules via ipfw or from bootup via some
> >firewall configuration file. As all kinds of manuals advise I do
> ># ipfw add 200 allow tcp from 192.168.10.1 to any
> >and still everything works fine. But when I try the next line
> ># ipfw add 300 fwd 127.0.0.1 tcp from any to any 80
> >I keep receiving access denied messages from squid.
>
> Put in squid config file something like this (change ip address and netmask):
>
> acl permitednet src 192.168.0.0/255.255.0.0
> http_access allow permitednet
I have got these.
Squid works fine as long as I setup all browsers to use
192.168.10.1's port 80 .
But when they are set to automatic detection they don't use
Squid.
The ipfw rule 300 should redirect all traffic to squid - which it
in fact does: The access denial message is produced by Squid. But
there everything ends.

Uli.

> Take a look at ACCESS CONTROLS section in squid.conf for more details.
> In fact if you keep above two ipfw rules transparent proxy will not work for
> 192.168.10.1 .
>
> >
> >I found several emails about this problem in Google but no
> >solution.
> >
> >
> >What can be done now?
> >
> >Thanks for any ideas,
> >
> >Uli.
> >
> >*---*
> >*Peter Ulrich Kruppa*
> >*  -  Wuppertal -   *
> >*  Germany  *
> >*---*
> >
> >To Unsubscribe: send mail to [EMAIL PROTECTED]
> >with "unsubscribe freebsd-questions" in the body of the message
>
> --
> Regards,
> Dancho Penev
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
>

*---*
*Peter Ulrich Kruppa*
*  -  Wuppertal -   *
*  Germany  *
*---*

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



Re: squid and ipfw ... fwd ...

2003-02-13 Thread Dancho Penev
On Thu, Feb 13, 2003 at 06:44:24PM +0100, P. U. Kruppa wrote:

Date: Thu, 13 Feb 2003 18:44:24 +0100 (CET)
From: [EMAIL PROTECTED] (P. U. Kruppa)
To: [EMAIL PROTECTED]
Subject: squid and ipfw ... fwd ...

Hi!

I am trying to setup a transparent proxy with Squid.

Proxying and caching itself works fine (thanks to the help of
this list!) - my Squid is listening on port 80.

I have got the ipfw kernel module running and seem to be able to
change all kinds of rules via ipfw or from bootup via some
firewall configuration file. As all kinds of manuals advise I do
# ipfw add 200 allow tcp from 192.168.10.1 to any
and still everything works fine. But when I try the next line
# ipfw add 300 fwd 127.0.0.1 tcp from any to any 80
I keep receiving access denied messages from squid.


Put in squid config file something like this (change ip address and netmask):

acl permitednet src 192.168.0.0/255.255.0.0
http_access allow permitednet

Take a look at ACCESS CONTROLS section in squid.conf for more details.
In fact if you keep above two ipfw rules transparent proxy will not work for
192.168.10.1 .



I found several emails about this problem in Google but no
solution.


What can be done now?

Thanks for any ideas,

Uli.

*---*
*Peter Ulrich Kruppa*
*  -  Wuppertal -   *
*  Germany  *
*---*

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message


--
Regards,
Dancho Penev

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



squid and ipfw ... fwd ...

2003-02-13 Thread P. U. Kruppa
Hi!

I am trying to setup a transparent proxy with Squid.

Proxying and caching itself works fine (thanks to the help of
this list!) - my Squid is listening on port 80.

I have got the ipfw kernel module running and seem to be able to
change all kinds of rules via ipfw or from bootup via some
firewall configuration file. As all kinds of manuals advise I do
# ipfw add 200 allow tcp from 192.168.10.1 to any
and still everything works fine. But when I try the next line
# ipfw add 300 fwd 127.0.0.1 tcp from any to any 80
I keep receiving access denied messages from squid.

I found several emails about this problem in Google but no
solution.


What can be done now?

Thanks for any ideas,

Uli.

*---*
*Peter Ulrich Kruppa*
*  -  Wuppertal -   *
*  Germany  *
*---*

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message