On Sunday 10 September 2006 10:32, Stuart Henderson wrote:
> On 2006/09/10 09:08, steve szmidt wrote:
> > > Maybe it would help to post pfctl -sr -vv with the direct entry
> > > (i.e. working) and table (i.e. not-working). Perhaps pfctl -sT -v
> > > too.
> >
> > Since pflog0 tells me which rule was used I only include that rule. The
> > first one is working and the 2nd is not.
> >
> > pass out log on $WAN proto tcp from any to any port $Web keep state
>
> oh, I thought you were putting the addresses in there (instead of
> loading from a table), not "any".
I was, until I finally got it that the rules are looking at IPs after, not
before, NAT. :)
>
> If you prefer simpler and lower resource-use and don't need
> caching, tinyproxy works nicely.
I'm not sure how fine grained the control is. It needs to define allowed sites
for different user groups (by IP). Something like this:
192.168.0.0/26 can access (list of web sites)
192.168.0.65/27 can access (list of web sites)
192.168.0.97/28 can access (any web site)
--
Steve Szmidt
"To enjoy the right of political self-government, men must be
capable of personal self-government - the virtue of self-control.
A people without decency cannot be secure in its liberty."
From the Declaration Principles
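The point Steve hits on above (outbound rules on $WAN see the source address after NAT, so a table of internal addresses never matches there) also answers the per-group question: match on the internal interface, where the client address is still untranslated. The following pf.conf fragment is an added example written for this thread, not configuration posted by either participant. It assumes interface names fxp0/fxp1, that the three groups are the aligned networks 192.168.0.0/26, 192.168.0.64/27 and 192.168.0.96/28, and that the allowed-site lists live in /etc/pf/sites_a and /etc/pf/sites_b (one host or address per line, resolved when the tables are loaded).

```pf
# Constructed example: per-subnet web access enforced with pf tables.
# Filtering happens "in on $lan", i.e. before NAT rewrites the source,
# so the group tables can be matched; the "out on $wan" rule stays generic.
wan = "fxp0"            # assumed external interface
lan = "fxp1"            # assumed internal interface
web = "{ 80, 443 }"

# client groups (assumed aligned network boundaries)
table <grp_a> { 192.168.0.0/26 }
table <grp_b> { 192.168.0.64/27 }
table <grp_c> { 192.168.0.96/28 }

# allowed destinations per group, loaded from files (assumed paths);
# reload with: pfctl -t sites_a -T replace -f /etc/pf/sites_a
table <sites_a> persist file "/etc/pf/sites_a"
table <sites_b> persist file "/etc/pf/sites_b"

# NAT is applied to traffic leaving $wan, after the inbound $lan rules ran
nat on $wan from $lan:network to any -> ($wan)

# default: no web access from the LAN; later pass rules override (last match wins)
block in log on $lan proto tcp from $lan:network to any port $web

pass in on $lan proto tcp from <grp_a> to <sites_a> port $web keep state
pass in on $lan proto tcp from <grp_b> to <sites_b> port $web keep state
pass in on $lan proto tcp from <grp_c> to any       port $web keep state

# on $wan the source is already ($wan), so per-group matching is impossible here
pass out on $wan proto tcp from ($wan) to any port $web keep state
```

Check what actually loaded with pfctl -sr -vv (rule counters show which pass rule each group is hitting) and pfctl -t sites_a -T show; a group whose counters never move while the block rule's do is the same symptom as the original table-vs-"any" mismatch, and usually means the table holds addresses on the wrong side of NAT.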