Sunday, November 9, 2003, 3:59:35 PM, you wrote:

fh> i am trying to configure a LAN for web surfing only thru squid.
fh> the LAN is a school, i don't want kids going to phony pages.
fh> right now i have some regexp files for squid to filter urls.
fh> this is not a transparent proxy, just a plain squid proxy.
fh> i was thinking that i simply block everything except 3128
fh> and ssh. is this reasonable?

As long as you don't need DNS resolves for your ssh, that's fine.

fh>         +-------+      +------+   +------+
fh> LAN--ne1|openbsd|rl0---|linux1|---|linux2|---internet
fh>         +-------+      +------+   +------+
fh>
fh> here is a ruleset i came up with after reading pf.conf and a
fh> couple of hours of trial and error. it seems to work fine, except that
fh> i can't ssh now outside. i read my mail on linux2 and have a couple of
fh> shell accounts elsewhere... linux1 is doing nat, so it is enough for me
fh> to get to linux1.

As rl0 is 192.168.0.3, I assume that linux1 knows only how to route to 192.168.0.0/24 but not to 192.168.3.0/24 (which is required to route the packets back to your LAN). Add rl0 as next-hop from linux1 and you should be fine (if you don't need DNS for your ssh). If you want to ssh to the internet, you'll need some more work on the linux box (or let openbsd do the NAT already).

-- 
Best regards,
Max                            mailto:[EMAIL PROTECTED]
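The ruleset fh mentions is not included in the thread. The pf.conf below is an added example of the policy being discussed (default deny on the OpenBSD box, with the squid port and ssh as the only exceptions); it is not the poster's ruleset and not Max's. The interface names ne1/rl0, the rl0 address 192.168.0.3 and the networks 192.168.0.0/24 and 192.168.3.0/24 come from the thread; the LAN sitting on ne1 as 192.168.3.0/24, squid listening on the OpenBSD box itself at 192.168.3.1, and the `keep state` spelling of the era are assumptions.

```pf
# Added example pf.conf for the school LAN in the thread (not the poster's own).
# Assumed topology: LAN 192.168.3.0/24 on ne1, rl0 = 192.168.0.3 towards linux1,
# squid on this box listening on ne1's address (192.168.3.1 is a placeholder).
ext_if = "rl0"
int_if = "ne1"
lan    = "192.168.3.0/24"
proxy  = "192.168.3.1"    # placeholder: ne1's address, where squid listens

set block-policy return
set skip on lo0

# Default deny in both directions; everything below is an explicit exception.
block all
antispoof for $int_if inet

# Clients may only reach the squid proxy (port 3128) for web access.
pass in  on $int_if inet proto tcp from $lan to $proxy port 3128 keep state

# ssh from the LAN outward, on both interfaces the packet crosses.
# Without the DNS rules further down this only works when ssh is given an
# IP address, which is the caveat in the reply above.
pass in  on $int_if inet proto tcp from $lan to any port 22 keep state
pass out on $ext_if inet proto tcp from $lan to any port 22 keep state

# Optional: DNS for the clients so that "ssh somehost" can resolve names.
# pass in  on $int_if inet proto udp from $lan to any port 53 keep state
# pass out on $ext_if inet proto udp from $lan to any port 53 keep state

# The proxy itself must fetch pages and resolve names on behalf of clients.
pass out on $ext_if inet proto tcp from $ext_if to any port { 80, 443 } keep state
pass out on $ext_if inet proto udp from $ext_if to any port 53 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The ruleset does not address the routing problem Max diagnoses: for replies to reach 192.168.3.0/24, linux1 still needs a route back through rl0, for example `ip route add 192.168.3.0/24 via 192.168.0.3` (or the older `route add -net 192.168.3.0/24 gw 192.168.0.3`), and linux1's NAT must cover the LAN prefix as well as 192.168.0.0/24.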