Re: PF: block out port 80 so that not allow clients in LAN to browse Internet via port 80

2007-09-25 Thread RW
On Tue, 25 Sep 2007 20:52:16 +0700
vuthecuong [EMAIL PROTECTED] wrote:

> Recently I used squid for a cache proxy configured to go to the internet
> through port 3128.
> But internet browsers in the LAN still connect to the Internet through port 80
> if the connection option of the browser is set to connect
> directly to the internet,
> not through the proxy server.
> So how can I block out port 80 so that LAN clients must go to the
> internet through port
> 3128 via the proxy server?
> Thanks in advance

Blocking a port with PF is really basic. If you have to ask, you would
be better off reading about PF first, before you do anything.

http://www.openbsd.org/faq/pf/index.html
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: PF: block out port 80 so that not allow clients in LAN to browse Internet via port 80

2007-09-25 Thread Mel
On Tuesday 25 September 2007 23:40:14 RW wrote:
> On Tue, 25 Sep 2007 20:52:16 +0700
> vuthecuong [EMAIL PROTECTED] wrote:
> > Recently I used squid for a cache proxy configured to go to the internet
> > through port 3128.
> > But internet browsers in the LAN still connect to the Internet through port 80
> > if the connection option of the browser is set to connect
> > directly to the internet,
> > not through the proxy server.
> > So how can I block out port 80 so that LAN clients must go to the
> > internet through port
> > 3128 via the proxy server?
> > Thanks in advance
>
> Blocking a port with PF is really basic. If you have to ask, you would
> be better off reading about PF first, before you do anything.
>
> http://www.openbsd.org/faq/pf/index.html

Well, he could block, but transparently doing it without annoying users is 
better(tm).

Vuthecuong, the following line will redirect traffic from the local net to 
port 80 on the internet to squid on port 3128:
rdr on $int_if proto tcp from $int_if:network to any port www -> \
   $int_addr port 3128

where $int_if is the internal interface, $int_addr the address on the internal 
interface squid listens on and $ext_if the external interface.

There's a full article on how to set this up, here:
http://www.benzedrine.cx/transquid.html
-- 
Mel


Re: PF: block out port 80 so that not allow clients in LAN to browse Internet via port 80

2007-09-25 Thread vuthecuong

Mel wrote:

> On Tuesday 25 September 2007 23:40:14 RW wrote:
> > On Tue, 25 Sep 2007 20:52:16 +0700
> > vuthecuong [1][EMAIL PROTECTED] wrote:
> > > Recently I used squid for a cache proxy configured to go to the internet
> > > through port 3128.
> > > But internet browsers in the LAN still connect to the Internet through port 80
> > > if the connection option of the browser is set to connect
> > > directly to the internet,
> > > not through the proxy server.
> > > So how can I block out port 80 so that LAN clients must go to the
> > > internet through port
> > > 3128 via the proxy server?
> > > Thanks in advance
> >
> > Blocking a port with PF is really basic. If you have to ask, you would
> > be better off reading about PF first, before you do anything.
> >
> > [2]http://www.openbsd.org/faq/pf/index.html
>
> Well, he could block, but transparently doing it without annoying users is
> better(tm).
>
> Vuthecuong, the following line will redirect traffic from the local net to
> port 80 on the internet to squid on port 3128:
> rdr on $int_if proto tcp from $int_if:network to any port www -> \
>    $int_addr port 3128
>
> where $int_if is the internal interface, $int_addr the address on the internal
> interface squid listens on and $ext_if the external interface.
>
> There's a full article on how to set this up, here:
> [3]http://www.benzedrine.cx/transquid.html

Thanks, Mel.
I learned that.
Thank you very much.

References

   1. mailto:[EMAIL PROTECTED]
   2. http://www.openbsd.org/faq/pf/index.html
   3. http://www.benzedrine.cx/transquid.html


Re: PF: block out port 80 so that not allow clients in LAN to browse Internet via port 80

2007-09-25 Thread RW
On Wed, 26 Sep 2007 00:15:36 +0200
Mel [EMAIL PROTECTED] wrote:


> Well, he could block, but transparently doing it without annoying
> users is better(tm).

It depends. 

If they are doing a lot of ftp downloading, you may want to force it to
go through squid, so it can be cached. And you can't really do that in
combination with http interception.

There is also the issue with interception that https will bypass squid,
which is a loophole if you want to monitor access, or block sites.
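
The two approaches discussed in this thread, side by side as a pf.conf fragment. This is an added example, not a ruleset posted by any participant; the interface names and the address are constructed placeholders, and the fragment is meant to be merged into an existing ruleset rather than loaded on its own.

```pf
# Constructed macros: substitute your own values.
int_if   = "em1"            # LAN-facing interface (assumed name)
ext_if   = "em0"            # Internet-facing interface (assumed name)
int_addr = "192.168.1.1"    # address on $int_if where squid listens (assumed)

# --- Variant A: transparent interception (the rdr rule from the thread) ---
# LAN connections to any port 80 are rewritten to squid on 3128.
# Squid itself must also be configured to accept intercepted requests.
rdr on $int_if inet proto tcp from $int_if:network to any port www \
    -> $int_addr port 3128

# rdr is applied before filtering, so the filter rule has to match the
# rewritten destination (squid), not the original web server.
# These pass rules matter when the rest of the ruleset defaults to block.
pass in quick on $int_if inet proto tcp from $int_if:network \
    to $int_addr port 3128 keep state

# Squid's own fetches leave from the firewall's external address.
pass out quick on $ext_if inet proto tcp from ($ext_if) \
    to any port { www, https } keep state

# Caveat raised in the thread: only port 80 is redirected. https (and ftp)
# from the LAN never reaches squid in this variant, so it is neither
# logged nor filtered there.

# --- Variant B: block direct access, require the configured proxy --------
# Use instead of Variant A: remove the rdr line above and enable the block
# rule below. Browsers must then be set to use $int_addr:3128, and their
# https requests travel through squid as CONNECT, closing the bypass.
#
# block return in quick on $int_if inet proto tcp from $int_if:network \
#     to any port { www, https }
#
# "block return" sends a TCP RST, so a misconfigured browser fails at once
# instead of hanging until timeout. The pass rules above still apply.
```

After editing, `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -sn` shows the translation rules that are active once it is loaded.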