I'm not sure how the ipfilter rules would look, but currently on all of my
gateways I'm using the following set of ipfw rules:
ipfw add 59000 fwd [IP_OF_PROXY],[PROXY_PORT] tcp from [FILTERED_NETWORK] to any 80 out xmit ed0
ipfw add 59001 fwd [IP_OF_PROXY],[PROXY_PORT] tcp from [FILTERED_NETWORK] to any 3128 out xmit ed0
ipfw add 59002 fwd [IP_OF_PROXY],[PROXY_PORT] tcp from [FILTERED_NETWORK] to any 8080 out xmit ed0
ipfw add 59003 allow tcp from [IP_OF_PROXY] to any 80 out xmit ed0
ipfw add 59004 allow tcp from [IP_OF_PROXY] to any 3128 out xmit ed0
ipfw add 59005 allow tcp from [IP_OF_PROXY] to any 8080 out xmit ed0
ipfw add 59006 deny tcp from [FILTERED_NETWORK] to any 80 out xmit ed0
ipfw add 59007 deny tcp from [FILTERED_NETWORK] to any 3128 out xmit ed0
ipfw add 59008 deny tcp from [FILTERED_NETWORK] to any 8080 out xmit ed0
I guess ipfilter can do the same thing. So the question now is to create a page
in the webGUI where the admin enters the IP address of the proxy server and the
port number, and chooses the network (usually LAN) which will be blocked from
direct access to the web, with all its HTTP traffic forwarded to the proxy server.
Now, regarding auto-disabling the set of rules if the proxy server is not
accessible: this can be done by just having a script run from cron at a defined
interval that connects to the proxy IP address on the specified port number. If
the connection is successful, that means the proxy server is alive and the set
of rules can be left alone (or entered again into the ipfw table if it was
removed previously); if not, the script removes that set of rules.
That's it.
Quoting Michael Mee <mm2001 at pobox dot com>:
> > I'm thinking of creating a patched version of m0n0wall that
> > will have SQUID+Dansguardian and maybe Bind running on it,
> >
> > Anyone willing to collaborate on that?
>
> Would it be better to put the effort into adding a transparent proxy hook
> into m0n0wall, which Manuel has already agreed he would add to the main
> release (
> http://m0n0.ch/wall/list-dev/?action=show_msg&actionargs[]=4&actionargs[]=67
> )?
>
> Of course that means running two boxes, one with m0n0wall and the other with
> the Squid/whatever proxy, but that's nice anyway in some scenarios... (esp
> if we can come up with a way to auto-disable the rule if the proxy stops
> responding - V2 :-)).
>
> cheers, michael
>
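As an added example (not m0n0wall's code and not the poster's own script), here is one way to write the cron job described above as a POSIX shell script that also generates the rule set, so the same script can feed a rules page and do the health check. Everything concrete in it is an assumption: a proxy at 192.168.1.2:3128, a filtered LAN of 192.168.1.0/24, the outside interface ed0 from the rules above, and a state file under /var/run. It deviates from the posted set in one point, explained in the comments: the allow rules for the proxy itself are numbered ahead of the fwd rules. It also adds a FAIL_MODE switch, because removing the whole set when the proxy dies (what the post describes) lets the LAN bypass the proxy; "closed" keeps the deny rules in place instead.

```shell
#!/bin/sh
# proxy-watch.sh: added example, not m0n0wall's or the poster's own code.
# Installs the ipfw rule set that sends the filtered network's web traffic to a
# proxy and, when run from cron, removes the forwarding while the proxy is not
# answering and puts it back once it is. Addresses, ports and the state path
# are assumed placeholders; override any of them in the environment.

PROXY_IP="${PROXY_IP:-192.168.1.2}"              # assumed proxy address
PROXY_PORT="${PROXY_PORT:-3128}"                 # assumed proxy port
FILTERED_NET="${FILTERED_NET:-192.168.1.0/24}"   # assumed LAN that must use the proxy
IFACE="${IFACE:-ed0}"                            # outside interface, as in the post
BASE="${BASE:-59000}"                            # first rule number of the set
PORTS="${PORTS:-80 3128 8080}"                   # ports redirected, as in the post
FAIL_MODE="${FAIL_MODE:-open}"                   # open: LAN goes direct while proxy is down (post's behaviour)
                                                 # closed: LAN web access stays denied instead
STATE="${STATE:-/var/run/proxy-watch.state}"     # assumed path; remembers whether the set is installed
IPFW="${IPFW:-ipfw}"                             # command used to drive ipfw (replaceable for testing)
PROBE="${PROBE:-probe_tcp}"                      # command used to test the proxy (replaceable for testing)

nports() { set -- $PORTS; echo $#; }

# emit_rules OFFSET ACTION...: one rule per port, numbered from BASE+OFFSET.
emit_rules() {
  n=$((BASE + $1)); shift
  for p in $PORTS; do
    echo "add $n $* $p out xmit $IFACE"
    n=$((n + 1))
  done
}

# Rule order differs from the post: the allow rules for the proxy itself go first,
# so that a proxy living inside FILTERED_NET does not have its own outbound HTTP
# matched by a fwd rule and handed straight back to itself.
allow_rules() { emit_rules 0 allow tcp from "$PROXY_IP" to any; }
fwd_rules()   { emit_rules "$(nports)" fwd "$PROXY_IP,$PROXY_PORT" tcp from "$FILTERED_NET" to any; }
deny_rules()  { emit_rules $((2 * $(nports))) deny tcp from "$FILTERED_NET" to any; }
all_rules()   { allow_rules; fwd_rules; deny_rules; }

# remove_rules RULES: ipfw delete takes a list of numbers; ones already gone only warn.
remove_rules() {
  "$IPFW" delete $(printf '%s\n' "$1" | cut -d' ' -f2) 2>/dev/null || true
}

# Delete before adding, so a rerun never leaves duplicate rules behind.
install_rules() {
  remove_rules "$(all_rules)"
  all_rules | while read -r rule; do "$IPFW" $rule || exit 1; done
}

# Plain TCP connect with a short timeout (nc if installed, else bash's /dev/tcp).
# A successful connect only shows that something listens on the port, not that
# the proxy is actually serving pages.
probe_tcp() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
  else
    bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

read_state()  { [ -r "$STATE" ] && cat "$STATE" || echo unknown; }
write_state() { echo "$1" > "$STATE"; }
note()        { logger -t proxy-watch "$*" 2>/dev/null || echo "proxy-watch: $*" >&2; }

# One cron tick: act only when the proxy's state has changed since the last tick.
watch_once() {
  if "$PROBE" "$PROXY_IP" "$PROXY_PORT"; then
    if [ "$(read_state)" != up ]; then
      install_rules && write_state up && note "proxy $PROXY_IP:$PROXY_PORT reachable, forwarding installed"
    fi
  elif [ "$(read_state)" != down ]; then
    case "$FAIL_MODE" in
      closed) remove_rules "$(fwd_rules)" ;;   # deny rules stay: LAN is blocked, not bypassing the proxy
      *)      remove_rules "$(all_rules)" ;;   # everything goes: LAN falls back to direct access
    esac
    write_state down && note "proxy $PROXY_IP:$PROXY_PORT unreachable, forwarding removed ($FAIL_MODE)"
  fi
}

case "${1:-}" in
  check) watch_once ;;                     # cron: * * * * * /usr/local/bin/proxy-watch.sh check
  rules) all_rules | sed 's/^/ipfw /' ;;   # print the set as ipfw commands (what a webGUI page would generate)
esac
```

`proxy-watch.sh rules` prints the nine `ipfw add` lines for review; `proxy-watch.sh check` is the cron entry. The state file is what keeps a healthy proxy from causing nine ipfw calls every minute, and because installation always deletes before adding, a stale or missing state file after a reboot costs one harmless reinstall rather than duplicate rules. The probe is a bare TCP connect, which a hung proxy process with an open listening socket will still pass; a stricter check would fetch a small page through the proxy.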