
just another confused poor soul (yet)



nice sunday to you all (depending on your timezone),
well, i have read that this mailing list tolerates jackasses like
me a little bit better.  please be patient with me, i am constructing
my first real firewall (openbsd 3.4-current).
i am trying to configure a LAN for web surfing only through squid.
the LAN is a school, i don't want kids going to phony pages.
right now i have some regexp files for squid to filter urls.
this is not a transparent proxy, just a plain squid proxy.
i was thinking that i simply block everything except 3128
and ssh.  is this reasonable?
        +-------+      +------+   +------+
LAN--ne1|openbsd|rl0---|linux1|---|linux2|---internet
        +-------+      +------+   +------+
here is a ruleset i came up with after reading pf.conf and a
couple of hours of trial and error.  it seems to work fine, except that
i can't ssh outside now.  i read my mail on linux2 and have a couple of
shell accounts elsewhere...  linux1 is doing nat, so it is enough for me
to get to linux1.
here's my pf.conf:
------------------
int_if="ne1"
ext_if="rl0"
int_net="192.168.3.0/24"
int_add="192.168.3.1"          # not referenced by any rule below
ext_add="192.168.0.3"          # not referenced by any rule below
icmp_types="echoreq"
# this is a satellite connection
set optimization high-latency
block all
pass quick on lo0 all
# no direction or interface given: matches ssh in and out on every interface
pass quick proto tcp to port ssh keep state
pass inet proto icmp all icmp-type $icmp_types keep state
# LAN clients reaching squid on the inside address
pass in on $int_if proto tcp from $int_net to $int_if port 3128 keep state
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto { udp, icmp } all keep state
------------------
-f
-- 
when i want your opinion i'll give it to you!
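
An added example, not from the original post or its author: the same ruleset with the ssh rule given a direction and an interface. As posted, `pass quick proto tcp to port ssh keep state` names neither, so it matches ssh in and out on every interface, including sessions arriving from the internet on rl0 to the firewall's own sshd, and `quick` stops any later rule from narrowing it. Assumptions: ssh sessions originate on the firewall or on the LAN and leave via rl0; `admin_host` is a placeholder for linux1's address, which the post does not give.

```pf
# Added example, not the poster's own config: the ruleset from the post with
# the ssh rule bound to a direction and an interface. Macros and addresses
# are the poster's; admin_host is an assumed placeholder.
int_if="ne1"
ext_if="rl0"
int_net="192.168.3.0/24"
icmp_types="echoreq"
admin_host="192.168.0.2"        # PLACEHOLDER: linux1's address is not in the post

set optimization high-latency   # satellite link, as in the post

block all                       # default deny, as in the post
pass quick on lo0 all

# WEAK, as posted: no direction and no interface, so it also admits ssh
# arriving from the internet on $ext_if to the firewall's own sshd.
#   pass quick proto tcp to port ssh keep state

# CORRECTED: ssh started on the firewall itself leaves on the external side
# only ($ext_if in address position expands to the interface's own address).
pass out on $ext_if proto tcp from $ext_if to any port ssh keep state

# CORRECTED: ssh started on the LAN is admitted on the inside and let out on
# the outside; this box does no NAT, so the source stays in $int_net on both legs.
pass in  on $int_if proto tcp from $int_net to any port ssh keep state
pass out on $ext_if proto tcp from $int_net to any port ssh keep state

# Optional: ssh INTO the firewall for administration, from one named host only,
# instead of from anywhere as the posted rule allowed.
pass in on $ext_if proto tcp from $admin_host to $ext_if port ssh keep state

# Unchanged from the post: icmp, LAN clients reaching squid, and everything
# the proxy itself sends out on the external side.
pass inet proto icmp all icmp-type $icmp_types keep state
pass in  on $int_if proto tcp from $int_net to $int_if port 3128 keep state
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto { udp, icmp } all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf expanded them, which makes the difference between the directionless rule and the bound ones visible.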