Re: Can pf be used this way?
Nope, this configuration works great, I just needed to
add a nat rule to force everyone to use the proxy
server.
--- Taufik <openbsd@admin.or.id> wrote:
> On Tue, 19 Mar 2002, Paul Fontenot wrote:
>
> > I have squid and pf running on the same box (my small
> > office gateway) and want to know if there is a rule I
> > can put in my pf.conf that will make all outbound web
> > traffic go through the proxy.
> >
> > Here is the /etc/pf.conf file:
> >
> > # Define useful variables
> > ExtIF="xl0" # External interface
> > IntNet="192.168.1.0/24" # My internal network
> > NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> > Services="{ ssh }"
> >
> > # Clean up fragmented and abnormal packets
> > scrub in on $ExtIF all
> >
> > # Don't allow anyone to spoof non-routable addresses
> > block in quick on $ExtIF from $NoRouteIPs to any
> > block in quick on $ExtIF from any to $NoRouteIPs
> >
> -----------------snips ................... :-)
>
> Maybe I'm wrong, but ...
>
> you define
> IntNet="192.168.1.0/24" # My internal network
>
> then after scrub you define
> > # Don't allow anyone to spoof non-routable addresses
> > block in quick on $ExtIF from $NoRouteIPs to any
> > block in quick on $ExtIF from any to $NoRouteIPs
>
> your IntNet is included in 192.168.0.0/16 ($NoRouteIPs),
> so that block in quick blocks it?
>
>
> Taufik
> mycroft@admin.or.id
> http://mycroft.sysadmin.or.id
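Added example, not part of the original thread: a small Python model of the two quoted `block in quick on $ExtIF` rules, showing that they match only packets arriving on the external interface, which is the point the question about `IntNet` and `$NoRouteIPs` turns on. The internal interface name `xl1` and the sample packets are constructed assumptions; NAT and state handling are not modelled.

```python
import ipaddress

# Values copied from the quoted pf.conf
EXT_IF = "xl0"
INT_NET = ipaddress.ip_network("192.168.1.0/24")
NO_ROUTE = [ipaddress.ip_network(n, strict=False) for n in
            ("127.0.0.1/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# The two anti-spoofing rules as (direction, interface, from, to)
RULES = [
    ("in", EXT_IF, NO_ROUTE, ANY),   # block in quick on $ExtIF from $NoRouteIPs to any
    ("in", EXT_IF, ANY, NO_ROUTE),   # block in quick on $ExtIF from any to $NoRouteIPs
]

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def blocked(direction, iface, src, dst):
    """True if one of the two quoted block rules matches this packet."""
    for r_dir, r_if, r_from, r_to in RULES:
        if (direction == r_dir and iface == r_if
                and in_any(src, r_from) and in_any(dst, r_to)):
            return True  # 'quick': the first matching rule decides
    return False

def intnet_overlaps_noroute():
    """IntNet does fall inside one of the $NoRouteIPs ranges."""
    return any(INT_NET.subnet_of(n) for n in NO_ROUTE)

# Constructed sample packets; "xl1" is a hypothetical internal interface name
PACKETS = [
    ("in", "xl1", "192.168.1.10", "203.0.113.80"),  # LAN client, internal side
    ("in", "xl0", "192.168.1.10", "203.0.113.80"),  # same source seen on xl0: spoofed
    ("in", "xl0", "198.51.100.7", "203.0.113.1"),   # public source, public destination
]

if __name__ == "__main__":
    print("IntNet inside $NoRouteIPs:", intnet_overlaps_noroute())
    for pkt in PACKETS:
        print(pkt, "->", "block" if blocked(*pkt) else "no match")
```
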