Subject: Filtering port 80 based on OSI layer 1
To: None <netbsd-users@netbsd.org>
From: Chris Lloyd <strawberry@toth.org.uk>
List: netbsd-users
Date: 04/11/2003 15:10:42
Hiya,

I'm trying to do something which is probably slightly odd (and may not be
possible). Please bear with me :)

I work at a university college, which has a library with these types of
computer in it:

 (a) library computers
 (b) brought in student computers (laptops)
 (c) college computers

The librarian wants to block hotmail on types (a) and (b) but not (c).
(a) and (c) have static IP addresses, but (b) have dynamic addresses from a
pool allocated by central university services.

All three types of computer are on the same subnet, and I don't want to change
that unless there's absolutely no other way.

I do know physically where each of the three types of machine enter the
switch (which is vlan capable) which then connects by fibre to the backbone.

I was thinking of dividing up the switch into two vlans, restricted and
unrestricted, plugging the right cables into the right places, then having
something like a Soekris machine (with its three ethernet ports) doing some
sort of cunning filtering thing based on bridge(4), ipnat(4) and squid.

The machine I'm trying to test this system with has three network cards in it.

fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
fxp1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
fxp2: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
bridge0: flags=41<UP,RUNNING> mtu 1500

The three interfaces are all added to the bridge.

At this point I was hoping to be able to do:

rdr fxp1 0/0 port 80 -> 192.168.1.1 port 8080 tcp
rdr fxp2 0/0 port 80 -> 192.168.1.1 port 8081 tcp

and have squid listening on ports 8080 and 8081 and restricting or allowing
based on incoming port.

Except ipnat doesn't seem to like doing that (and I'm not sure I blame it,
since there isn't really any IP on fxp1 or fxp2; it's on fxp0 instead).

So is there a way forward? Are my ipnat rules just wrong?

Thanks in advance,

 - Chris

--
strawberry@toth.org.uk
http://www.toth.org.uk/~strawberry
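
The "squid listening on two ports and deciding by incoming port" half of the design, written out as a squid.conf fragment. This is an added example, not configuration from the original post or from the NetBSD project. The listener ports 8080/8081 and the 192.168.1.1 address are taken from the post; the "intercept" keyword is Squid 3.1+ syntax (Squid 2.x/3.0 spell it "transparent"), the 192.168.1.0/24 client range and the exact hotmail domain list are assumptions to be adjusted to the real site.

```conf
# Added example (not from the original post): squid.conf fragment that
# applies the "restrict by incoming port" idea to the two-VLAN bridge.
# Assumption: Squid 3.1+ ("intercept"); older Squid uses "transparent".

# One listener per VLAN. The ipnat rdr rules send the restricted VLAN's
# port-80 traffic to 8080 and the unrestricted VLAN's to 8081.
http_port 192.168.1.1:8080 intercept   # restricted: library PCs + student laptops
http_port 192.168.1.1:8081 intercept   # unrestricted: college machines

# myport matches the local TCP port the client connection arrived on, so
# after the rdr it encodes which VLAN the client is plugged into.
acl restricted_port   myport 8080
acl unrestricted_port myport 8081

# Domains to block on the restricted side. ".hotmail.com" is the obvious
# one; add whatever else the login flow actually touches (assumption:
# verify against real traffic in the cache log before trusting this).
acl hotmail dstdomain .hotmail.com

# Assumption: the client addresses seen on the bridge fall in this range.
acl localnet src 192.168.1.0/24

# Order matters: the deny must come before the general allow.
http_access deny  restricted_port hotmail
http_access allow localnet
http_access deny  all
```

Two caveats worth checking before relying on this: only port 80 is redirected, so anything the site moves to HTTPS (port 443) passes straight across the bridge untouched unless it is filtered separately at the packet level, and the intercept listeners should be reachable only from the bridge, since an intercept port that accepts ordinary forward-proxy requests from elsewhere is an open proxy.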