Subject: Re: Filtering port 80 based on OSI layer 1
To: None <>
From: David S. <>
List: netbsd-users
Date: 04/11/2003 12:52:59
> I work at a university college, which has a library with these types of
> computer in it:
>  (a) library computers
>  (b) brought in student computers (laptops)
>  (c) college computers
> The librarian wants to block hotmail on types (a) and (b) but not (c)
> (a) and (c) have static IP addresses, but (b) have dynamic addresses from a
> pool allocated by central university services.
> All three types of computer are on the same subnet, and I don't want to change
> that unless there's absolutely no other way.
> I do know physically where each of the three types of machine enter the
> switch (which is vlan capable) which then connects by fibre to the backbone.
> At this point I was hoping to be able to do:
> rdr fxp1 0/0 port 80 -> port 8080 tcp
> rdr fxp2 0/0 port 80 -> port 8081 tcp
> and have squid listening on ports 8080 and 8081 and restricting or allowing
> based on incoming port.

You might be able to get this to work on -current, which seems now to 
allow filtering on a transparent bridge, at least if I read options(4) 

     options BRIDGE_IPF
     This option causes bridge devices to use the IP and/or IPv6 filtering
     hooks, forming a link-layer filter that uses protocol-layer rules.  This
     option assumes the presence of pseudo-device ipfilter.

But I haven't actually tried it, so ...

David S.
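As an added example (not from either poster, and not tested on -current), here is how the per-interface redirect described in the quoted message could be paired with a Squid configuration that decides by arrival port. The interface names fxp1/fxp2, the proxy address 192.0.2.1, the client subnet 192.0.2.0/24 and the port names are constructed; the Squid directives assume a version that supports `http_port ... intercept` and `myportname` (Squid 3.1 or later), which is newer syntax than the 2003 httpd_accel options.

```conf
# /etc/ipnat.conf (constructed example)
# Packets for TCP/80 arriving on fxp1 (library and student machines)
# are sent to Squid on 8080; those arriving on fxp2 (college machines)
# go to 8081. ipnat rdr needs an explicit target address after "->".
rdr fxp1 0.0.0.0/0 port 80 -> 192.0.2.1 port 8080 tcp
rdr fxp2 0.0.0.0/0 port 80 -> 192.0.2.1 port 8081 tcp

# /etc/squid/squid.conf (constructed example)
# One intercepting listener per ingress interface; "name=" lets the
# ACLs below tell them apart without relying on client IP addresses,
# which is what makes the dynamically addressed laptops manageable.
http_port 8080 intercept name=restricted
http_port 8081 intercept name=unrestricted

acl localnet        src 192.0.2.0/24
acl restricted_port myportname restricted
acl hotmail         dstdomain .hotmail.com

# Deny Hotmail only to connections that arrived via the restricted port.
http_access deny  restricted_port hotmail
http_access allow localnet
http_access deny  all
```

Two things to check before relying on this: the rdr rules only catch plain HTTP on port 80, so any path to the same site over 443 or to a literal IP address bypasses the dstdomain ACL entirely; and because the decision is made by physical ingress interface, the policy is only as good as the switch port assignment, so a laptop plugged into a college-side port inherits the unrestricted policy.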