Subject: Re: Filtering port 80 based on OSI layer 1
To: None <firstname.lastname@example.org>
From: David S. <email@example.com>
Date: 04/11/2003 12:52:59
> I work at a university college, which has a library with these types of
> computer in it:
> (a) library computers
> (b) brought in student computers (laptops)
> (c) college computers
> The librarian wants to block hotmail on types (a) and (b) but not (c)
> (a) and (c) have static IP addresses, but (b) have dynamic addresses from a
> pool allocated by central university services.
> All three types of computer are on the same subnet, and I don't want to change
> that unless there's absolutely no other way.
> I do know physically where each of the three types of machine enter the
> switch (which is vlan capable) which then connects by fibre to the backbone.
> At this point I was hoping to be able to do:
> rdr fxp1 0/0 port 80 -> 192.168.1.1 port 8080 tcp
> rdr fxp2 0/0 port 80 -> 192.168.1.1 port 8081 tcp
> and have squid listening on ports 8080 and 8081 and restricting or allowing
> based on incoming port.
You might be able to get this to work on -current, which seems now to
allow filtering on a transparent bridge, at least if I read options(4)
This option causes bridge devices to use the IP and/or IPv6 filtering
hooks, forming a link-layer filter that uses protocol-layer rules. This
option assumes the presence of pseudo-device ipfilter.
But I haven't actually tried it, so ...