Subject: Re: Filtering port 80 based on OSI layer 1
To: None <netbsd-users@netbsd.org>
From: David S. <davids@idiom.com>
List: netbsd-users
Date: 04/11/2003 12:52:59
>
> I work at a university college, which has a library with these types of
> computer in it:
>
> (a) library computers
> (b) brought in student computers (laptops)
> (c) college computers
>
> The librarian wants to block hotmail on types (a) and (b) but not (c).
> (a) and (c) have static IP addresses, but (b) have dynamic addresses from a
> pool allocated by central university services.
>
> All three types of computer are on the same subnet, and I don't want to change
> that unless there's absolutely no other way.
>
> I do know physically where each of the three types of machine enter the
> switch (which is VLAN-capable), which then connects by fibre to the backbone.
>
...
>
> At this point I was hoping to be able to do:
>
> rdr fxp1 0/0 port 80 -> 192.168.1.1 port 8080 tcp
> rdr fxp2 0/0 port 80 -> 192.168.1.1 port 8081 tcp
>
> and have squid listening on ports 8080 and 8081 and restricting or allowing
> based on incoming port.
You might be able to get this to work on -current, which seems now to
allow filtering on a transparent bridge, at least if I read options(4)
correctly:
...
options BRIDGE_IPF
This option causes bridge devices to use the IP and/or IPv6 filtering
hooks, forming a link-layer filter that uses protocol-layer rules. This
option assumes the presence of pseudo-device ipfilter.
...
But I haven't actually tried it, so ...
David S.
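Added example, not part of either poster's message and not something either of them reports having run: a sketch of how the pieces discussed above would fit together on a NetBSD -current box built with BRIDGE_IPF, with ipnat picking the squid port by interface of arrival and squid telling the two groups apart with its "myport" ACL. The two rdr lines, the interfaces fxp1/fxp2, the proxy address 192.168.1.1 and the ports 8080/8081 come from the quoted question; everything else is assumed: fxp0 as the backbone-facing member carrying the college machines (c), the ACL names, the hotmail domain list, that the bridge hooks run ipnat as well as ipf, and that the "on fxp1"/"on fxp2" interface match applies to bridged frames. Whether an rdr on a bridge is enough to make the kernel hand the rewritten packet to the local squid is exactly the part the reply says is untried.

```conf
## Kernel side, per the options(4) text quoted in the reply:
##     options BRIDGE_IPF
##     pseudo-device ipfilter
##     pseudo-device bridge
## Bridge side, typed as root (brconfig's "ipf" flag turns the hooks on):
##     ifconfig bridge0 create
##     brconfig bridge0 add fxp0 add fxp1 add fxp2 up
##     brconfig bridge0 ipf
## Assumed wiring: fxp0 to the backbone fibre (and the college machines (c)),
## fxp1 to the library PCs (a), fxp2 to the student laptops (b).

## /etc/ipnat.conf -- the two rdr lines from the question.  Only the
## interface a SYN arrives on decides which squid port it lands on, so the
## laptops' dynamic addresses never matter.
rdr fxp1 0.0.0.0/0 port 80 -> 192.168.1.1 port 8080 tcp
rdr fxp2 0.0.0.0/0 port 80 -> 192.168.1.1 port 8081 tcp

## /etc/ipf.conf -- ipnat rewrites inbound packets before ipf sees them, so
## the pass rules match the redirected flows.  A port 80 packet still seen
## on fxp1/fxp2 means the redirect did not happen (ipnat not loaded, rules
## not reloaded); drop and log it rather than let it bypass the proxy.
pass in quick on fxp1 proto tcp from any to 192.168.1.1 port = 8080 flags S keep state
pass in quick on fxp2 proto tcp from any to 192.168.1.1 port = 8081 flags S keep state
block in log quick on fxp1 proto tcp from any to any port = 80
block in log quick on fxp2 proto tcp from any to any port = 80
pass in all
pass out all

## squid.conf (Squid 2.5 era; relevant lines only).  The httpd_accel_*
## lines are what 2.5 needs for transparent interception; Squid 2.6 spells
## the same thing "http_port 8080 transparent" and 3.x "intercept".
http_port 8080
http_port 8081
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

## "myport" matches the local port the client connection arrived on, so
## one squid tells the two restricted groups apart without any client IPs.
acl library_pcs myport 8080
acl student_laptops myport 8081
## Assumed domain list; hotmail's login hosts of the day must be checked.
acl hotmail dstdomain .hotmail.com .passport.com
acl webports port 80 443

http_access deny library_pcs hotmail
http_access deny student_laptops hotmail
http_access allow webports
http_access deny all
```

Reload with "ipnat -CF -f /etc/ipnat.conf" and "ipf -Fa -f /etc/ipf.conf", then watch "ipnat -l" for the rdr mappings and the ipf log for port 80 hits on fxp1/fxp2: a steady stream of blocked port 80 packets there means the redirect is not taking effect on the bridge and the proxy is being bypassed rather than enforced. Squid only blocks plain HTTP this way; HTTPS on 443 is not redirected by the rdr lines and would have to be handled separately.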