On 2006/09/10 10:54, steve szmidt wrote:
> > > Since pflog0 tells me which rule was used I only include that rule. The
> > > first one is working and 2nd not.
> > >
> > > pass out log on $WAN proto tcp from any to any port $Web keep state
> >
> > Oh, I thought you were putting the addresses in there (instead of
> > loading from a table), not "any".
>
> I was until I finally got it that the rules are looking at IPs after, not
> before, NAT. :)

Well, the same applies when you use tables :)

> > If you prefer simpler and lower resource-use and don't need
> > caching, tinyproxy works nicely.
>
> I'm not sure how fine grained the control is. It needs to define allowed
> sites for different user groups (by IP). Something like this:
> 192.168.0.0/26 can access (list of web sites)
> 192.168.0.65/27 can access (list of web sites)
> 192.168.0.97/28 can access (any web site)

You can do it with a couple of copies running and some creative
configuration (rdr to different instances of tinyproxy depending on
source address and abusing upstream proxy support), but for more complex
needs squid's probably easier. Or of course httpd has mod_proxy and is
in base and is somewhere between the two in terms of config flexibility.
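A pf.conf sketch of the rdr-per-group arrangement suggested above, written as an added example (not from the thread or the tinyproxy project) in the pre-4.7 nat/rdr syntax the thread's own rule uses. Interface names, the three local proxy ports, and each tinyproxy instance having its own Allow/Filter site list are assumptions; the post's 192.168.0.65/27 and 192.168.0.97/28 have host bits set, so their network addresses 192.168.0.64/27 and 192.168.0.96/28 are used.

```pf
# Added example, not from the thread. Macros below are assumed names.
wan_if   = "pxn0"        # assumed external interface
lan_if   = "em0"         # assumed internal interface
web_port = "80"          # the thread's $Web
proxy    = "127.0.0.1"   # tinyproxy instances run on the firewall itself

# One table per user group; membership is by source IP, as in the post.
table <grp_list_a> { 192.168.0.0/26 }    # gets its own allowed-site list
table <grp_list_b> { 192.168.0.64/27 }   # gets a different allowed-site list
table <grp_any>    { 192.168.0.96/28 }   # any web site

# Translation runs before filtering, so anything that must see the
# client's real address goes on $lan_if, not $wan_if (the thread's
# lesson: rules on $WAN see post-NAT addresses).
# Each group is steered to its own tinyproxy instance (assumed ports);
# that instance's Allow/Filter config enforces the group's site list.
rdr on $lan_if proto tcp from <grp_list_a> to any port $web_port \
    -> $proxy port 8081
rdr on $lan_if proto tcp from <grp_list_b> to any port $web_port \
    -> $proxy port 8082
rdr on $lan_if proto tcp from <grp_any>    to any port $web_port \
    -> $proxy port 8083

nat on $wan_if from $lan_if:network to any -> ($wan_if)

block log all

# Filtering sees the post-rdr destination, so let the redirected
# connections reach the local proxy ports.
pass in on $lan_if proto tcp from $lan_if:network to $proxy \
    port { 8081, 8082, 8083 } keep state

# Only the proxies (sourced from the firewall's own address) may open
# web connections outbound; a client that bypasses the proxy hits
# "block log all" and is visible on pflog0, as with the thread's rule.
pass out log on $wan_if proto tcp from ($wan_if) to any \
    port $web_port keep state
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it; the tinyproxy site lists themselves live in each instance's own configuration and are not shown here.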