I second using PF and transparent squid. It works extremely well and  
is pretty much foolproof.

This is what I use at work and it's blocking sites by domain name,
regex matching, flash videos, mp3 sites and also limiting filetype
downloads.

The interesting bit of squid.conf is here:


acl adclick dstdomain .doubleclick.net .valueclick.net .falkag.net .doubleclick.com .mediaplex.com .adbrite.com .linksynergy.com .adengage.com .yieldmanager.com .falkag.de
acl adclick dstdomain pagead2.googlesyndication.com .adlog.com .tribalfusion.com .intellitxt.com .fastclick.net .burstnet.com .casalemedia.com .atwola.com .serving-sys.com .atdmt.com .msads.net .blogads.com .overture.com .advertising.com .chitika.net .247realmedia.com .veoh.com .fmpub.net .adinterax.com .snap.com

http_access deny adclick

acl adminpc1 src 172.29.100.100/255.255.255.255
acl adminpc2 src 172.29.100.146/255.255.255.255
acl adminwsus src 172.29.100.30/255.255.255.255
acl blockfiles urlpath_regex \.flv(\?.*)?$ \.mp3(\?.*)?$ \.wmv(\?.*)?$ \.avi(\?.*)?$ \.mov(\?.*)?$ \.zip(\?.*)?$ \.exe(\?.*)?$ \.cab(\?.*)?$ \.vbs(\?.*)?$
http_access deny blockfiles !adminpc1 !adminpc2 !adminwsus

acl adregex dstdom_regex -i (^)ads\. (^)ad1\. (^)ad2\. (^)adserver\. (^)ad\. (^)ads1\. (^)ads2\.
http_access deny adregex

acl afterwork time MTWHF 18:00-22:10
acl streaming rep_mime_type -i ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1 ^video/x-flv ^video/flv ^video/mpeg ^video/x-ms-wvx ^video/x-ms-wmv ^video/vnd.divx ^video/quicktime

http_reply_access deny streaming !afterwork !adminpc1 !adminpc2



It pretty much stops all streaming video. The only hole that there is  
is due to the transparent proxy and the fact that it has to let  
through https unfiltered. Luckily I've not found any sites that use  
https yet that I want to block... It doesn't block all ads either but  
it does get most of the ones from the sites I look at ;)

These rules have changed my bandwidth usage from nearly 100%  
saturation to a much more reasonable 25-40%.

Hope this might be of interest to someone.


Oh yeah, one last thing. To stop IE6/IE7 from throwing a strop and
putting stupid errors in pages, replace the file:
/usr/local/share/squid/errors/English/ERR_ACCESS_DENIED

with:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<!-- Generated %T by %h (%s) -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
<!-- abcdefghijklmnopqrstuvwxyz12345678 -->
</body>
</html>


I think I might have gone a bit overboard with this reply.... ah
well. To answer the original email you could also just use a standard
pf block command.


Cheers - Nick



On 18 Apr 2007, at 08:13, Siju George wrote:

> On 4/18/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> I run an openbsd firewall.  I want to block certain sites either by IP
>> address or by domain name.  How do I get more information on how to set
>> this up?
>>
>
> I use Squid Cache proxy because you can block by URLs, URL regular
> expression, users, computers etc. There are lots of redirector
> programs that provide more functionality if you are looking for more
> than blocking by IP or domain name
>
> http://www.squid-cache.org/related-software.html
>
> Squid is available both in packages and ports :-)
>
> kind Regards
>
> Siju
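Added example, not part of the thread: a small offline checker that re-implements the matching semantics of the three deny rules quoted above (dstdomain, urlpath_regex without -i, dstdom_regex -i) so the ACL patterns can be tested against sample URLs before reloading Squid. The domain list is abbreviated, the sample URLs are constructed, and the semantics are a close approximation of Squid's rather than its own code.

```python
import re
from urllib.parse import urlsplit

# ACL entries transcribed from the squid.conf fragment in the reply (adclick list abbreviated).
ADCLICK_DOMAINS = [".doubleclick.net", ".valueclick.net", "pagead2.googlesyndication.com",
                   ".atdmt.com", ".overture.com"]
BLOCKFILES_PATTERNS = [r"\.flv(\?.*)?$", r"\.mp3(\?.*)?$", r"\.wmv(\?.*)?$", r"\.avi(\?.*)?$",
                       r"\.mov(\?.*)?$", r"\.zip(\?.*)?$", r"\.exe(\?.*)?$", r"\.cab(\?.*)?$",
                       r"\.vbs(\?.*)?$"]
ADREGEX_PATTERNS = [r"(^)ads\.", r"(^)ad1\.", r"(^)ad2\.", r"(^)adserver\.", r"(^)ad\.",
                    r"(^)ads1\.", r"(^)ads2\."]
# Source addresses exempted from the blockfiles rule (adminpc1, adminpc2, adminwsus).
ADMIN_SRC = {"172.29.100.100", "172.29.100.146", "172.29.100.30"}


def dstdomain_match(host, entry):
    """Squid dstdomain semantics: an entry with a leading dot matches the domain itself
    and every subdomain; an entry without a leading dot matches that exact host only."""
    host = host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def http_access(url, src_ip):
    """Return the name of the first deny rule that would fire for this request, or None.
    Rules are evaluated in the order of the http_access lines: adclick, blockfiles, adregex."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # urlpath_regex is matched against the path plus query string, hence the (\?.*)?$ tails.
    urlpath = parts.path + ("?" + parts.query if parts.query else "")
    if any(dstdomain_match(host, d) for d in ADCLICK_DOMAINS):
        return "adclick"
    # No -i on urlpath_regex, so the match is case-sensitive: "Setup.EXE" is not caught.
    if src_ip not in ADMIN_SRC and any(re.search(p, urlpath) for p in BLOCKFILES_PATTERNS):
        return "blockfiles"
    # dstdom_regex -i: case-insensitive match against the destination host name.
    if any(re.search(p, host, re.IGNORECASE) for p in ADREGEX_PATTERNS):
        return "adregex"
    return None


if __name__ == "__main__":
    # Constructed sample requests from a non-admin client and from adminwsus.
    for url, ip in [("http://ad.doubleclick.net/adj/x", "172.29.100.5"),
                    ("http://example.com/video.flv?x=1", "172.29.100.5"),
                    ("http://example.com/video.flv?x=1", "172.29.100.30"),
                    ("http://ads.example.org/banner.gif", "172.29.100.5"),
                    ("http://example.com/Setup.EXE", "172.29.100.5")]:
        print(url, ip, "->", http_access(url, ip))
```

The last sample shows the gap a practitioner would want to close: adding -i to the blockfiles ACL (or listing both cases) is what makes the file-type rule match regardless of case.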
