# How to restrict Internet access for only one NAT user?



## cracker1985 (Feb 11, 2014)

Hello everyone,

How can I restrict Internet access for only one NAT user, except for some web sites? For example: for one user only, every web site should be blocked except domain.com. And where should the new code be pasted?

This is my pf.conf:

```
ext_if="em0"
ext_ip="x.x.x.x"
int_if="vr0"
sync_if="msk0"
vlan1000_if="vlan1000"
safe_ports="{ 53,8080,22,8140 }"
safe_nat_ports="{ 110,25,143,993,443,587,465,995,3000,389,21,20,53,161 }"
table <clients> persist file "/etc/clients.conf"

scrub in all
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from 192.168.99.128/25 to any port $safe_nat_ports -> $ext_if
nat on $ext_if from 12.0.0.0/21 to any port $safe_nat_ports -> $ext_if
nat on $ext_if from <clients> to any -> $ext_ip
anchor "ftp-proxy/*"

pass in all
# block outbound SMB on the external interface (the macro needs the "$", "on ext_if" alone is a typo)
block out quick on $ext_if proto tcp to port 445
block out quick on $ext_if proto udp to port 445
pass out all
antispoof quick for { lo $int_if }

# allow pfsync over the internal nics connected by a cross cable
pass quick on $sync_if proto pfsync
pass quick on $int_if proto carp
pass quick on $ext_if proto carp
pass quick on $vlan1000_if proto carp
#pass in quick on $ext_if proto tcp to ($ext_if) port 5631
pass in quick on $int_if proto tcp to 12.0.0.1 port 53
pass in quick on $int_if proto udp to 12.0.0.1 port 53
pass in quick on $int_if proto tcp to 12.0.0.1 port 8080
pass in quick on $int_if inet proto icmp all
pass in quick on $ext_if inet proto icmp all
pass in quick on $vlan1000_if inet proto icmp all
```
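As an added example (not from the thread or its posters), here is the pf.conf fragment that answers the question as asked, within the limits of what pf can do. Assumptions: the restricted client is 192.168.99.130 (a constructed address inside the 192.168.99.128/25 range the ruleset already NATs), it uses the gateway resolver at 12.0.0.1 that the ruleset already opens on port 53, and the only permitted site is domain.com (the name from the question). Note that pf filters on addresses, not hostnames: names in a table are resolved once when the ruleset is loaded, so a site served from many or changing addresses is better handled by a proxy, as the replies suggest.

```conf
# Added example, not the original poster's ruleset.
# Put these lines next to the existing filter rules (after the nat rules);
# the "pass ... quick" rules must come before the "block ... quick" rule.
restricted_host = "192.168.99.130"          # assumption: the one client to limit

# Resolved when the ruleset is loaded; check with: pfctl -t allowed_sites -T show
table <allowed_sites> { domain.com www.domain.com }

# The client may still talk to the gateway resolver (assumption: 12.0.0.1 is its DNS)
pass in quick on $int_if proto { tcp, udp } from $restricted_host to 12.0.0.1 port 53
# Web traffic to the allowed site only
pass in quick on $int_if proto tcp from $restricted_host to <allowed_sites> port { 80, 443 }
# Everything else from that host is dropped; "quick" makes this the final match
# even though "pass in all" matches earlier in the file
block in quick on $int_if from $restricted_host to any
```

Test the combined file with `pfctl -nf /etc/pf.conf` before loading it. The filter is applied on $int_if before NAT rewrites the source address, so the client's real address is what the rules see.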


----------



## abishai (Feb 13, 2014)

*Re: How to restrict Internet access for only one NAT user*

I think a proxy server is more suitable for such a limitation, and your pf.conf looks very strange....


----------



## ShelLuser (Feb 13, 2014)

*Re: How to restrict Internet access for only one NAT user*

Just want to chime in with @abishai here. Setting up a NAT gateway won't suffice, because the best you can do is limit things on a per-IP-address basis. But one computer can have multiple users, so it would still allow people to access the Internet.

Another advantage is that a proxy server (my personal favourite being www/squid) also provides authentication schemes (usable on a per-user basis) and usually also filtering options, which can sometimes be linked to said authentication schemes. And that allows you to limit access to specific websites.
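As an added example of the per-user approach described above (not the poster's configuration), here is a squid.conf fragment that ties a destination filter to proxy authentication. Assumptions: Squid 3.x from the FreeBSD www/squid port, basic authentication with an htpasswd-style file, a user named "restricted", and domain.com as the only site that user may reach; the helper path and file names are assumptions, not taken from the thread.

```conf
# Added example, not the poster's or the Squid project's configuration.
# Basic auth against a password file (assumed paths for the FreeBSD port)
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic realm Proxy

acl authed          proxy_auth REQUIRED      # any user who logs in
acl restricted_user proxy_auth restricted    # assumption: the limited account
acl allowed_sites   dstdomain  .domain.com   # leading dot also matches subdomains

# First matching http_access line wins; "allow a b" requires both ACLs to match
http_access allow restricted_user allowed_sites
http_access deny  restricted_user
http_access allow authed
http_access deny  all
```

Since the decision is made on the authenticated user rather than the client address, it holds even when several people share one machine. For the filter to be effective the NAT gateway must not also pass clients straight out on ports 80 and 443; the original ruleset's `pass in quick on $int_if proto tcp to 12.0.0.1 port 8080` line suggests a proxy listener may already exist there, which would be the natural place to run this.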


----------

