Squid (not transparent) bypasses firewall
-
System:
- pfSense 2.6.0
- LAN 192.168.1.0/24 (bridge0, openvpn tap and LAN interface)
- Squid is listening on LAN interface and port 3128
Problem:
Squid is accessible from the LAN net though no explicit rule is in place. I would have expected to have to set a rule for clients to access Squid, just like I have to if I want to access the pfSense web interface with the Anti-Lockout rule disabled. If I enter pfctl -sr on the command line, I can see two rules at the bottom:
pass in quick on bridge0 proto tcp from any to (bridge0) port = 3128 flags S/SA keep state
pass in quick on bridge0 proto tcp from any to (bridge0) port = 3129 flags S/SA keep state
Where do they come from and how do I restrict access to Squid for specific IP addresses?
-
Just to clarify, I was a bit unclear in my first post (but cannot edit it anymore):
System:
- pfSense 2.6.0 / APU2C4
- igb0: WAN
- igb1: LAN (no IP address and/or firewall rules associated)
- bridge0 (igb1 and OpenVPN tap): 192.168.1.1/24
- bridge0 has firewall rules for accessing the pfSense GUI from bridge0-net
- Squid is listening on bridge0 / port 3128
Problem:
- Squid is accessible from the bridge0-net though no rule allowing that is in place.
- I have to set a rule to access the pfSense GUI from bridge0-net though (and everything else for that matter)
If I enter pfctl -sr on the command line, I can see two rules at the bottom:
pass in quick on bridge0 proto tcp from any to (bridge0) port = 3128 flags S/SA keep state
pass in quick on bridge0 proto tcp from any to (bridge0) port = 3129 flags S/SA keep state
Where do they come from and how do I restrict access to Squid for specific IP addresses?
-
To answer my own question:
"Allow users on interface" in the "General" tab of Squid is checked by default. If you remove that setting, you have to create rules to allow users to access the proxy server. I should have paid closer attention to the settings.
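An added check, written for this thread and not code from the original posts or from pfSense/Squid: a small Python script that parses pfctl -sr output and flags pass rules that let any source reach the two proxy ports quoted above (3128 and 3129), i.e. the rules the "Allow users on interface" setting generates. The rule lines in SAMPLE_RULES are constructed, mirroring the two rules from the thread plus a hand-written source-restricted rule and a block rule; the regex is written for the common shape of pfctl -sr output and is an assumption about that format. On a real pfSense box, run it as root and feed it the live output.

```python
"""Audit pfctl -sr output for proxy rules that accept connections from any source.

Added example for the thread above; not code from pfSense or the Squid package.
"""
import re
import subprocess

# Proxy ports seen in the auto-generated rules quoted in the thread.
PROXY_PORTS = {3128, 3129}

# Constructed sample: the two auto-generated rules from the thread, one
# source-restricted rule of the kind you would write after unchecking
# "Allow users on interface", and a block rule that should not be flagged.
SAMPLE_RULES = """\
pass in quick on bridge0 proto tcp from any to (bridge0) port = 3128 flags S/SA keep state
pass in quick on bridge0 proto tcp from any to (bridge0) port = 3129 flags S/SA keep state
pass in quick on bridge0 inet proto tcp from 192.168.1.50 to (bridge0) port = 3128 flags S/SA keep state
block drop in log quick on bridge0 inet proto tcp from any to (bridge0) port = 3128
"""

# Assumed shape of a pfctl -sr line: action, optional drop/direction/log/quick,
# interface, optional address family and proto, then from/to with optional ports.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop)?(?: in| out)?(?: log)?(?: quick)?"
    r" on (?P<iface>\S+)"
    r"(?: inet6?)?"
    r"(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+)(?: port (?:= )?\S+)?"
    r" to (?P<dst>\S+)(?: port (?:= )?(?P<dport>\d+))?"
)


def parse_rules(text):
    """Parse pfctl -sr lines into dicts; lines that do not match the
    assumed shape are skipped rather than guessed at."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule = m.groupdict()
        rule["dport"] = int(rule["dport"]) if rule["dport"] else None
        rules.append(rule)
    return rules


def open_proxy_rules(text):
    """Return pass rules that let *any* source reach a proxy port.
    These are the rules you expect to disappear once "Allow users on
    interface" is unchecked and replaced by explicit, source-limited rules."""
    return [
        r for r in parse_rules(text)
        if r["action"] == "pass" and r["src"] == "any" and r["dport"] in PROXY_PORTS
    ]


def live_rules():
    """Fetch the active ruleset from the local pf instance (needs root)."""
    return subprocess.run(
        ["pfctl", "-sr"], check=True, capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    # Use the constructed sample when run stand-alone; swap in live_rules()
    # on the firewall itself.
    for r in open_proxy_rules(SAMPLE_RULES):
        print(f"open proxy rule on {r['iface']}: any -> {r['dst']} port {r['dport']}")
```

If the script reports nothing after you have unchecked the setting and added your own rules, the remaining access to the proxy is governed by the rules you wrote; if it still reports the two rules, the package has regenerated them and the setting is still active.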