Firewall rules are not evaluated when squid is enabled?
-
Hi,
I've read everything I could find about this, however I still don't understand why things are working as they are.
I'm running pfSense 2.6.0-RELEASE, with Squid installed and enabled on the LAN interface.
I created a simple LAN firewall rule to reject any traffic to port 80, and set Firefox to use the Squid proxy in the browser settings.
I'm able to get to HTTP websites with the rule enabled (neverssl.com for example).
When I configure Firefox to 'no proxy', HTTP traffic is rejected as I want it to be.
I read that it might be related to Squid adding a firewall rule for the transparent HTTP proxy option that is not visible in the GUI, so I checked with the pfctl -sr command, and I don't see any added/removed lines with this option enabled or not.
Is this how it should work, or am I missing something in my configuration?
Thanks,
Ofer
-
@oferkes It's how it should work. You block tcp/80, so people can't go direct and must go through the proxy. The proxy listens on tcp/3128 and is not affected by your LAN block.
-
@oferkes said in Firewall rules are not evaluated when squid is enabled?:
set firefox to use squid proxy in the browser settings.
If you specifically set Firefox to use the proxy, then yeah, as @KOM stated, it's WAD.
There are 2 different modes: one where the proxy intercepts traffic, and one where the proxy is explicitly set in the browser.
Be it that you set the proxy in the browser to, say, the Squid port 3128, or that it was auto-discovered, that is different from a "transparent" proxy, where the browser doesn't know there is a proxy and the proxy says "oh, that is traffic I should proxy" and intercepts it.
Transparent can be problematic.. But either way, if your goal is to use a proxy but not allow access to some website, then you should block that access in the proxy, and also block direct access.
-
It is clear now, thank you both for the replies.
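To make the "block in the proxy, and also block direct access" advice concrete, here is an added example (not from the thread, and not the pfSense Squid package's generated config): a hand-written Squid ACL that denies a site for every client, beside the pf filter rule that is equivalent to the LAN rule from the original post. The interface name em1, the LAN subnet 192.168.1.0/24 and the blocked domains are assumptions chosen for illustration; pfSense's Squid package exposes the same ACL through its ACLs tab rather than a raw squid.conf edit.

```conf
# ---- squid.conf fragment (added example; interface/subnet/domains are assumed) ----
http_port 3128                      # explicit proxy port the browser is pointed at

# Deny the listed domains no matter how the request reached Squid (explicit, WPAD or
# intercepted). dstdomain also matches the host in CONNECT requests, so HTTPS is covered.
acl blocked_sites dstdomain .neverssl.com .example.com
http_access deny blocked_sites

# The deny must appear BEFORE the rule that allows the LAN, because http_access
# lines are evaluated in order and the first match wins.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# ---- pf filter rule equivalent to the LAN firewall rule in the post (interface assumed) ----
# Catches direct (non-proxied) HTTP only: a browser configured for the proxy never sends
# to port 80, it sends to the firewall itself on tcp/3128, so this rule does not see it.
block return in quick on em1 inet proto tcp from 192.168.1.0/24 to any port 80

# Note: Squid's transparent mode is implemented with a pf redirect (rdr) entry, and rdr
# entries are listed by "pfctl -s nat", not by "pfctl -s rules" / "pfctl -sr".
```

With both halves in place, a client that bypasses the proxy hits the pf block, and a client that uses the proxy hits the Squid deny; neither path alone covers both cases, which is the point johnpoz makes above.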