Netgate Discussion Forum
    Squid port 3128 and Firewall Rules

    Category: Firewalling
    Tags: squid, firewall rules, default deny, acl, lan
    27 Posts 2 Posters 4.5k Views

    • JonathanLeeJ
      JonathanLee
      last edited by JonathanLee

      Hello fellow Netgate community members.

      Can you please help? I have Squid running on ports 3128 and 3129 with custom rules enabled, some splice, some bump. I keep noticing a default Netgate deny-all rule in my logs. I have even attempted to create a rule from 192.168.1.1 and 127.0.0.1, source port 3128, to any LAN device. However, I keep seeing logs that it is blocked, with or without the rule. WLAN = wireless LAN; destinations are LAN devices.

      Here are the logs I see:

      Screenshot 2023-10-21 at 11.11.50 AM.png

      Now, I think this is the Squid proxy or Squid cache responding to requests; however, why is it shown as blocked?? Does the auto rule not include Squid? Which leads to: if I add a rule for this condition, why does it never show states and continue to block it??

      I think I have some small setting off, as it should approve the proxy to respond to client requests from the cache right?

      Everything is working on the system; however, the proxy logs show lots of misses for 127.0.0.1, so I think this is the cache being blocked automatically, with or without ACLs set up to approve it.

      Make sure to upvote

      1 Reply Last reply Reply Quote 0
      • JonathanLeeJ
        JonathanLee
        last edited by

        One more note: EZ rules are ignored, and the condition continues too.

        Make sure to upvote

        1 Reply Last reply Reply Quote 0
        • JonathanLeeJ
          JonathanLee
          last edited by JonathanLee

          Screenshot 2023-10-21 at 11.41.10 AM.png
          The 2nd rule did nothing to resolve this.

          Make sure to upvote

          1 Reply Last reply Reply Quote 0
          • JonathanLeeJ
            JonathanLee
            last edited by JonathanLee

            This was also tested:

            Screenshot 2023-10-21 at 11.39.55 AM.png

            Make sure to upvote

            1 Reply Last reply Reply Quote 0
            • JonathanLeeJ
              JonathanLee
              last edited by JonathanLee

              This was also tested:

              Screenshot 2023-10-21 at 11.42.21 AM.png

              Make sure to upvote

              M 1 Reply Last reply Reply Quote 0
              • M
                mcury @JonathanLee
                last edited by

                @JonathanLee If that is not a TCP:S, it should be an out-of-state connection.
                Could be an asymmetric route, but I don't think that is the case.

                All you need is to allow clients to connect to their gateway IP address (pfsense), on port 3128.

                Port 3128 will handle SSL connections too. I don't remember ever having to use port 3129.

                dead on arrival, nowhere to be found.

                JonathanLeeJ 3 Replies Last reply Reply Quote 1
                • JonathanLeeJ
                  JonathanLee @mcury
                  last edited by

                  @mcury I wonder why it keeps doing it; it does it for every single LAN device in the logs all day. But everything is working on the user end.

                  Make sure to upvote

                  1 Reply Last reply Reply Quote 0
                  • JonathanLeeJ
                    JonathanLee @mcury
                    last edited by

                    @mcury I even have the "any" flag set for all the rules tested:

                    Screenshot 2023-10-21 at 11.45.20 AM.png

                    Make sure to upvote

                    M 1 Reply Last reply Reply Quote 0
                    • JonathanLeeJ
                      JonathanLee @mcury
                      last edited by

                      @mcury Maybe they are my URL blocks that still try to connect?

                      Make sure to upvote

                      M 1 Reply Last reply Reply Quote 0
                      • M
                        mcury @JonathanLee
                        last edited by

                        @JonathanLee Leave only one rule, clients to default gateway, TCP port 3128.
                        Leave this rule with default settings.

                        Try this:

                        a7333a87-54fd-4f1c-9ba4-ce1e61b399df-image.png

                        There, where you see Firewall Optimization Options, change it to Conservative.

                        Note that this option will increase memory usage of the firewall.

                        dead on arrival, nowhere to be found.

                        JonathanLeeJ 1 Reply Last reply Reply Quote 1
                        • M
                          mcury @JonathanLee
                          last edited by

                          @JonathanLee said in Squid port 3128 and Firewall Rules:

                          Maybe they are my URL blocks that still try to connect?

                          I can't see how that could be.

                          dead on arrival, nowhere to be found.

                          1 Reply Last reply Reply Quote 0
                          • JonathanLeeJ
                            JonathanLee @mcury
                            last edited by

                            @mcury Done; set it back to how I had it.

                            Screenshot 2023-10-21 at 11.52.33 AM.png

                            Rules normalized

                            Screenshot 2023-10-21 at 11.51.48 AM.png

                            Changed to conservative optimization

                            Make sure to upvote

                            M 1 Reply Last reply Reply Quote 1
                            • M
                              mcury @JonathanLee
                              last edited by

                              @JonathanLee said in Squid port 3128 and Firewall Rules:

                              Changed to conservative optimization

                              I think that will do it.

                              dead on arrival, nowhere to be found.

                              JonathanLeeJ 1 Reply Last reply Reply Quote 0
                              • JonathanLeeJ
                                JonathanLee
                                last edited by JonathanLee

                                Screenshot 2023-10-21 at 11.54.31 AM.png

                                Dang, still blocks.

                                Screenshot 2023-10-21 at 11.55.25 AM.png

                                Make sure to upvote

                                M 1 Reply Last reply Reply Quote 0
                                • JonathanLeeJ
                                  JonathanLee @mcury
                                  last edited by

                                  @mcury Any other ideas?

                                  Make sure to upvote

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    mcury @JonathanLee
                                    last edited by mcury

                                    @JonathanLee It's blocking out connections, from pfSense to the host, with a default deny IPv4 rule?

                                    Check with cat /tmp/rules.debug in the shell and search for that rule.

                                    Do you have any floating rules?

                                    dead on arrival, nowhere to be found.

                                    JonathanLeeJ 2 Replies Last reply Reply Quote 0
                                    • JonathanLeeJ
                                      JonathanLee @mcury
                                      last edited by JonathanLee

                                      @mcury Yes, I have floating rules for traffic shaping:

                                      Screenshot 2023-10-21 at 12.04.45 PM.png

                                      Make sure to upvote

                                      1 Reply Last reply Reply Quote 0
                                      • JonathanLeeJ
                                        JonathanLee @mcury
                                        last edited by

                                        @mcury said in Squid port 3128 and Firewall Rules:

                                        cat /tmp/rules.debug

                                        Screenshot 2023-10-21 at 12.06.25 PM.png

                                        Rule

                                        Make sure to upvote

                                        M 1 Reply Last reply Reply Quote 0
                                        • M
                                          mcury @JonathanLee
                                          last edited by mcury

                                          @JonathanLee

                                          # default deny rules
                                          #---------------------------------------------------------------------------
                                          block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
                                          block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
                                          

                                          I suppose you also have transparent proxy enabled? For systems that can't set a proxy by hand?
                                          If that is the case, disable transparent proxy for one second to see if it is not related to the rdr pass you have up there.

                                          dead on arrival, nowhere to be found.

                                          JonathanLeeJ 1 Reply Last reply Reply Quote 1
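Two diagnostic steps come up in this thread: mcury's point that a blocked packet that is not a bare TCP SYN (TCP:S) is an out-of-state packet rather than a missing allow rule, and the suggestion to look the tracker id from the log up in /tmp/rules.debug. The script below is an added example, not code from the thread or from pfSense; it triages pfSense filterlog lines in the documented CSV format. The four log lines are constructed samples (interface igb1, client addresses 192.168.1.50 and 192.168.1.60, the tracker id 1620000000 on the pass line are all made up); the two default deny lines are the ones quoted from rules.debug above. Field positions are assumed from the filterlog IPv4/TCP layout (field 4 = tracker id, 7 = action, 8 = direction, 17 = protocol, 21/22 = source/destination port, 24 = TCP flags).

```shell
#!/bin/sh
# Constructed sample filterlog lines (not from the thread), pfSense CSV layout.
# Line 1: client SYN to the proxy port blocked inbound (a real missing-rule case).
# Lines 2-3: proxy replies (ACK, FIN/ACK) blocked outbound with no SYN flag,
#            i.e. packets that matched no existing state.
# Line 4: a passed SYN, included so non-block lines are exercised.
SAMPLE_LOG='4,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,51234,3128,0,S,1,,65535,,mss
4,,,1000000104,igb1,match,block,out,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.1,192.168.1.50,3128,51234,0,A,1,2,65535,,
4,,,1000000104,igb1,match,block,out,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.1,192.168.1.60,3128,49876,0,FA,1,2,65535,,
5,,,1620000000,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,51235,3128,0,S,1,,65535,,mss'

# The two default deny lines quoted from /tmp/rules.debug earlier in the thread.
RULES_DEBUG='block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"'

# Classify one filterlog line the way mcury reasons above:
#   pass            - not a block at all
#   new-connection  - a blocked bare SYN, so a rule is genuinely missing
#   out-of-state    - a blocked TCP packet without a bare SYN, so the
#                     firewall had no state for it (timeout, asymmetry, rdr)
classify_line() {
    printf '%s\n' "$1" | awk -F, '
    {
        action = $7; proto = $17; flags = $24
        if (action != "block")              { print "pass"; next }
        if (proto == "tcp" && flags == "S") { print "new-connection"; next }
        print "out-of-state"
    }'
}

# Count blocked TCP packets on the proxy port (default 3128, either side)
# whose flags are not a bare SYN. A non-zero count points at a state
# problem rather than at the allow rule the poster kept adding.
count_out_of_state() {
    port="${1:-3128}"
    printf '%s\n' "$SAMPLE_LOG" | awk -F, -v p="$port" '
    $7 == "block" && $17 == "tcp" && ($21 == p || $22 == p) && $24 != "S" { n++ }
    END { print n + 0 }'
}

# Group blocks by tracker id, direction, protocol and flags so each
# tracker id can be looked up in rules.debug.
summarise_blocks() {
    printf '%s\n' "$SAMPLE_LOG" | awk -F, '
    $7 == "block" { c[$4 " " $8 " " $17 " " $24]++ }
    END { for (k in c) print c[k], k }' | sort
}

# Resolve a tracker id from the log to its pf rule, as "cat /tmp/rules.debug"
# followed by a search would. On a live box, replace RULES_DEBUG with the file.
rule_for_tracker() {
    printf '%s\n' "$RULES_DEBUG" | grep "ridentifier $1 "
}

# Stand-alone run: summary plus the rule behind the outbound deny.
summarise_blocks
echo "out-of-state blocks on 3128: $(count_out_of_state)"
rule_for_tracker 1000000104
```

Reading the summary: a count of blocked bare SYNs on the inbound side means a client really is hitting the default deny and needs the single "clients to gateway, TCP 3128" rule mcury describes; blocked ACK/FIN packets on the outbound side are the proxy answering a connection the firewall has already forgotten, which is why adding more allow rules never created a state and why the state-timeout (Conservative optimization) and transparent-proxy rdr checks were the next things tried.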
                                          • JonathanLeeJ
                                            JonathanLee @mcury
                                            last edited by

                                            @mcury Yes, I do have both; my Xbox uses the transparent side.

                                            Make sure to upvote

                                            M 1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.