Netgate Discussion Forum

    Squid port 3128 and Firewall Rules

    Category: Firewalling
    Tags: squid, firewall rules, default deny, acl, lan
    27 posts, 2 posters, 8.4k views
    • JonathanLee @mcury

      @mcury I wonder why it keeps doing it; it does it for every single LAN device in the logs all day. But everything is working on the user end.

      Make sure to upvote

      • JonathanLee @mcury

        @mcury I even have "any flags" set for all the rules tested.

        [screenshot: 2023-10-21 11:45:20 AM]

        • JonathanLee @mcury

          @mcury Maybe they are my URL blocks that still try to connect?

          • mcury @JonathanLee

            @JonathanLee Leave only one rule, clients to default gateway, TCP port 3128.
            Leave this rule with default settings.

            Try this:

            [image]

            There, where you see Firewall Optimization Options, change to conservative.

            Note that this option will increase memory usage of the firewall.

            dead on arrival, nowhere to be found.

            • mcury @JonathanLee

              @JonathanLee said in Squid port 3128 and Firewall Rules:

              Maybe they are my URL blocks that still try to connect?

              I can't see how that could be.

              • JonathanLee @mcury

                @mcury Done, set it back to how I had it.

                [screenshot: 2023-10-21 11:52:33 AM]

                Rules normalized

                [screenshot: 2023-10-21 11:51:48 AM]

                Changed to conservative optimization

                • mcury @JonathanLee

                  @JonathanLee said in Squid port 3128 and Firewall Rules:

                  Changed to conservative optimization

                  I think that will do it.

                  • JonathanLee

                    [screenshot: 2023-10-21 11:54:31 AM]

                    Dang still blocks

                    [screenshot: 2023-10-21 11:55:25 AM]

                    • JonathanLee @mcury

                      @mcury any other ideas?

                      • mcury @JonathanLee

                        @JonathanLee It's blocking out connections, from pfSense to the host, with a default deny IPv4 rule?

                        Check with cat /tmp/rules.debug in the shell, search for that rule.

                        Do you have any floating rules?

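The check mcury asks for above (find the rule behind a log entry in /tmp/rules.debug) can be done without reading the whole file. The script below is an added example, not part of this thread or of pfSense: it takes a firewall log line, pulls out the tracker id, and looks up the matching "ridentifier" in a constructed rules.debug excerpt. The two default deny lines are the ones quoted later in this thread; the LAN pass rule, the rdr line, the interface name igb1, the tracker 1700000001 and the log line itself are made up. The log layout assumed is the pfSense 2.x filterlog CSV (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, ...).

```shell
#!/bin/sh
# Added example: map a pfSense filterlog block to its rule in /tmp/rules.debug.

# Constructed rules.debug excerpt (see lead-in for what is real and what is assumed).
RULES_DEBUG=$(mktemp)
cat > "$RULES_DEBUG" <<'EOF'
# default deny rules
#---------------------------------------------------------------------------
block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"

# hypothetical transparent-proxy redirect generated by the Squid package
rdr pass on igb1 inet proto tcp from any to ! (igb1) port 80 -> 127.0.0.1 port 3128

# User-defined rules follow (hypothetical LAN rule and tracker id)
pass in quick on igb1 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port 3128 ridentifier 1700000001 keep state label "USER_RULE: LAN clients to Squid"
EOF

# Constructed filterlog line: a 'block out' on the LAN interface, firewall -> client,
# tracker 1000000104 (4th CSV field), i.e. the outbound default deny rule.
LOGLINE='Oct 21 11:55:25 pfSense filterlog[55123]: 5,,,1000000104,igb1,match,block,out,4,0x0,,64,21873,0,DF,6,tcp,60,192.168.1.1,192.168.1.17,3128,49512,0,S,1234567890,,65228,,mss'

# tracker_of_logline LINE: strip the syslog prefix, keep CSV field 4.
# Works on a bare CSV line too (no prefix to strip).
tracker_of_logline() {
    printf '%s\n' "$1" | sed 's/^.*filterlog\[[0-9]*\]: //' | cut -d, -f4
}

# rule_for_tracker TRACKER FILE: the rules.debug line carrying that ridentifier.
rule_for_tracker() {
    grep -F "ridentifier $1 " "$2" | head -n 1
}

# label_for_tracker TRACKER FILE: the label text only, e.g. Default deny rule IPv4.
label_for_tracker() {
    rule_for_tracker "$1" "$2" | sed -n 's/.*label "\([^"]*\)".*/\1/p'
}

# action_for_tracker TRACKER FILE: first two tokens, e.g. "block out" or "pass in".
action_for_tracker() {
    rule_for_tracker "$1" "$2" | awk '{ print $1, $2 }'
}

# rdr_rules FILE: the redirect (transparent proxy) rules, the "rdr pass" mcury refers to.
rdr_rules() {
    grep '^rdr ' "$1"
}

# explain_logline LINE FILE: one-line verdict.
explain_logline() {
    t=$(tracker_of_logline "$1")
    printf 'tracker %s -> %s "%s"\n' "$t" "$(action_for_tracker "$t" "$2")" "$(label_for_tracker "$t" "$2")"
}

explain_logline "$LOGLINE" "$RULES_DEBUG"
# -> tracker 1000000104 -> block out "Default deny rule IPv4"
rdr_rules "$RULES_DEBUG"
```

On a live box the same functions run against the real file: `explain_logline "$(tail -n 1 /var/log/filter.log)" /tmp/rules.debug` (pfSense writes the filter log through clog or plain text depending on version; pipe through `clog` where needed). A default deny hit on the LAN interface in the "out" direction means no pass rule and no existing state covered that packet, which is the question mcury is narrowing down here.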
                        • JonathanLee @mcury

                          @mcury Yes I have floating rules for traffic shaping

                          [screenshot: 2023-10-21 12:04:45 PM]

                          • JonathanLee @mcury

                            @mcury said in Squid port 3128 and Firewall Rules:

                            cat /tmp/rules.debug

                            [screenshot: 2023-10-21 12:06:25 PM]

                            Rule

                            • mcury @JonathanLee

                              @JonathanLee

                              # default deny rules
                              #---------------------------------------------------------------------------
                              block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
                              block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
                              

                              I suppose you have transparent proxy also enabled? For systems that can't set a proxy by hand?
                              If that is the case, disable transparent proxy for one second to see if it is not related to the rdr pass you have up there.

                              • JonathanLee @mcury

                                @mcury Yes I do have both, my XBOX uses the transparent side

                                • mcury @JonathanLee

                                  @JonathanLee said in Squid port 3128 and Firewall Rules:

                                  @mcury Yes I do have both, my XBOX uses the transparent side

                                  Have you bypassed all other hosts that don't need transparent proxy in the Squid settings?

                                  Disable transparent proxy for one sec and test.

                                  If it works, enable it again and try to bypass clients that are pointing to the proxy (explicit) in the transparent settings.

                                  • JonathanLee @mcury

                                    @mcury How do you bypass for example one host like 192.168.1.17 from the SSL intercept but still make it use the transparent proxy?

                                    • mcury @JonathanLee

                                      @JonathanLee said in Squid port 3128 and Firewall Rules:

                                      How do you bypass for example one host like 192.168.1.17 from the SSL intercept but still make it use the the transparent proxy?

                                      1- Disable transparent proxy
                                      2- You would have to create the transparent NAT manually, using a ! in the source, with that IP address.
                                      3- That NAT would have to redirect outbound TCP 443 connections to 127.0.0.1 3128.

                                      Test like that; if it doesn't work, try changing the port in the 3rd step to 3129.

                                      I think that will do it.
                                      [image]

                                      Note that you would also need to create one for port 80.

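The three steps above, written out as the pf NAT fragment they produce, as an added example that is not mcury's rules or pfSense's generated config. It goes slightly beyond the post: instead of negating one IP in the source it negates a table, so any number of explicit-proxy clients can be excluded at once. The LAN interface name igb1, the Squid ports (3128 for HTTP, 3129 for the SSL intercept mentioned in the post) and the table name are assumptions.

```shell
#!/bin/sh
# Added example: emit the manual transparent-proxy NAT described in the thread,
# with the explicit-proxy clients excluded via '! <table>' in the source.

BYPASS_TABLE="explicit_proxy_clients"   # hypothetical pf table / pfSense alias name

# rdr_rule IFACE DPORT SQUIDPORT: one redirect.
#   'from ! <table>'  - clients already pointed at the proxy are not intercepted again
#   'to ! (IFACE)'    - connections aimed at the firewall itself (the explicit proxy on
#                       3128, the GUI) are left alone instead of being looped into Squid
rdr_rule() {
    printf 'rdr pass on %s inet proto tcp from ! <%s> to ! (%s) port %s -> 127.0.0.1 port %s\n' \
        "$1" "$BYPASS_TABLE" "$1" "$2" "$3"
}

# gen_transparent_nat IFACE HTTP_PORT HTTPS_PORT HOST...:
# the table definition, the port-80 rule mcury's last note asks for, and the
# port-443 rule from step 3.
gen_transparent_nat() {
    iface=$1 http_port=$2 https_port=$3
    shift 3
    printf 'table <%s> { %s }\n' "$BYPASS_TABLE" "$*"
    rdr_rule "$iface" 80  "$http_port"
    rdr_rule "$iface" 443 "$https_port"
}

# rdr_count FRAGMENT: number of redirects in a fragment (sanity check).
rdr_count() {
    printf '%s\n' "$1" | grep -c '^rdr '
}

# redirect_target FRAGMENT DPORT: where a given destination port is sent, as host:port.
redirect_target() {
    printf '%s\n' "$1" | sed -n "s/^rdr .* port $2 -> \([0-9.]*\) port \([0-9]*\)\$/\1:\2/p"
}

# Example: the XBOX (and anything else not listed) is intercepted; 192.168.1.17 and
# 192.168.1.20 are explicit-proxy clients that must not be redirected a second time.
FRAGMENT=$(gen_transparent_nat igb1 3128 3129 192.168.1.17 192.168.1.20)
printf '%s\n' "$FRAGMENT"
```

In the pfSense GUI the equivalent is a Port Forward on LAN with "Invert match" ticked on the source (pointing at an alias of the explicit clients), destination inverted to "LAN address", destination port 443, redirect target 127.0.0.1 and redirect port 3129 (3128 if that does not work, as the post says), plus a second one for port 80. Syntax of a hand-written fragment can be checked with `pfctl -nf file` before it is loaded; do not load it by hand on pfSense, since the next filter reload would overwrite it.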
                                      • JonathanLee @mcury

                                        @mcury Thanks!!!! That helps a lot; I no longer see double requests for everything and it all still works!!! The XBOX uses transparent and UPnP, and all the devices that know about the proxy don't need the transparent!!! YES!!!

                                        • mcury @JonathanLee

                                          @JonathanLee said in Squid port 3128 and Firewall Rules:

                                          @mcury Thanks!!!! That helps a lot; I no longer see double requests for everything and it all still works!!! The XBOX uses transparent and UPnP, and all the devices that know about the proxy don't need the transparent!!! YES!!!

                                          Oh, good to hear that :)

                                          • JonathanLee @mcury

                                            @mcury

                                            Thanks, all I see is WAN blocks now!! YES!!! THANK YOU

                                            [screenshot: 2023-10-21 1:07:06 PM]

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.