Netgate Discussion Forum
Squid port 3128 and Firewall Rules

Firewalling
squid firewall rules default deny acl lan
    mcury @JonathanLee
    last edited by Oct 21, 2023, 6:51 PM

    @JonathanLee said in Squid port 3128 and Firewall Rules:

    Maybe they are my URL blocks that still try to connect?

    I can't see how that could be.

    dead on arrival, nowhere to be found.

      JonathanLee @mcury
      last edited by Oct 21, 2023, 6:53 PM

      @mcury Done set it back to how I had it.


      Rules normalized


      Changed to conservative optimization

      Make sure to upvote

        mcury @JonathanLee
        last edited by Oct 21, 2023, 6:54 PM

        @JonathanLee said in Squid port 3128 and Firewall Rules:

        Changed to conservative optimization

        I think that will do it..


          JonathanLee
          last edited by JonathanLee Oct 21, 2023, 6:55 PM


          Dang still blocks



            JonathanLee @mcury
            last edited by Oct 21, 2023, 6:57 PM

            @mcury any other ideas?


              mcury @JonathanLee
              posted Oct 21, 2023, 6:59 PM, last edited by mcury Oct 21, 2023, 7:01 PM

              @JonathanLee It's blocking out connections, from pfSense to the host, with a default deny IPv4 rule?

              Check with cat /tmp/rules.debug in the shell, search for that rule.

              Do you have any floating rules ?


                JonathanLee @mcury
                posted Oct 21, 2023, 7:04 PM, last edited by JonathanLee Oct 21, 2023, 7:05 PM

                @mcury Yes I have floating rules for traffic shaping



                  JonathanLee @mcury
                  last edited by Oct 21, 2023, 7:06 PM

                  @mcury said in Squid port 3128 and Firewall Rules:

                  cat /tmp/rules.debug


                  Rule


                    mcury @JonathanLee
                    posted Oct 21, 2023, 7:08 PM, last edited by mcury Oct 21, 2023, 7:15 PM

                    @JonathanLee

                    # default deny rules
                    #---------------------------------------------------------------------------
                    block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
                    block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"

                    I suppose you have transparent proxy also enabled? For systems that can't set a proxy by hand?
                    If that is the case, disable transparent proxy for one second to see if it is not related to the rdr pass you have up there.


                      JonathanLee @mcury
                      last edited by Oct 21, 2023, 7:24 PM

                      @mcury Yes I do have both, my XBOX uses the transparent side


                        mcury @JonathanLee
                        last edited by Oct 21, 2023, 7:29 PM

                        @JonathanLee said in Squid port 3128 and Firewall Rules:

                        @mcury Yes I do have both, my XBOX uses the transparent side

                        Have you bypassed all other hosts that don't need transparent proxy in the Squid settings?

                        Disable transparent proxy for one sec and test.

                        If it works, enable it again and try to bypass clients that are pointing to the proxy (explicit) in the transparent settings.


                          JonathanLee @mcury
                          last edited by Oct 21, 2023, 7:38 PM

                          @mcury How do you bypass, for example, one host like 192.168.1.17 from the SSL intercept but still make it use the transparent proxy?


                            mcury @JonathanLee
                            posted Oct 21, 2023, 7:41 PM, last edited by mcury Oct 21, 2023, 7:43 PM

                            @JonathanLee said in Squid port 3128 and Firewall Rules:

                            How do you bypass, for example, one host like 192.168.1.17 from the SSL intercept but still make it use the transparent proxy?

                            1- Disable transparent proxy
                            2- You would have to create the transparent NAT manually, using a ! in the source, with that IP address.
                            3- That NAT would have to redirect outbound TCP 443 connections to 127.0.0.1 3128.

                            Test like that; if it doesn't work, try to change the port in the 3rd step to 3129.

                            I think that will do it.

                            Note that you would also need to create one for port 80.


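The three steps above describe a hand-built rdr rule whose `!` source excludes one host from interception while every other LAN client is still redirected to Squid. The following is an added example, not code from the thread or from pfSense: it parses pf `rdr` lines in the shape pfSense writes to /tmp/rules.debug and evaluates them first-match (pf translation rules are first-match, unlike filter rules) to show which client flows land on 127.0.0.1:3128/3129 and which are bypassed. The rule text, the interface name `em1` with address 192.168.1.1, the bypass host 192.168.1.17 and the destination addresses are constructed assumptions for illustration.

```python
"""Model pf 'rdr' first-match evaluation for a Squid transparent redirect
and check which clients are intercepted and which one is bypassed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in pf syntax (assumption, not copied from the thread's
# screenshots): LAN is em1 at 192.168.1.1, the excluded host is 192.168.1.17,
# Squid listens on 3128 for HTTP and 3129 for HTTPS intercept.
SAMPLE_RULES_DEBUG = """\
# hand-built transparent redirects: '!' in the source excludes one host
rdr on em1 inet proto tcp from ! 192.168.1.17 to !(em1) port 80 -> 127.0.0.1 port 3128
rdr on em1 inet proto tcp from ! 192.168.1.17 to !(em1) port 443 -> 127.0.0.1 port 3129

# default deny rules
block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
"""

IFACE_ADDRS = {"em1": {"192.168.1.1"}}  # assumption: what the (em1) macro expands to

RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)(?:\s+inet6?)?\s+proto\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>!?\s*\S+)\s+to\s+(?P<dst>!?\s*\S+)"
    r"(?:\s+port\s+(?P<dport>\d+))?\s*->\s*(?P<rhost>\S+)\s+port\s+(?P<rport>\d+)"
)


@dataclass(frozen=True)
class RdrRule:
    iface: str
    proto: str
    src: str            # address, 'any', or '(iface)' macro
    src_neg: bool       # True when the spec was written with a leading '!'
    dst: str
    dst_neg: bool
    dport: Optional[int]
    rdr_host: str
    rdr_port: int


def _split_neg(spec: str) -> tuple[str, bool]:
    spec = spec.strip()
    if spec.startswith("!"):
        return spec[1:].strip(), True
    return spec, False


def parse_rdr_rules(text: str) -> list[RdrRule]:
    """Collect rdr lines in file order; pf applies them first-match."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        src, src_neg = _split_neg(m["src"])
        dst, dst_neg = _split_neg(m["dst"])
        rules.append(RdrRule(m["iface"], m["proto"], src, src_neg, dst, dst_neg,
                             int(m["dport"]) if m["dport"] else None,
                             m["rhost"], int(m["rport"])))
    return rules


def _addr_matches(spec: str, negate: bool, addr: str) -> bool:
    if spec == "any":
        hit = True
    elif spec.startswith("(") and spec.endswith(")"):
        hit = addr in IFACE_ADDRS.get(spec[1:-1], set())   # interface-address macro
    else:
        hit = spec == addr
    return (not hit) if negate else hit


def redirect_for(rules, src, dst, dport, iface="em1", proto="tcp"):
    """Return the (host, port) Squid target of the first matching rdr, or None."""
    for r in rules:
        if r.iface != iface or r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if not _addr_matches(r.src, r.src_neg, src):
            continue
        if not _addr_matches(r.dst, r.dst_neg, dst):
            continue
        return (r.rdr_host, r.rdr_port)
    return None


def default_deny_labels(text: str) -> list[str]:
    """The block lines mcury asked to search for in /tmp/rules.debug."""
    return [ln.strip() for ln in text.splitlines()
            if ln.lstrip().startswith("block") and "Default deny" in ln]


if __name__ == "__main__":
    rules = parse_rdr_rules(SAMPLE_RULES_DEBUG)
    for src, dst, port in [("192.168.1.50", "93.184.216.34", 443),
                           ("192.168.1.17", "93.184.216.34", 443),
                           ("192.168.1.50", "192.168.1.1", 443)]:
        print(f"{src} -> {dst}:{port} => {redirect_for(rules, src, dst, port)}")
```

Running it shows the intended split: an ordinary client on port 443 is redirected to 127.0.0.1:3129, the excluded host 192.168.1.17 is left alone (so it can keep using the explicit proxy without double requests), and traffic to the firewall's own address is not redirected because of the `!(em1)` destination. Swapping the rule order or dropping the `!` changes the result, which is what makes first-match worth checking against the real rules.debug rather than the GUI.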
                              JonathanLee @mcury
                              last edited by Oct 21, 2023, 7:54 PM

                              @mcury Thanks!!!! That helps a lot. I no longer see double requests for everything and it all still works!!! The XBOX uses transparent and UPnP, and all the devices that know about the proxy don't need the transparent!!! YES!!!


                                mcury @JonathanLee
                                last edited by Oct 21, 2023, 7:55 PM

                                @JonathanLee said in Squid port 3128 and Firewall Rules:

                                @mcury Thanks!!!! That helps a lot. I no longer see double requests for everything and it all still works!!! The XBOX uses transparent and UPnP, and all the devices that know about the proxy don't need the transparent!!! YES!!!

                                Oh, good to hear that :)


                                  JonathanLee @mcury
                                  last edited by Oct 21, 2023, 8:07 PM

                                  @mcury

                                  Thanks, all I see is WAN blocks now!! YES!!! THANK YOU



                                    JonathanLee
                                    last edited by Jan 12, 2025, 5:00 PM

                                    Could it be set flags SYN ACK ? and or state type keep or sloppy ?


                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.