    Squid Bypass Firewall rules!

    pfSense Packages
    itsmorefun:

      Hello,
      I have a problem with the Squid package: the parameter "Do NOT proxy Private Address Space (RFC 1918)" doesn't work well.
      If I check it, data will not pass through the proxy; it will be forwarded directly to the destination BUT will not be blocked by firewall rules!

      Same problem with the "Do NOT proxy these IPs" parameter (no rdr on $iface proto tcp from { $exempt_ip } to any port 80).

      I opened the file /tmp/rules.debug:
      The problem is here:

      # Setup squid pass rules for proxy
      pass in quick on vlan1 proto tcp from any to !(vlan1) port 80 flags S/SA keep state
      pass in quick on vlan1 proto tcp from any to !(vlan1) port 3128 flags S/SA keep state

      # Setup squid pass rules for proxy
      pass in quick on vlan2 proto tcp from any to !(vlan2) port 80 flags S/SA keep state
      pass in quick on vlan2 proto tcp from any to !(vlan2) port 3128 flags S/SA keep state

      # Setup squid pass rules for proxy
      pass in quick on vlan3 proto tcp from any to !(vlan3) port 80 flags S/SA keep state
      pass in quick on vlan3 proto tcp from any to !(vlan3) port 3128 flags S/SA keep state

      These rules are hard coded in /usr/local/pkg/squid.inc:

      case 'filter':
              // emitted once per interface squid listens on; $port is the proxy port (3128 in the rules above)
              foreach ($ifaces as $iface) {
                      $rules .= "# Setup squid pass rules for proxy\n";
                      $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                      $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
                      $rules .= "\n";
              }
              break;

      Why hard code these rules?

      Thanks

      itsmorefun:

        I suggest four things to the developers in /usr/local/pkg/squid.inc:

        -> add before "$conf = <<<EOD":

                $squid_conf = $config['installedpackages']['squid']['config'][0];
                if (!empty($squid_conf['defined_ip_proxy_off'])) {
                        // build one "acl deniedhosts" line from the semicolon-separated address list
                        $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
                        $exempt_ip = "";
                        foreach ($defined_ip_proxy_off as $ip_proxy_off) {
                                if (!empty($ip_proxy_off)) {
                                        $ip_proxy_off = trim($ip_proxy_off);
                                        $exempt_ip .= "$ip_proxy_off/255.255.255.255 ";
                                }
                        }
                        $exempt_acl = "acl deniedhosts src $exempt_ip";
                } else {
                        $exempt_acl = "";
                }

        -> add after "# Setup some default acls":

                acl localdest dst 192.168.0.0/255.255.0.0 172.16.0.0/255.240.0.0 10.0.0.0/255.0.0.0
                $exempt_acl

        -> add before "Allow local network(s) on interface(s)":

                if ($settingsconfig['private_subnet_proxy_off'] == 'on') {
                        $conf .= "# Block access to local destinations\n";
                        $conf .= "http_access deny localdest\n";
                }
                if (!empty($settingsconfig['defined_ip_proxy_off'])) {
                        $conf .= "# Block access from denied IPs\n";
                        $conf .= "http_access deny deniedhosts\n";
                }

        -> remove or re-design:

                case 'filter':
                        foreach ($ifaces as $iface) {
                                $rules .= "# Setup squid pass rules for proxy\n";
                                $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                                $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
                                $rules .= "\n";
                        }
                        break;

        What do you think?
        Thanks for all.

        trendchiller:

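The snippet in the post above appends "/255.255.255.255" to every entry of the "Do NOT proxy these IPs" field without checking it, so a CIDR entry, a typo, or an entry carrying an embedded newline is copied into squid.conf as-is. The following is an added example, written for this page and not code from squid.inc, from the poster, or from the pfSense project: it validates that list before rendering the Squid ACL lines the post proposes and the pf `no rdr` exemption the thread mentions. The field values used are constructed and the function names are this example's own.

```python
"""Added example (not code from squid.inc or from the thread): build the Squid
ACL fragment and the pf rdr exemption from the package's "Do NOT proxy" settings,
accepting only well-formed IPv4 hosts or CIDR blocks.  Field contents used for
the demo are constructed; function names are this example's own."""
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

# The RFC 1918 ranges the post's "localdest" ACL covers, in CIDR form
# (Squid accepts CIDR as well as the dotted masks used in the post).
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_exempt_list(field: str) -> Tuple[List[IPv4Network], List[str]]:
    """Split the semicolon-separated field into validated networks.

    A bare host becomes a /32; CIDR entries are kept as given; anything that
    does not parse as IPv4 (including an entry carrying an embedded newline,
    which would otherwise smuggle a directive into squid.conf) is reported in
    the second list instead of being emitted."""
    nets: List[IPv4Network] = []
    rejected: List[str] = []
    for raw in field.split(";"):
        item = raw.strip()
        if not item:
            continue
        try:
            net = ip_network(item, strict=False)
        except ValueError:
            rejected.append(item)
            continue
        if not isinstance(net, IPv4Network):
            rejected.append(item)          # the package's field is IPv4-only
            continue
        nets.append(net)
    return nets, rejected


def squid_acl_fragment(exempt_field: str, private_subnet_proxy_off: bool) -> str:
    """Squid lines corresponding to the post's suggestion.  They must be placed
    ahead of the http_access allow lines for the local networks, since Squid
    applies http_access rules in order and stops at the first match."""
    nets, rejected = parse_exempt_list(exempt_field)
    if rejected:
        raise ValueError("invalid exempt entries: %r" % rejected)
    lines = []
    if private_subnet_proxy_off:
        lines.append("acl localdest dst " + " ".join(RFC1918))
        lines.append("http_access deny localdest")
    if nets:
        lines.append("acl deniedhosts src " + " ".join(str(n) for n in nets))
        lines.append("http_access deny deniedhosts")
    return "".join(line + "\n" for line in lines)


def pf_no_rdr_rule(iface: str, exempt_field: str, port: int = 80) -> str:
    """The transparent-proxy exemption from the thread, fed by the same
    validated list.  Returns "" when there is nothing to exempt."""
    nets, rejected = parse_exempt_list(exempt_field)
    if rejected:
        raise ValueError("invalid exempt entries: %r" % rejected)
    if not nets:
        return ""
    hosts = " ".join(str(n) for n in nets)
    return "no rdr on %s proto tcp from { %s } to any port %d\n" % (iface, hosts, port)


if __name__ == "__main__":
    FIELD = "10.0.0.1; 192.168.5.0/24 ;"          # constructed field value
    print(squid_acl_fragment(FIELD, True), end="")
    print(pf_no_rdr_rule("vlan1", FIELD), end="")
```

Rejecting the whole list on one bad entry, rather than skipping it silently, is deliberate: a silently dropped entry means a host that was supposed to be exempt or denied quietly is not, which is exactly the class of surprise this thread is about.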
          Well, it's the intended behaviour…
          perhaps it's labeled a little confusingly...
          the intended effect was to bypass the connections to these IPs...
          for example for an ICA connection through VPN or the like...

          but I'll have a look at your suggestions...
          thanks!

          itsmorefun:

            There are two things:
            First, if we want to bypass the proxy, we perhaps do not want all HTTP packets to be allowed unconditionally.
            Second, the proxy must refuse to relay these packets if the user sets up the proxy in his browser.

            Thank you for having read my suggestions :)

            trendchiller:

              Hi!
              We need a way to pass selected packets on destination port 80 through the firewall and not have them inspected by squid, for some non-HTTP-communication apps on port 80 (for example the XML service from Citrix).
              I do not really see another way to do this… your suggestions do not provide a way to do this, because they do not pass the packets through the firewall..
              Might it be that you mean the "Do not cache" option under "cache management"?
              This does not pass the packets through the firewall but does not cache them...
              If packets with a non-standard HTTP format are passed to squid, it will block them (as with the ICA XML service).
              I will change the field descriptions so that there will be no confusion about the function of these fields.

              itsmorefun:

                @trendchiller:

                your suggestions do not provide a way to do this, because they do not pass the packets through the firewall..

                ????????????
                Packets will always pass through the firewall, but with my suggestion it is you who makes the pass or block rules, not the squid package.

                "Do NOT proxy Private Address Space (RFC 1918)" means that Squid must not inspect TCP packets to local servers, but without my suggestion you force the firewall to accept the packets, and I may not want packets to go to some areas…

                Please read the code I suggest in full.

                Thanks

                trendchiller:

                  On 2.0 squid can be controlled with firewall rules now, since user rules are evaluated before squid's default "pass quick" rules.
                  So there the problem is gone :-)

                  In pfSense 1.2.x squid rules are checked first, before the other rules… so this is the problem: you cannot create any rules to pass traffic through the firewall before squid catches it...

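The ordering point in the last reply is easy to check with a small model of how pf walks a ruleset: the last matching rule wins, except that a matching rule carrying `quick` ends evaluation immediately. What follows is an added example written for this page, not pfSense or Squid package code. The interface address that pf's `(vlan1)` macro would expand to, the user rule, and the packets are all constructed; the user rule is modelled as `quick`, which is how pfSense emits rules created in its GUI.

```python
"""Added example, not pfSense or Squid package code: a model of pf rule
evaluation showing why the package's hard-coded `pass in quick ... port 80`
rules overrode user rules on 1.2.x and why putting user rules ahead of them
(pfSense 2.0) fixes it.  All addresses, rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    iface: str
    proto: str
    dst: str                 # "any", a CIDR, or "!CIDR" (negated, like pf's !(vlan1))
    dport: Optional[int]     # None matches every destination port
    quick: bool
    label: str

    def matches(self, pkt: Packet) -> bool:
        if self.iface != pkt.iface or self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst == "any":
            return True
        negate = self.dst.startswith("!")
        inside = ip_address(pkt.dst) in ip_network(self.dst.lstrip("!"), strict=False)
        return inside != negate


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """pf semantics: the last matching rule wins, unless a matching rule is
    `quick`, which ends evaluation on the spot.  Returns (action, label)."""
    decision = (default, "default")
    for rule in rules:
        if rule.matches(pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision


# Constructed: the address pf's (vlan1) macro would expand to.
VLAN1_ADDR = "192.168.1.1"

# What the package emits for vlan1 (port 80 and the proxy port, 3128 here).
SQUID_RULES = [
    Rule("pass", "vlan1", "tcp", "!" + VLAN1_ADDR + "/32", 80, True, "squid pass 80"),
    Rule("pass", "vlan1", "tcp", "!" + VLAN1_ADDR + "/32", 3128, True, "squid pass 3128"),
]

# A user rule like the one the poster wants: no HTTP from vlan1 into 10/8.
USER_RULES = [
    Rule("block", "vlan1", "tcp", "10.0.0.0/8", 80, True, "user block http to 10/8"),
]

# Constructed packets: to a private server, to the Internet, to the firewall itself.
TO_PRIVATE = Packet("vlan1", "tcp", "192.168.1.50", "10.0.0.5", 80)
TO_INTERNET = Packet("vlan1", "tcp", "192.168.1.50", "198.51.100.10", 80)
TO_FIREWALL = Packet("vlan1", "tcp", "192.168.1.50", VLAN1_ADDR, 80)


def old_ordering() -> List[Rule]:
    """pfSense 1.2.x: package rules precede user rules."""
    return SQUID_RULES + USER_RULES


def new_ordering() -> List[Rule]:
    """pfSense 2.0: user rules precede the package's pass-quick rules."""
    return USER_RULES + SQUID_RULES


if __name__ == "__main__":
    for name, rules in (("1.2.x", old_ordering()), ("2.0", new_ordering())):
        for pkt in (TO_PRIVATE, TO_INTERNET, TO_FIREWALL):
            print(name, pkt.dst, evaluate(rules, pkt))
```

With the 1.2.x ordering the user's block rule is never reached for HTTP to 10.0.0.5, because the package's `pass in quick` rule matches first; with the 2.0 ordering the same block rule wins and Internet HTTP still reaches the proxy rule. Traffic to the interface's own address is excluded by the `!(vlan1)` negation in both orderings and falls through to the default.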