Netgate Discussion Forum

Transparent proxy security hole

pfSense Packages
    itsmorefun
    Feb 28, 2009, 10:08 AM (last edited Feb 28, 2009, 10:18 AM)

    Hello, I have a problem with transparent proxy. I have two networks with transparent proxy enabled:
    LAN 192.168.0.0/24 & LAN2 172.17.0.0/16.
    In firewall rules, everything from LAN2 toward LAN is denied, but with transparent proxy, LAN2's users can reach LAN's web server.
    I know I can use blacklists in SquidGuard to deny access to "192.168.0." but if a user uses a DNS name, he can reach the server and we can't block that; a user can add in his hosts file "192.168.0.5 dsfdsfffffd" and use dsfdsfffffd to access the server on LAN…
    Also in the firewall we can't block pfSense from accessing something; I have tried "block 192.168.0.1:any to 192.168.0.5:80" or "block 127.0.0.1:any to 192.168.0.5:80" in LAN rules, but can't block...

    Thanks for any help.

      jimp Rebel Alliance Developer Netgate
      last edited by Feb 28, 2009, 4:03 PM

      Some people have gotten around a similar situation by using hand-coded rules, but I don't recall the specifics.

      Something along the lines of (in pseudocode): redirect all from <lan> to any (not <opt1>) port 80 to localhost port <squidport>.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        itsmorefun
        last edited by Feb 28, 2009, 5:13 PM

        A URL or a pfSense developer's topic? I found nothing in the docs or
        FAQ.  ???
        Thanks for any help.

          jimp Rebel Alliance Developer Netgate
          last edited by Feb 28, 2009, 9:38 PM

          You might have a look at this thread:

          http://forum.pfsense.org/index.php/topic,6169.0.html

            itsmorefun
            last edited by Mar 1, 2009, 10:45 AM

            The problem is that the Squid package bypasses firewall rules:

            http://forum.pfsense.org/index.php/topic,14607.0.html

              Cry Havok
              last edited by Mar 1, 2009, 6:16 PM

              No, it doesn't.

              Firewall rules are inbound on interfaces.  Squid runs on the host, hence if you can connect to it there are no rules to stop outbound access.  At no point are rules bypassed.  Your intentions might not be being met, but that's completely different.

                itsmorefun
                last edited by Mar 1, 2009, 7:47 PM

                @Cry:

                No, it doesn't.

                Firewall rules are inbound on interfaces.  Squid runs on the host, hence if you can connect to it there are no rules to stop outbound access.  At no point are rules bypassed.  Your intentions might not be being met, but that's completely different.

                With these rules:
                case 'filter':
                    // one pass rule per interface on which the transparent proxy is enabled
                    foreach ($ifaces as $iface) {
                        $rules .= "# Setup squid pass rules for proxy\n";
                        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                    }
                although I check "Do NOT proxy Private Address Space (RFC 1918)" and although I block access in firewall rules, any computer can reach the HTTP server in the denied area…
                See http://forum.pfsense.org/index.php/topic,14607.0.html

                Thank

                  eri--
                  last edited by Mar 1, 2009, 11:22 PM

                  On 2.0 user rules are parsed before squid proxy rules or, as you say, squid does not bypass firewall rules.
                  I cannot see this changing on 1.2, in my opinion.

                    itsmorefun
                    last edited by Mar 2, 2009, 5:43 AM

                    @ermal:

                    On 2.0 user rules are parsed before squid proxy rules or as you say squid does not bypass firewall rules.
                    I cannot see this changing on 1.2 from my opinion.

                    These lines:
                    case 'filter':
                        // one pass rule per interface on which the transparent proxy is enabled
                        foreach ($ifaces as $iface) {
                            $rules .= "# Setup squid pass rules for proxy\n";
                            $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                        }
                    are in squid.inc

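jimp's pseudocode written out as pf rules, as an added example that is not code from this thread or from the pfSense squid package. The interface name em1, the proxy port 3128 and the network macros are assumptions, and the block assumes these hand-coded rules replace the package's generated rdr/pass pair for the LAN2 interface, since on 1.2 the package rules are evaluated ahead of the user's rules.

```pf
# Added example, not code from this thread or from the pfSense squid package.
# Assumptions: em1 = LAN2/OPT1 (172.17.0.0/16), LAN = 192.168.0.0/24,
# squid listening transparently on 127.0.0.1 port 3128. Section order follows
# pf.conf: macros, translation (rdr), then filter rules.
lan_net    = "192.168.0.0/24"
opt1_if    = "em1"
opt1_net   = "172.17.0.0/16"
squid_port = "3128"

# WEAK (shape of the package rule quoted in the thread, shown commented out):
# every port-80 SYN arriving on LAN2 is redirected to squid and passed by a
# rule that runs ahead of the user's rules on 1.2, so the LAN2 -> LAN deny
# is never consulted.
#   rdr on $opt1_if proto tcp from any to !($opt1_if) port 80 -> 127.0.0.1 port $squid_port
#   pass in quick on $opt1_if proto tcp from any to !($opt1_if) port 80 flags S/SA keep state

# HARDENED, after jimp's pseudocode:
# 1. Leave LAN2 -> LAN traffic untouched by the redirect. It reaches the
#    filter with its real destination, where the deny rule can match it.
rdr on $opt1_if proto tcp from $opt1_net to ! $lan_net port 80 -> 127.0.0.1 port $squid_port

# 2. The user's policy, placed before any proxy pass rule. 'quick' ends
#    evaluation here, so a later pass cannot override it.
block in quick on $opt1_if from $opt1_net to $lan_net

# 3. Pass only what rdr actually sent to the proxy. Filter rules see the
#    translated destination (127.0.0.1:3128), not "any address, port 80".
pass in quick on $opt1_if proto tcp from $opt1_net to 127.0.0.1 port $squid_port flags S/SA keep state

# Everything else from LAN2 is left to the remaining user rules.
```

Because rdr matches on the packet's destination address, a client that maps a made-up name to 192.168.0.5 in its hosts file still sends packets to 192.168.0.5, which are not redirected and are dropped by the block rule.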
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.