WPAD Block Port 80 Rule is blocking all of my traffic
-
It might be worth mentioning that when I manually input proxy settings and use the eicar test files clamAV works on http but NOT on http/s.
Before, when WPAD was working eicar worked on both.
-
Looks like you've done most of the troubleshooting.
I can download all three proxy files from my browser if I type in the address in the ip:port/filename.filetype
The proxy files appear to be the same as they were when they were working.
WPAD is working.
If I manually configure the proxy on a computer then the internet works again and going to lagado proxy check shows my traffic going through my squid proxy.
Squid is working, but you might want to mask the fact you're using a proxy by deleting the X-Forwarded header, disable the Via header and suppress the squid version.
My firewall log is full of blocks by the WPAD block port 80 rule though. I don't know why it started blocking all access all of a sudden?
This should be the case, minus the logging. When you are enforcing use of a proxy, you want to block off ports 80 and 443 so that smart users can't just go around the proxy. You don't want to log that much noise though, so you would disable the logging aspect of that rule.
It might be worth mentioning that when I manually input proxy settings and use the eicar test files clamAV works on http but NOT on http/s.
Strange. In explicit mode, if it's working then it's working. Usually working HTTP and broken HTTPS are a sign of a misconfigured squid in transparent mode.
Anything in cache.log (Services - Squid - Realtime)?
-
Is there a performance advantage to masking the fact that I'm using a proxy? I'm not worried about anyone attempting to bypass the proxy or being put off by its presence, I'm really looking for a proxy that functions in the background with minimal upkeep.
I'll go ahead and disable the logging. I only turned it on because I thought that rule was the problem.
I'll check cache log and post back momentarily.
Thank you very much for your response and input, I really appreciate and need the help!
-
Is there a performance advantage to masking the fact that I'm using a proxy?
None, but some sites can give you problems if they detect you're using a proxy server. It still works the same for you and they don't need to know, so I always mask it.
You say it doesn't work for HTTPS. Is there a specific error or behaviour?
-
I'm thinking I'm messing something up with my rules. I noticed that pfBlockerNG kept pushing its rules back to the top even if I moved my pass rules up top, saved and applied. So I went into pfBlockerNG and changed the rule order to put pass rules up top.
I posted screenshots of my LAN rules and my autoconfigured pfBNG NAT port forwarding rules. Are those port forwards redirecting my port 80 traffic to those ports instead of 3128? If so how should I fix this so both squid & pfBNG work?
I also posted the squid cache table, that looks weird too. It's blank with a bunch of erroneous dates. Maybe it's because it hasn't logged anything since my last reboot/recover from backup since squid is being bypassed?
For a little more detail, when I go to my LAN connection settings on a computer and switch it to manual config proxy and connect back to the internet (with WPAD reject port 80 rule enabled or disabled), the first page I open says "downloading proxy script" for a while, then loads the page if the reject port 80 rule is off and fails if the reject port rule is on. It will download the proxy script again if I switch from manual configuration back to auto configure.
Another general question that I have about WPAD. Once I get this back up and running again with port 80 rejected, if I reboot/recover pfsense and/or reset the state table will I have to reopen port 80 for the WPAD configuration file to be redistributed to all of the clients? I'm thinking no but I read something like that?
Thank you again for your time and help!
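The ordering question in the post above is easiest to see with a tiny first-match evaluator. This is an added example, not pfSense code and not the poster's rule set: pfSense evaluates interface rules top-down and the first matching rule wins, which is why a package pushing its rules to the top changes the outcome. The LAN subnet (192.168.1.0/24) and the proxy address (192.168.1.1:3128) come from the thread; the rule names, the "allow WPAD fetch" rule and the sample packets are assumptions made for the illustration. The point it demonstrates: a "block port 80 on LAN" rule whose destination is "any" also covers the firewall's own address, which is where the WPAD file is served from over plain HTTP.

```javascript
// Added example: first-match evaluator for LAN interface rules (not pfSense
// code). Rule set and packets are constructed; addresses follow the thread.

const LAN_NET = { net: "192.168.1.0", mask: "255.255.255.0" };

// Dotted-quad IPv4 to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inNet(ip, { net, mask }) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// A rule matches when source net, destination host and destination port all agree.
function matches(rule, pkt) {
  if (rule.src !== "any" && !inNet(pkt.src, rule.src)) return false;
  if (rule.dst !== "any" && pkt.dst !== rule.dst) return false;
  if (rule.ports !== "any" && !rule.ports.includes(pkt.dport)) return false;
  return true;
}

// Interface rules: top-down, first match wins; nothing matched means default deny.
function evaluate(rules, pkt) {
  for (const rule of rules) {
    if (matches(rule, pkt)) {
      return { action: rule.action, by: rule.name, log: rule.log === true };
    }
  }
  return { action: "block", by: "default deny", log: true };
}

// Assumed LAN rule set. The block rule has logging off, as suggested in the thread.
const LAN_RULES = [
  { name: "allow squid", action: "pass", src: LAN_NET, dst: "192.168.1.1", ports: [3128] },
  { name: "allow WPAD fetch from firewall", action: "pass", src: LAN_NET, dst: "192.168.1.1", ports: [80] },
  { name: "WPAD block port 80/443", action: "block", src: LAN_NET, dst: "any", ports: [80, 443], log: false },
  { name: "allow LAN other", action: "pass", src: LAN_NET, dst: "any", ports: "any" },
];

// Simulates a package re-inserting its rule at the top of the list.
function moveToTop(rules, name) {
  const picked = rules.filter((r) => r.name === name);
  return picked.concat(rules.filter((r) => r.name !== name));
}

function withoutRule(rules, name) {
  return rules.filter((r) => r.name !== name);
}

// Constructed packets: a WPAD file fetch, a direct web request, and a proxy request.
const WPAD_FETCH = { src: "192.168.1.50", dst: "192.168.1.1", dport: 80 };
const DIRECT_WEB = { src: "192.168.1.50", dst: "203.0.113.10", dport: 80 };
const TO_SQUID = { src: "192.168.1.50", dst: "192.168.1.1", dport: 3128 };

function demo() {
  return {
    wpadFetch: evaluate(LAN_RULES, WPAD_FETCH).action,                       // pass
    directWeb: evaluate(LAN_RULES, DIRECT_WEB).action,                       // block
    toSquid: evaluate(LAN_RULES, TO_SQUID).action,                           // pass
    wpadFetchBlockOnTop: evaluate(moveToTop(LAN_RULES, "WPAD block port 80/443"), WPAD_FETCH).action, // block
    wpadFetchNoException: evaluate(withoutRule(LAN_RULES, "allow WPAD fetch from firewall"), WPAD_FETCH).action, // block
  };
}

console.log(demo());
```

The two failing cases in `demo()` are the same packet, a client fetching wpad.dat from the firewall on port 80: it is allowed only while a more specific pass rule sits above the block rule. Moving the block to the top, or leaving the exception out, blocks the fetch, and the client then sits at "downloading proxy script".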
-
Just looking at my rules here I thought to change them up a bit and changed the source on a couple rules to my LAN net. Problem is still there though.
In this screenshot you can see that the reject 80 rule is disabled so that I can access the internet.
-
@KOM:
Is there a performance advantage to masking the fact that I'm using a proxy?
None, but some sites can give you problems if they detect you're using a proxy server. It still works the same for you and they don't need to know, so I always mask it.
You say it doesn't work for HTTPS. Is there a specific error or behaviour?
Thanks for that, once I get this back up and running I'll try masking the proxy!
And I don't see any errors for eicar in that instance. When I try to download the http test file, clamAV blocks it with the warning message, when I try to download the http/s file, it downloads successfully with no warning message.
-
…And I don't see any errors for eicar in that instance. When I try to download the http test file, clamAV blocks it with the warning message, when I try to download the http/s file, it downloads successfully with no warning message.
As I understand it that is correct behavior if you are not using MITM.
-
MitM should only be required if running a transparent proxy. I'm running an explicit proxy so it should filter http & http/s without any additional configuration. And it was working that way successfully for a while but stopped working, I just don't know why.
-
I would disable pfBlockerNG, Snort or any other packages that might affect you on this.
-
Unfortunately I have already tried that and nothing changes.
I changed up my firewall rules and disabled the allow LAN and anti lockout rules, added a floating block everything to everything rule then added a pass rule on LAN for ports I need open and simply didn't include 80 or 443 and did include 3218 in the rule. Now the internet works great without ports 80 or 443 (ran comprehensive nmap scan and they are indeed closed) but squid still doesn't show up on lagado, clamAV doesn't work and squid guard doesn't filter anything.
I really don't get it? Is squid just not working? The system shows that it is up and running.
-
Now the internet works great without ports 80 or 443 (ran comprehensive nmap scan and they are indeed closed)
Don't confuse WAN and LAN. Of course 80 and 443 will be blocked on WAN – that's normal. You want to block 80 and 443 on LAN to prevent people from not using the proxy.
Is squid just not working?
Probably. Playing with your firewall rules won't fix the actual base problem with squid. SSH in and run:
squid -k check
and see if your config file has any issues. Next, set a client to use the proxy and then run:
tail -f /var/squid/logs/access.log
to view the realtime log while some web activity is happening.
-
OK will do soon and report back.
For the nmap WAN v LAN, I ran nmap from a computer on my LAN and pointed it towards my pfsense box so shouldn't it be showing me the open ports that my LAN can see? It did report only ports that I had specifically opened on my LAN.
-
OK, squid -k check returns nothing. I have no idea what this is doing or what I'm expecting to see here? I tried it with both manual configuring proxy and WPAD.
I attached two .txt files showing the tail -f results. One file is with squid automatically detecting WPAD and lagado reporting it as not working (not much in there), the other is with squid manually configured and squid showing working (quite a bit in there). I went to multiple websites both http & http/s in both instances and went to eicar and downloaded sample files. Browser still shows the same behavior with squid working, http eicar is blocked with a warning but http/s eicar is downloaded.
[squid log WPAD configure squid shows NOT WORKING.txt](/public/imported_attachments/1/squid log WPAD configure squid shows NOT WORKING.txt)
[squid log manual configure squid shows WORKING.txt](/public/imported_attachments/1/squid log manual configure squid shows WORKING.txt)
-
According to your transparent logs, someone is trying to access http://192.168.1.1:22. This won't work with transparent mode. Transparent mode only supports intercepting ports 80 and 443. I think you can change that but it involves manually adding your own outbound NAT rules for every port you want to handle. Not fun.
You can see from the last 3-4 lines that it's working fine when you actually use a valid port.
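Reading the tail of access.log by eye works for a handful of lines; for longer captures a small parser makes the two questions in this thread easy to answer: which clients are actually reaching squid at all, and how much of their traffic is a CONNECT tunnel. This is an added example, not code from the thread or from squid. It parses squid's default native log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type); the sample lines, client addresses (192.168.1.x) and server addresses (203.0.113.x) are constructed.

```javascript
// Added example: parser and per-client summary for squid native access.log
// lines. The SAMPLE_ACCESS_LOG entries are constructed, not the poster's logs.

const SAMPLE_ACCESS_LOG = [
  "1500000000.101    120 192.168.1.50 TCP_MISS/200 5120 GET http://www.example.com/eicar.com.txt - HIER_DIRECT/203.0.113.10 text/plain",
  "1500000000.205   1500 192.168.1.50 TCP_TUNNEL/200 8192 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -",
  "1500000000.300     40 192.168.1.50 TCP_MISS/403 960 GET http://www.example.net/blocked - HIER_NONE/- text/html",
  "1500000000.410     10 192.168.1.51 TCP_DENIED/407 0 GET http://www.example.net/ - HIER_NONE/- text/html",
  "this line is not a squid record and must be skipped",
];

// CONNECT requests carry "host:port"; everything else is a full URL.
function hostFromUrl(method, url) {
  if (method === "CONNECT") return url.split(":")[0];
  try {
    return new URL(url).hostname;
  } catch (e) {
    return url;
  }
}

// Returns a record for a valid native-format line, or null for anything else.
function parseAccessLogLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10 || !/^\d+\.\d+$/.test(f[0])) return null;
  const m = /^([A-Z_]+)\/(\d{3})$/.exec(f[3]);
  if (!m) return null;
  return {
    time: Number(f[0]),
    elapsedMs: Number(f[1]),
    client: f[2],
    result: m[1],
    status: Number(m[2]),
    bytes: Number(f[4]),
    method: f[5],
    url: f[6],
    host: hostFromUrl(f[5], f[6]),
    // A CONNECT entry means squid only relayed an encrypted tunnel. Without
    // SSL bumping the ICAP/ClamAV path never sees the payload, so an HTTPS
    // test file passes through while the same file over HTTP is caught.
    tunnel: f[5] === "CONNECT",
  };
}

function summarizeAccessLog(lines) {
  const byClient = {};
  for (const line of lines) {
    const r = parseAccessLogLine(line);
    if (!r) continue;
    if (!byClient[r.client]) {
      byClient[r.client] = { requests: 0, tunnels: 0, denied: 0, hosts: new Set() };
    }
    const s = byClient[r.client];
    s.requests += 1;
    if (r.tunnel) s.tunnels += 1;
    if (r.status >= 400) s.denied += 1;
    s.hosts.add(r.host);
  }
  return byClient;
}

// A client that appears here is using the proxy. A client that never appears
// while browsing is not applying the PAC, whatever squid itself is doing.
function clientsSeen(lines) {
  return Object.keys(summarizeAccessLog(lines)).sort();
}

console.log(clientsSeen(SAMPLE_ACCESS_LOG));
for (const [client, s] of Object.entries(summarizeAccessLog(SAMPLE_ACCESS_LOG))) {
  console.log(client, "requests:", s.requests, "tunnels:", s.tunnels, "denied:", s.denied);
}
```

To use it on a real capture, replace the constructed array with the lines of /var/squid/logs/access.log (the path KOM gives above). The `tunnel` flag is the part worth looking at for the eicar question: every HTTPS download from an explicit proxy shows up as a CONNECT line, and those bytes are opaque to the content scanner unless squid is decrypting them.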
-
The :22 lines are me SSHing in, it's actually not on port 22 but I replaced my actual SSH port with 22 so I wouldn't be posting my SSH port online.
And I'm not running squid in transparent mode, it's setup in explicit mode with WPAD to auto configure.
-
I replaced my actual SSH port with 22 so I wouldn't be posting my SSH port online.
Don't bother. If it's accessible via WAN then it's probably being port-scanned 100 times a day anyway. Trust your security. If you're really paranoid then use 2-factor with a login and certificate.
OK, sorry for the confusion with your logs.
squid -k check returns nothing. I have no idea what this is doing or what I'm expecting to see here?
Geez, my brain is off today. Try:
squid -k parse
You should get a long list of output. Look for warnings or errors.
Are you running WebGUI in HTTP or HTTPS mode? Is pfSense the web server serving your WPAD files?
-
OK thanks, the results for that are attached.
I switched the WebGUI to http for WPAD, and pfSense is the server for the WPAD files.
[squid -k parse results.txt](/public/imported_attachments/1/squid -k parse results.txt)
-
There appear to be no problems with your squid configuration, according to your output.
-
Could it be something wrong with the way pfSense is serving up the WPAD files? Or the way I have it setup?
The proxy.pac is located in "/usr/local/www/proxy.pac" and is linked to a wpad.dat & wpad.da file in the same directory.
They all contain the basic configuration:
function FindProxyForURL(url,host)
{
    return "PROXY 192.168.1.1:3128";
}
It seems weird to me that traffic doesn't show up on squid when a computer is setup to autoconfigure, but it does when I point the computer to the pfSense box manually?
It also seems weird that clamAV doesn't work on http/s but does on http with an explicit proxy.
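The minimal PAC above sends everything, including requests to the firewall itself, to squid. The block below is an added example, not the poster's proxy.pac and not pfSense code: an extended version of that PAC that returns DIRECT for the firewall's own address, the LAN subnet and plain hostnames, plus a small loader that lets you run the text of whatever wpad.dat pfSense is serving through Node before clients pick it up. The PAC helper functions (isPlainHostName, isInNet, dnsDomainIs) are normally supplied by the browser's PAC engine; the shims here are simplified stand-ins so the logic can be tested offline (the real isInNet resolves hostnames, the shim only accepts literal IPv4). Addresses (192.168.1.0/24, proxy at 192.168.1.1:3128) come from the thread; the set of DIRECT exceptions and the ".localdomain" suffix are assumptions.

```javascript
// Added example: offline harness for PAC logic. Not the poster's file.
// Shims for the PAC helpers follow; browsers provide their own versions.

function isPlainHostName(host) {
  return !host.includes(".");
}

function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Dotted-quad IPv4 to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// Shim: the real isInNet() resolves a hostname first; offline we only accept
// literal IPv4 addresses and treat anything else as "not in net".
function isInNet(host, net, mask) {
  if (!IPV4_RE.test(host)) return false;
  const m = ipToInt(mask);
  return (ipToInt(host) & m) === (ipToInt(net) & m);
}

// Extended PAC. The firewall's own address and the rest of the LAN are reached
// DIRECT; everything else goes to squid. There is deliberately no "; DIRECT"
// fallback: with 80/443 blocked on LAN it could not work anyway, and it would
// let clients bypass the proxy whenever squid is down.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      host === "localhost" ||
      host === "192.168.1.1" ||
      isInNet(host, "192.168.1.0", "255.255.255.0") ||
      dnsDomainIs(host, ".localdomain")) {
    return "DIRECT";
  }
  return "PROXY 192.168.1.1:3128";
}

// Compile the text of a served wpad.dat / proxy.pac and return its
// FindProxyForURL bound to the shims, so the file pfSense actually serves
// can be exercised with sample URLs.
function loadPac(source) {
  const factory = new Function(
    "isPlainHostName", "isInNet", "dnsDomainIs",
    source + "\n;return FindProxyForURL;"
  );
  return factory(isPlainHostName, isInNet, dnsDomainIs);
}

// Constructed copy of the minimal PAC quoted in the thread.
const MINIMAL_PAC = `function FindProxyForURL(url,host)
{
  return "PROXY 192.168.1.1:3128";
}`;

function demo() {
  const minimal = loadPac(MINIMAL_PAC);
  return {
    minimalWpadFetch: minimal("http://192.168.1.1/wpad.dat", "192.168.1.1"),
    extendedWpadFetch: FindProxyForURL("http://192.168.1.1/wpad.dat", "192.168.1.1"),
    extendedExternal: FindProxyForURL("https://www.example.com/", "www.example.com"),
  };
}

console.log(demo());
```

Running `loadPac` on the served file is a cheap check that the three copies (proxy.pac, wpad.dat, wpad.da) really are the same text and parse as JavaScript; a PAC that throws or returns nothing makes the browser fall back to whatever its "no proxy" behaviour is, and that traffic then hits the port 80 block instead of squid.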