WPAD Block Port 80 Rule is blocking all of my traffic
-
Just looking at my rules here I thought to change them up a bit and changed the source on a couple rules to my LAN net. Problem is still there though.
In this screenshot you can see that the reject 80 rule is disabled so that I can access the internet.
 -
@KOM:
Is there a performance advantage to masking the fact that I'm using a proxy?
None, but some sites can give you problems if they detect you're using a proxy server. It still works the same for you and they don't need to know, so I always mask it.
You say it doesn't work for HTTPS. Is there a specific error or behaviour?
Thanks for that, once I get this back up and running I'll try masking the proxy!
And I don't see any errors for eicar in that instance. When I try to download the http test file, clamAV blocks it with the warning message, when I try to download the http/s file, it downloads successfully with no warning message.
-
…And I don't see any errors for eicar in that instance. When I try to download the http test file, clamAV blocks it with the warning message, when I try to download the http/s file, it downloads successfully with no warning message.
As I understand it that is correct behavior if you are not using MITM..
-
MitM should only be required if running a transparent proxy. I'm running an explicit proxy so it should filter http & http/s without any additional configuration. And it was working that way successfully for awhile but stopped working, I just don't know why.
-
I would disable pfBlockerNG, Snort or any other packages that might affect you on this.
-
Unfortunately I have already tried that and nothing changes.
I changed up my firewall rules and disabled the allow LAN and anti lockout rules, added a floating block everything to everything rule then added a pass rule on LAN for ports I need open and simply didn't include 80 or 443 and did include 3218 in the rule. Now the internet works great without ports 80 or 443 (ran comprehensive nmap scan and they are indeed closed) but squid still doesn't show up on lagado, clamAV doesn't work and squid guard doesn't filter anything.
I really don't get it? Is squid just not working? The system shows that it is up and running.
-
Now the internet works great without ports 80 or 443 (ran comprehensive nmap scan and they are indeed closed)
Don't confuse WAN and LAN. Of course 80 and 443 will be blocked on WAN – that's normal. You want to block 80 and 443 on LAN to prevent people from not using the proxy.
Is squid just not working?
Probably. Playing with your firewall rules won't fix the actual base problem with squid. SSH in and run:
squid -k checkand see if your config file has any issues. Next, set a client to use the proxy and then run:
tail -f /var/squid/logs/access.logto view the realtime log while some web activity is happening.
-
OK will do soon and report back.
For the nmap WAN v LAN, I ran nmap from a computer on my LAN and pointed it towards my pfsense box so shouldn't it be showing me the open ports that my LAN can see? It did report only ports that I had specifically opened on my LAN.
-
OK, squid -k check returns nothing. I have no idea what this is doing or what I'm expecting to see here? I tried it with both manual configuring proxy and WPAD.
I attached two .txt files showing the tail -f results. One file is with squid automatically detecting WPAD and lagado reporting it as not working (not much in there), the other is with squid manually configured and squid showing working (quite a bit in there). I went to multiple websites both http & http/s in both instances and went to eicar and downloaded sample files. Browser still shows the same behavior with squid working, http eicar is blocked with a warning but http/s eicar is downloaded.
[squid log WPAD configure squid shows NOT WORKING.txt](/public/imported_attachments/1/squid log WPAD configure squid shows NOT WORKING.txt)
[squid log manual configure squid shows WORKING.txt](/public/imported_attachments/1/squid log manual configure squid shows WORKING.txt) -
According to your transparent logs, someone is trying to access http://192.168.1.1:22. This won't work with transparent mode. Transparent mode only supports intercepting ports 80 and 443. I think you can change that but it involves manually adding your own outbound NAT rules for every port you want to handle. Not fun.
You can see from the last 3-4 lines that it's working fine when you actually use a valid port.
-
The :22 lines are me SSHing in, it's actually not on port 22 but I replaced my actual SSH port with 22 so I wouldn't be posting my SSH port online.
And I'm not running squid in transparent mode, it's setup in explicit mode with WPAD to auto configure.
-
I replaced my actual SSH port with 22 so I wouldn't be posting my SSH port online.
Don't bother. If it's accessible via WAN then it's probably being port-scanned a 100 times a day anyway. Trust your security. If you're really paranoid then use 2-factor with a loin and certificate.
OK, sorry for the confusion with your logs.
squid -k check returns nothing. I have no idea what this is doing or what I'm expecting to see here?
Geez, my brain is off today. Try:
squid -k parseYou should get a long list of output. Look for warnings or errors.
Are you running WebGUI in HTTP or HTTPS mode? Is pfSense the web server serving your WPAD files?
-
OK thanks, the results for that are attached.
I switched the WebGUI to http for WPAD, and pfSense is the server for the WPAD files.
[squid -k parse results.txt](/public/imported_attachments/1/squid -k parse results.txt)
-
There appear to be no problems with your squid configuration, according to your output.
-
Could it be something wrong with the way pfSense is serving up the WPAD files? Or the way I have it setup?
The proxy.pac is located in "/usr/local/www/proxy.pac" and is linked to a wpad.dat & wpad.da file in the same directory.
They all contain the basic configuration:
function FindProxyForURL(url,host)
{
return "PROXY 192.168.1.1:3128";
}It seems weird to me that traffic doesn't show up on squid when a computer is setup to autoconfigure, but it does when I point the computer to the pfSense box manually?
It also seems weird that clamAV doesn't work on http/s but does on http with an explicit proxy.
-
Looks like you're doing everything right. I don't know why it doesn't work for you. I don't run AV on the firewall – too slow and I suspect the defs aren't as up to date as a commercial provider. Get ClamAV off the firewall and use a decent client AV package, if required.
-
I'll do that, it does allow things down. Right now I'm using it as an easy way to see if I'm under squids umbrella.
Do you know if there's any way for me to check pfsense's file server?
-
Do you know if there's any way for me to check pfsense's file server?
Eh, what?
Maybe this might be the issue?
http://kb.k12usa.com/Knowledgebase/Proxy-Auto-Detect-WPAD-Issues-With-IE-Windows-7
-
I'll look into that but I'm getting the same results across several OS's.
I was just wondering if there was a way for me to see what's happening when a client requests a WPAD or proxy file from the pfsense box.
-
I was just wondering if there was a way for me to see what's happening when a client requests a WPAD or proxy file from the pfsense box.
Go to console and look at /var/log/nginx.log and nginx-error.log.
