Egress filtering + squid gives me issues
-
Hi everyone,
Yesterday I wanted to install and run the Squid transparent proxy. Download, install, setup was straightforward. Nice, thanks for that.
Problem is that my outbound filtering is giving me some issues. My setup: SOHO situation.
1 network: 192.168.1.0/24
lan => pfsense => internet
wlan => cisco ap => pfsense => internet
My wireless devices (tablet, phones) are encountering some issues: apps not working properly, no music streaming, not able to get on the Internet.
In my firewall logs I see the following: see image. 192.168.1.102 is my AP. 3128 is the default port Squid is using. I could just make a rule allowing this traffic, but I also want to understand. And maybe my Squid config is wrong, making it needless to tweak my firewall rules?
Squid config has been kept quite default. I enabled a few things like 'Squid proxy', 'Transparent HTTP proxy' and 'Access logging'. Didn't touch the ACLs tab. I think that may be the problem?
As a workaround I disabled egress filtering and everything is working fine.
Thanks for your help.
-
What do your firewall rules look like, since you mentioned egress? Or are you actually trying to apply rate limiters to limit bandwidth to clients?
-
My egress list is quite long. But I understand this can help for troubleshooting. Thing is that despite my egress rules, all worked just fine before installing Squid. I didn't change my egress rules.
No limiters for the bandwidth. Why egress? Because I read in many places that it's not good enough to leave your firewall in default config (block everything coming from outside, let everything pass that's coming from the inside). In addition to this, it's good to learn things and to know your network. Don't hesitate to argue if I am wrong.
Meanwhile I set a rule for the blocked localhost traffic on port 3128 and activated egress filtering again. All seems to work, but I still don't know why this happened. If I can find out I'll update the post.
Screenshot is just a snippet of my egress rules (but an important part). If someone sees something really stupid, then please shout!
-
Curious, why would you allow DNS to the outside world when it should be your firewall performing DNS? This would block any machine that has been taken over with some form of a DNS Hijacker on it from getting to a rogue DNS. Maybe consider blocking it instead?
Also, I am pretty sure you will have to add 3128/80 to the LAN interface at a minimum since you aren't using default allow all rules. I never have actually gone as far as blocking all outgoing and whitelisting only specified ranges.
-
The DNS rule is there because I probably saw it blocked in my logs. In fact my pfSense is a 'forwarder'. My DNS settings are set to use OpenDNS. And some machines use 8.8.8.8. So I need this rule, right? Well, let's test :-). I'll change it tonight (just disable the rule) and check if I get issues. If not, I'll leave it disabled.
For your second point, indeed, I also think this is needed. So I'll make the change too. Thanks for your help.
-
I checked my own documentation again. About that DNS rule, I probably followed these topics:
https://forum.pfsense.org/index.php?topic=68812.msg376386#msg376386
https://www.brandenwilliams.com/blog/2010/05/06/what-egress-filters-should-i-use/
-
Update: Like I thought, disabling dns rule had an immediate impact on the network.
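As an added example, not taken from any post in this thread and not the pfSense or Squid project's own code, here is a small Python model of first-match filter rules on the LAN interface. It shows the two effects discussed above: why a whitelist-style egress ruleset that worked before starts blocking HTTP once the transparent proxy is enabled (the filter no longer sees port 80 to the Internet, it sees a redirected flow to the local Squid on 3128), and why a client hard-coded to 8.8.8.8 loses name resolution as soon as the "DNS to anywhere" rule is disabled. It assumes, as the "localhost on 3128" log entries in the first post suggest, that the Squid package's transparent-proxy redirect rewrites LAN TCP/80 to 127.0.0.1:3128 and that the filter evaluates the post-redirect destination; the rules, addresses and flows are all constructed for the example.

```python
"""
Model of pfSense-style first-match filter rules on the LAN interface.
Everything here (rules, addresses, flows) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LAN = "192.168.1.0/24"

# Assumption (not stated in the thread): the Squid package's transparent
# proxy installs a NAT redirect of LAN TCP/80 to 127.0.0.1:3128, and the
# LAN filter rules are evaluated against the redirected destination.
PROXY_IP = "127.0.0.1"
PROXY_PORT = 3128


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None matches any destination port
    note: str


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def egress_rules(allow_proxy: bool, allow_dns: bool) -> List[Rule]:
    """A whitelist egress ruleset of the kind described in the thread."""
    rules: List[Rule] = []
    if allow_proxy:   # the rule the OP added after seeing the 3128 blocks
        rules.append(Rule("pass", "tcp", LAN, f"{PROXY_IP}/32", PROXY_PORT, "LAN -> local Squid"))
    if allow_dns:     # the "DNS to anywhere" rule that was later disabled
        rules.append(Rule("pass", "udp", LAN, "0.0.0.0/0", 53, "LAN -> any DNS"))
    rules += [
        Rule("pass", "udp", LAN, "192.168.1.1/32", 53, "LAN -> firewall DNS forwarder"),
        Rule("pass", "tcp", LAN, "0.0.0.0/0", 80, "LAN -> any HTTP"),
        Rule("pass", "tcp", LAN, "0.0.0.0/0", 443, "LAN -> any HTTPS"),
        Rule("block", "any", "0.0.0.0/0", "0.0.0.0/0", None, "default deny (egress filtering)"),
    ]
    return rules


def transparent_redirect(flow: Flow) -> Flow:
    """How a client's HTTP flow looks to the filter once the redirect is active."""
    if flow.proto == "tcp" and flow.dport == 80:
        return Flow("tcp", flow.src, PROXY_IP, PROXY_PORT)
    return flow


def first_match(rules: List[Rule], flow: Flow) -> Rule:
    """First matching rule wins (pfSense rules are evaluated 'quick')."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if src not in ipaddress.ip_network(r.src) or dst not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r
    raise ValueError("ruleset has no catch-all rule")


def decide(flow: Flow, transparent_proxy: bool, allow_proxy: bool, allow_dns: bool) -> str:
    """Return '<action>: <note>' for the rule that decides this flow."""
    seen = transparent_redirect(flow) if transparent_proxy else flow
    r = first_match(egress_rules(allow_proxy, allow_dns), seen)
    return f"{r.action}: {r.note}"


if __name__ == "__main__":
    # Constructed flows: a wireless client browsing, and a box using 8.8.8.8.
    http = Flow("tcp", "192.168.1.120", "203.0.113.10", 80)
    dns8 = Flow("udp", "192.168.1.50", "8.8.8.8", 53)
    print(decide(http, transparent_proxy=False, allow_proxy=False, allow_dns=True))
    print(decide(http, transparent_proxy=True, allow_proxy=False, allow_dns=True))
    print(decide(http, transparent_proxy=True, allow_proxy=True, allow_dns=True))
    print(decide(dns8, transparent_proxy=True, allow_proxy=True, allow_dns=False))
```

The same HTTP flow passes on the "LAN -> any HTTP" rule before the proxy is enabled and hits the default deny afterwards, because the filter now sees 127.0.0.1:3128 rather than port 80; adding the 3128 rule restores it. Disabling the broad DNS rule only affects hosts that bypass the firewall's forwarder, which is exactly what the last post reports.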