Bumping this as I am experiencing the exact same issue with the exact same behavior. I have even tried putting a transparent bypass for 127.0.0.1 as the source and destination, the hostname of the firewall, and the firewall's own public address as a source with no success.

@tinfoilmatt Here you go

https://forum.netgate.com/topic/195860/mnt-folder-question

To quote: @stephenw10

"Jan 6, 2025 at 5:43 AM I would still use a custom location to be sure. I can't find anything off hand but if would conflict with anything that did.

I'm pretty sure the efi partition is mounted there to test at upgrade for example."

Update: Set your SSH on the wpad to only allow access during business hours. This can be done with the PAM

edit the following file

/etc/security/time.conf

add:

sshd;*;*;AL0500-2300

Meaning I can only access ssh into my wpad durring 5-2300

After adapt /etc/ssh/sshd_config

make sure your listenaddress is the ip of the wpad set your AllowUsers to your login

Example

Port 8085 #change port if needed AddressFamily inet #ipv4 only ListenAddress 192.168.1.6 #address of wpad AllowUsers Jonathan@192.168.1.* # any device that is 192.168.1.X

Change

PermitRootLogin no #no ssh login for root UsePam yes # turn on pam for use with time restrictions

after adapt
/etc/passwd

for added security also change your login to use the shell rbash and lock down the wad.

Also if you use ipv6 and ipv4 you will have a race condition and sshd will not start on reboots you must also adapt

sudo -i systemctl edit --full sshd.service

under [unit] add

Requires=network-only.target After=network-only.taget

This will only start sshd once the network target is running in my example 192.168.1.6 I also have ipv6 running so it would cause issues unless I changed this. If you do not use ipv4 forget about this.

@michmoor
Yes, it works for them, unfortunately only there :(

@JonathanLee tls 1.3 has been used for quite some time.. Any time I bother to look at the connection to pretty much anything its tls 1.3.. This connection to the forums is using tls 1.3

ensi is dead but long live ech, that could be problematic I would bet..

But again I don't do any sort of mitm, its not good practice - I want my ssl/tls to be end to end.. As the internet gods intended it to be ;)

I have no need or desire to run a proxy.. If I want to block someting I would filter on IP or DNS.. Yes I block the bane of filtering doh and dot.

I run a reverse proxy, but not as a filtering method or as a way to do mitm.. But as a way to offload the ssl connection because the actual services have no ssl support at all, or are a pain to setup. These connections are tls 1.3.. And I don't even allow 1.2, if your not using 1.3 then your not accessing it. And use strict sni - so if you don't send the valid sni your not being proxied in either. This keeps rando port scanners from being able to actually get to the sites interface.

And I block most of the known scanners from talking to any of my forwards anyway, and only allow access into my forwards if your coming from US IP, etc.

So generation 2 proxy technology can help if its built right...

@lg1980 said in New Squid 6.7 and Clamav 1.3.0:

https://git.labexposed.com/lgcosta/gists/src/branch/main/squid-6x

Hi

I hope you are doing well.

I have reinstall pfsense OS ,i need to reconfigure squid Proxy, I am unable to download pakage from above github link.Can you share the new repo link.

@mcury I also had to disable some ethernet rules that all the sudden showed a lot of activity

Screenshot 2023-12-16 at 8.38.44 AM.png

Store ID program:

I am using the built in program attached here..
/usr/local/libexec/squid/storeid_file_rewrite

#!/usr/local/bin/perl use strict; use warnings; use Pod::Usage; =pod =head1 NAME storeid_file_rewrite - File based Store-ID helper for Squid =head1 SYNOPSIS storeid_file_rewrite filepath =head1 DESCRIPTION This program acts as a store_id helper program, rewriting URLs passed by Squid into storage-ids that can be used to achieve better caching for websites that use different URLs for the same content. It takes a text file with two tab separated columns. Column 1: Regular expression to match against the URL Column 2: Rewrite rule to generate a Store-ID Eg: ^http:\/\/[^\.]+\.dl\.sourceforge\.net\/(.*) http://dl.sourceforge.net.squid.internal/$1 Rewrite rules are matched in the same order as they appear in the rules file. So for best performance, sort it in order of frequency of occurrence. This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately. It may be used with any value 0 or above for the store_id_children concurrency= parameter. =head1 OPTIONS The only command line parameter this helper takes is the regex rules file name. =head1 AUTHOR This program and documentation was written by I<Alan Mizrahi <alan@mizrahi.com.ve>> Based on prior work by I<Eliezer Croitoru <eliezer@ngtech.co.il>> =head1 COPYRIGHT * Copyright (C) 1996-2023 The Squid Software Foundation and contributors * * Squid software is distributed under GPLv2+ license and includes * contributions from numerous individuals and organizations. * Please see the COPYING and CONTRIBUTORS files for details. Copyright (C) 2013 Alan Mizrahi <alan@mizrahi.com.ve> Based on code from Eliezer Croitoru <eliezer@ngtech.co.il> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. =head1 QUESTIONS Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@lists.squid-cache.org>> =head1 REPORTING BUGS Bug reports need to be made in English. See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. Report bugs or bug fixes using http://bugs.squid-cache.org/ Report serious security bugs to I<Squid Bugs <squid-bugs@lists.squid-cache.org>> Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@lists.squid-cache.org>> =head1 SEE ALSO squid (8), GPL (7), The Squid wiki http://wiki.squid-cache.org/Features/StoreID The Squid Configuration Manual http://www.squid-cache.org/Doc/config/ =cut my @rules; # array of [regex, replacement string] die "Usage: $0 <rewrite-file>\n" unless $#ARGV == 0; # read config file open RULES, $ARGV[0] or die "Error opening $ARGV[0]: $!"; while (<RULES>) { chomp; next if /^\s*#?$/; if (/^\s*([^\t]+?)\s*\t+\s*([^\t]+?)\s*$/) { push(@rules, [qr/$1/, $2]); } else { print STDERR "$0: Parse error in $ARGV[0] (line $.)\n"; } } close RULES; $|=1; # read urls from squid and do the replacement URL: while (<STDIN>) { chomp; last if $_ eq 'quit'; my $channel = ""; if (s/^(\d+\s+)//o) { $channel = $1; } foreach my $rule (@rules) { if (my @match = /$rule->[0]/) { $_ = $rule->[1]; for (my $i=1; $i<=scalar(@match); $i++) { s/\$$i/$match[$i-1]/g; } print $channel, "OK store-id=$_\n"; next URL; } } print $channel, "ERR\n"; }

Could it be set flags SYN ACK ? and or state type keep or sloppy ?

@mcury Thanks for the information

@JonathanLee said in StoreID and Squid "helper program":

Does anyone work with Store ID?

Unfortunately no, I didn't.. splice all with cache disabled for me.
Squid/Squidguard was just to filter SNI header..

@jimp thanks for looking into this. I will use that URL for future items. I did not know about that other URL until today.

Добрый
@ao_kalachev
В баг-репорт смотрели ? Может там чего есть на эту тему.

@JonathanLee Thanks Jonathan!