Firewall rules and squid



  • I have several IPs that are in an alias called Blacklist, and I have rules set up on each of the interfaces to reject traffic from those IPs.

    This works on all of the subnets except where squid is configured to act as a transparent proxy. On those interfaces, users can access websites on any IP that is blacklisted.

    Any suggestions?

    I'm aware that I can block IPs from within squid, but that's not what I'm looking for.



  • Try unchecking the "Allow users on interface" box, then add each subnet that should be able to use the proxy to the 'Allowed Subnets' box.  I think this is still what you're talking about, as the subnets box relates to 'from' and the black/whitelist boxes are more like destinations.  Does non-http traffic still get blocked when originating from your 'blacklist' alias?



  • That did the trick!

    Here's the description of that checkbox:

    If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.

    Apparently it is not just a shortcut.



  • Correction: after unchecking "allow users on interface" and listing the subnets in "allow subnets", no traffic actually goes through the proxy server. The squid logs are completely empty.



  • @JustinHoMi:

    Correction: after unchecking "allow users on interface" and listing the subnets in "allow subnets", no traffic actually goes through the proxy server. The squid logs are completely empty.

    Hi, yes, same situation here. Any ideas?



  • Do you still see the effects of your white/black lists/allowed subnets etc.?  If so, squid is working, just perhaps not logging or logging to a different location.



  • No, they do not work. This would also explain why the bandwidth throttling wasn't working a few days ago.

    Since no firewall rules are working over http, I'd consider this a very serious security concern!



  • Who is the squid maintainer? I'm alarmed that this hasn't been addressed.



  • Anybody?



  • I guess I don't see the big issue.  You say:

    Since no firewall rules are working over http, I'd consider this a very serious security concern!

    but our firewall rules work great.  If you are talking about outbound rules, the squid service needs to have open http access to the outside world to function properly.  I guess I just need something of an example for my own peace of mind…I reread all the posts here and just want to fully understand.



  • In summary, if you have a firewall rule that is blocking inbound/outbound access to a specific IP, then the rule will be ignored for port 80.

    Example security issue, using snort & squid:

    -You browse to a website that has a virus
    -Snort detects the virus and adds a firewall rule to block the IP
    -Snort rule is rendered ineffective due to squid bug
    -Client gets virus

    Of course, this issue is not isolated to snort.



  • The alias only works on the red fields in the firewall rules.  Squid, being a module added to the base firewall, does not recognize the aliases, so you will have to manually input the IPs from your alias into the banned IPs field in the proxy server configuration.  Maybe we could ask the package maintainer to add recognition of aliases into the squid rules.

    Regarding the allowed subnets subject i have found the following by experimentation:

    There is a conflict between the "allowed subnets" setting in the access control and the "allow users on interface" option in general settings.  The way squid.inc was coded, if the "allow users on interface" option is not checked then the allowed subnets are ignored.  If you take a look at the squid.conf file generated after a save, you will see the "acl allowed_subnets xxxxxx/mm" line, which indicates that the acl rule was generated, but you won't find the corresponding "http_access allow" rule unless the "allow users on interface" option is checked.

    In my view the two options should be separated, that is, "allowed subnets" should generate its own http_access allow rule in squid.conf and not.  In our case, for example, we have divided our LAN into several subnets; some of them have browsing rights and others don't.  If we leave the "allow users on interface" option checked then all users will have access.

    I have added code to the squid.inc file to separate the two options.  How do I submit that request for change?

    Regards,
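Added example (mine, not code from the thread, from pfSense or from the squid package): a small Python check that reproduces the symptom described in the post above on a constructed squid.conf. It lists acl names that no http_access line ever references (the acl is rendered, so the GUI setting looks applied, but Squid never consults it) and inserts the missing "http_access allow" before the closing "deny all". The sample config, the subnet values and the function names are assumptions for illustration.

```python
"""Added example: lint a generated squid.conf for acl names that no http_access
line references, then add the missing allow. Not pfSense or squid package code."""

# Constructed sample (not real pfSense output): "Allow users on interface" is
# unchecked and two subnets were typed into "Allowed Subnets". The
# allowed_subnets acl is rendered, but nothing grants it access, so those
# clients fall through to "deny all".
GENERATED_CONF = """\
http_port 127.0.0.1:3128 transparent
acl localnet src 192.168.1.0/24
acl allowed_subnets src 10.0.1.0/24 10.0.2.0/24
acl banned_hosts src 10.0.9.5
http_access deny banned_hosts
http_access allow localnet
http_access deny all
"""


def parse_acls(conf):
    """Map acl name -> (acl type, argument list) for every 'acl' line."""
    acls = {}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls


def http_access_rules(conf):
    """List of (action, [acl names with any leading '!' removed]) in file order."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], [name.lstrip("!") for name in parts[2:]]))
    return rules


def unreferenced_acls(conf):
    """acl names that are defined but never used by any http_access rule."""
    defined = set(parse_acls(conf))
    used = {name for _, names in http_access_rules(conf) for name in names}
    return sorted(defined - used)


def add_missing_allows(conf):
    """Return conf with 'http_access allow <name>' added for each unreferenced
    src acl, placed before the last 'http_access deny all': http_access is
    first-match, so anything after a deny all is never reached."""
    acls = parse_acls(conf)
    missing = [n for n in unreferenced_acls(conf) if acls[n][0] == "src"]
    lines = conf.splitlines()
    deny_all = [i for i, l in enumerate(lines)
                if l.split("#", 1)[0].split() == ["http_access", "deny", "all"]]
    if not deny_all:
        raise ValueError("no 'http_access deny all' line to anchor on")
    at = deny_all[-1]
    for name in missing:
        lines.insert(at, f"http_access allow {name}")
        at += 1
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("ignored acls:", unreferenced_acls(GENERATED_CONF))
    print(add_missing_allows(GENERATED_CONF))
```

Run it against the squid.conf the package actually writes on your box (after a save) instead of the constructed sample; an acl that shows up in the "ignored" list is a setting the GUI accepted but Squid is not enforcing.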



  • The alias only works on the red fields in the firewall rules.  Squid, being a module added to the base firewall, does not recognize the aliases, so you will have to manually input the IPs from your alias into the banned IPs field in the proxy server configuration.  Maybe we could ask the package maintainer to add recognition of aliases into the squid rules.

    I don't quite understand that. Shouldn't the firewall drop traffic before it ever gets to squid? Isn't that the purpose of the firewall, to inspect traffic before it gets to the application?

    It seems to me that it is more likely that the firewall rules added for transparent proxy operation are just at too high of a priority in the chain.

    That said, I'm not really familiar with pf… most of my experience is with iptables.



  • When you activate squid, it's understood that squid will take care of all the traffic going to the proxy port (3128 by default for squid).  The order of daemons looking at network traffic is squid->pf.

    I understand your point of view that pf should look at the traffic incoming from the LAN and then pass it to the proxy. But this would put the proxy looking at the WAN interface directly and not protected.  No packet filter (pf, iptables) is built into the kernel so as to intercept incoming traffic, pass it to an application and receive traffic from that application before sending it out to the WAN. For that to happen you would have to incorporate the packet filter into the kernel or network card drivers.

    Again, the best bet will be to have the squid package developer modify the package so it can work with the firewall alias declarations so you can add them to the banned hosts list in the proxy configuration.



  • It seems like a bad idea to allow applications to take precedence over the firewall rules.

    If this is how pfSense works then I may change firewalls…



  • I think the bottom line is that none of us are really playing 'by the book' by running a proxy (or any other package/application) on the firewall.  The best idea is to separate into two (or more) boxes.



  • The purpose of a proxy is that you don't have to go out on the network.  It's a cache. So why pass a packet to the firewall if that packet will not go out because it's being served from the cache?  The purpose of the firewall is to check packets that go in/out from/to the trusted to the non-trusted network.

    Did you change firewall?



  • Same problem  :(

    If the transparent proxy is active then port 80 cannot be blocked for any IP group…

    Please help...



  • Squid transparent rules have priority before user-defined firewall rules.
    You can use squid package options for managing http access.
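Added example, not code from the thread, from pfSense or from the squid package, for the point made in this reply and in the earlier discussion of the redirect running before the user rules: once port 80 is redirected into Squid, a destination block has to be expressed in Squid's http_access (or the redirect has to exempt the blacklist so those packets reach the ordinary filter rules). The snippet renders both fragments and evaluates http_access the first-match way Squid does, to show that a deny placed after the allow silently does nothing. The addresses, interface name, table name and the hand-written pf syntax are assumptions; pfSense renders its own rules.

```python
"""Added example: Squid-side blacklist with correct http_access ordering, plus a
pf rdr that exempts blacklisted destinations. Not pfSense or squid package code."""
import ipaddress

BLACKLIST = ["203.0.113.10", "198.51.100.0/24"]   # constructed (TEST-NET ranges)
ALLOWED_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]   # constructed LAN subnets

# acl name -> (type, networks); mirrors what 'acl <name> src|dst ...' declares.
ACLS = {
    "blacklist": ("dst", BLACKLIST),
    "allowed_subnets": ("src", ALLOWED_SUBNETS),
}
# http_access lines as (action, acl names). The deny has to come first.
RIGHT_ORDER = [("deny", ["blacklist"]), ("allow", ["allowed_subnets"]), ("deny", ["all"])]
WRONG_ORDER = [("allow", ["allowed_subnets"]), ("deny", ["blacklist"]), ("deny", ["all"])]


def http_access_decision(acls, rules, src, dst):
    """First-match evaluation, the way Squid applies http_access: every acl on a
    line must match (a leading '!' negates), 'all' always matches, and if no
    line matches Squid uses the opposite of the last line's action."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def matches(token):
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name == "all":
            hit = True
        else:
            kind, nets = acls[name]
            ip = src_ip if kind == "src" else dst_ip
            hit = any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
        return hit != negate

    for action, names in rules:
        if all(matches(n) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def squid_fragment(acls, rules):
    """Render the acl and http_access lines from the structures above."""
    out = [f"acl {name} {kind} {' '.join(nets)}" for name, (kind, nets) in acls.items()]
    out += [f"http_access {action} {' '.join(names)}" for action, names in rules]
    return "\n".join(out) + "\n"


def pf_rdr_fragment(iface, blacklist, proxy_port=3128):
    """Hand-written pf (assumed syntax, not what pfSense renders): redirect port
    80 into Squid except when the destination is in the Blacklist table, so
    those packets fall through to the normal filter rules instead of the proxy."""
    return "\n".join([
        "table <Blacklist> { " + ", ".join(blacklist) + " }",
        f"rdr on {iface} proto tcp from any to ! <Blacklist> port 80 "
        f"-> 127.0.0.1 port {proxy_port}",
        f"block return in quick on {iface} proto tcp from any to <Blacklist>",
    ]) + "\n"


if __name__ == "__main__":
    print(squid_fragment(ACLS, RIGHT_ORDER))
    print(pf_rdr_fragment("em0", BLACKLIST))
    for label, rules in (("deny before allow", RIGHT_ORDER),
                         ("allow before deny", WRONG_ORDER)):
        print(label, "->",
              http_access_decision(ACLS, rules, "10.0.1.5", "203.0.113.10"))
```

The evaluator is the part worth keeping: with the same two acls, a client in an allowed subnet reaching a blacklisted address is denied under RIGHT_ORDER and allowed under WRONG_ORDER, which is exactly the kind of silent hole the thread is worried about. After changing the proxy settings, confirm the rendered rules with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules) rather than trusting the GUI.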

