Netgate Discussion Forum
    Squid blocking app's web socket to 127.0.0.1?

    Category: Cache/Proxy
    11 Posts 3 Posters 22.0k Views
    • AR15USR

      Bump..


      2.6.0-RELEASE

      • aGeekhere

        What are your firewall rules? It looks like it is getting blocked by a rule. Are you forcing your router to be the DNS server? Does this program use a DNS server other than your server?

        Never Fear, A Geek is Here!

        • AR15USR

          Screenshots attached. FYI, I didn't add the block 80-443 rule because I have a machine that needs to bypass the proxy.

          [Screenshots ScreenShot-01.png to ScreenShot-07.png attached]


          2.6.0-RELEASE

          • Nachtfalke

            Depends on what squid mode you are using.

            transparent mode - then just add 127.0.0.1 to "bypass proxy for these destination IP"
            non-transparent mode - then add this IP address 127.0.0.1 to your PROXY.PAC file or configure your browser to bypass this destination IP address.

            • AR15USR

              @Nachtfalke:

              non-transparent mode - then add this IP address 127.0.0.1 to your PROXY.PAC file or configure your browser to bypass this destination IP address.

              What code exactly do I use for that?
              Here is what I currently have:

              function FindProxyForURL(url, host)
              {
                  // Plain names, *.local and the 192.168.1.0/24 LAN go direct
                  if (isPlainHostName(host) ||
                      shExpMatch(host, "*.local") ||
                      isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
                      return "DIRECT";

                  // The second LAN subnet also goes direct
                  if (isInNet(dnsResolve(host), "192.168.2.0", "255.255.255.0"))
                      return "DIRECT";

                  // Everything else goes through Squid
                  return "PROXY 192.168.1.1:3128";
              }


              2.6.0-RELEASE

              • Nachtfalke

                This could help:

                
                    // Loopback, RFC 1918, link-local and class E destinations bypass the proxy
                    if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
                        isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
                        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
                        isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
                        isInNet(dnsResolve(host), "240.0.0.0", "240.0.0.0") ||
                        isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0"))
                    {
                        return "DIRECT";
                    }
                
                

                or

                
                    // Name-based bypass: no DNS lookup needed
                    if (shExpMatch(host, "*.local") ||
                        shExpMatch(host, "*.localhost") ||
                        shExpMatch(host, "127.0.0.1"))
                    {
                        return "DIRECT";
                    }
                
                

                And I would always use this on top:

                
                // Normalize the URL and host for pattern matching
                url = url.toLowerCase();
                host = host.toLowerCase();
                
                
                • AR15USR
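Putting the pieces of this thread together, here is a complete PAC file that sends loopback, `*.local`/`*.localhost` and private-range destinations DIRECT and everything else to the Squid proxy at 192.168.1.1:3128 (the proxy address from the original poster's file). This is an added example, not code from the thread. A browser supplies isPlainHostName, shExpMatch, dnsResolve and isInNet itself; the emulations below exist only so the file can be run under Node, and FAKE_DNS is a constructed lookup table standing in for the resolver.

```javascript
// Added example (not code from the thread): a complete PAC file with
// loopback/private-range bypass, plus Node-side emulations of the PAC
// built-ins so it can be exercised offline. FAKE_DNS is constructed data.

const FAKE_DNS = {                       // constructed test data, not a real zone
  "intranet.local": "192.168.1.20",
  "printer.corp": "10.0.5.9",
  "app.localhost": "127.0.0.1",
  "public.example": "203.0.113.10",      // TEST-NET-3 address, i.e. "the internet"
};

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;  // IPv4 literal resolves to itself
  return FAKE_DNS[host] || null;                          // browsers return null on failure
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(ip, pattern, mask) {
  if (!ip) return false;                 // dnsResolve() failed: never treat as "inside"
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

function shExpMatch(str, shexp) {
  // Shell-style glob: '*' matches any run, '?' one character, the rest is literal
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;       // no dots: an unqualified LAN name
}

// This is the part that would go into the PAC file served by pfSense.
function FindProxyForURL(url, host) {
  // Normalise first so the pattern checks below are case-insensitive
  url = url.toLowerCase();
  host = host.toLowerCase();

  // Name-based bypass needs no DNS round trip, so test it first
  if (isPlainHostName(host) ||
      host === "localhost" ||
      host === "127.0.0.1" ||
      shExpMatch(host, "*.local") ||
      shExpMatch(host, "*.localhost"))
    return "DIRECT";

  // Address-based bypass: resolve once, then compare against loopback,
  // RFC 1918 and link-local ranges. An unresolvable name yields null,
  // isInNet() returns false for it and the request falls through to Squid.
  var ip = dnsResolve(host);
  if (isInNet(ip, "127.0.0.0", "255.0.0.0") ||
      isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(ip, "169.254.0.0", "255.255.0.0"))
    return "DIRECT";

  return "PROXY 192.168.1.1:3128";
}
```

Two differences from the snippets above are deliberate: dnsResolve() is called once per request instead of once per range, which matters because every failed lookup blocks the browser until it times out, and the name-based checks run before any lookup so that a websocket to 127.0.0.1 or app.localhost never touches DNS at all. Only FindProxyForURL belongs in the PAC file; use `var` there rather than `const`, since some PAC engines predate ES6.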

                  @Nachtfalke:

                  (quoting the bypass snippets and the normalization lines from the post above)
                  
                  

                  Thanks Nachtfalke, this seems to have worked. I don't see it in my Squid logs anymore. I still see it in the firewall logs, but it's not being blocked now.


                  2.6.0-RELEASE

                  • AR15USR

                    OK, so it's been a couple of months and this is still working great, except for the firewall log entries. They are taking up about 50% of my log at this point. Do you know how to stop the logging of it?

                    Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:64605	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:64605	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:44799	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:44799	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:11717	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:11717	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:4938	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:4938	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:27865	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:27865	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:15276	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:15276	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:61394	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:61394	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:63615	  127.0.0.1:53	UDP
                    Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:63615	  127.0.0.1:53	UDP
                    Sep 2 05:45:02	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:58802	  127.0.0.1:53	UDP
                    Sep 2 05:45:02	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:58802	  127.0.0.1:53	UDP
                    Sep 2 05:45:02	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:1871	  127.0.0.1:53	UDP
                    Sep 2 05:45:02	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:1871	  127.0.0.1:53	UDP
                    

                    2.6.0-RELEASE

                    • Nachtfalke
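Before changing a logging setting it helps to know exactly how much of the log the loopback DNS traffic accounts for, and which rule ids produce it, so the effect of the change can be measured afterwards. The following is an added example, not from the thread: a small parser for the tab-separated shape of the log the poster pasted (time, interface, rule description with rule id in parentheses, source, destination, protocol). SAMPLE_LOG is constructed for this example; the LAN interface name, the "LAN allow web" rule and its id are made up.

```javascript
// Added example (not from the thread): parse pfSense firewall log rows in the
// pasted format and report the share made up of lo0 -> 127.0.0.1:53 entries.
// SAMPLE_LOG is constructed; the igb1 rows and rule id 1000000200 are invented.

const SAMPLE_LOG = [
  "Sep 2 05:45:03\tlo0\tpass IPv4 loopback (1000004761)\t  127.0.0.1:64605\t  127.0.0.1:53\tUDP",
  "Sep 2 05:45:03\t► lo0\tlet out anything IPv4 from firewall host itself (1000004765)\t  127.0.0.1:64605\t  127.0.0.1:53\tUDP",
  "Sep 2 05:45:03\tlo0\tpass IPv4 loopback (1000004761)\t  127.0.0.1:44799\t  127.0.0.1:53\tUDP",
  "Sep 2 05:45:03\t► lo0\tlet out anything IPv4 from firewall host itself (1000004765)\t  127.0.0.1:44799\t  127.0.0.1:53\tUDP",
  "Sep 2 05:45:03\tlo0\tpass IPv4 loopback (1000004761)\t  127.0.0.1:11717\t  127.0.0.1:53\tUDP",
  "Sep 2 05:45:03\t► lo0\tlet out anything IPv4 from firewall host itself (1000004765)\t  127.0.0.1:11717\t  127.0.0.1:53\tUDP",
  // two constructed LAN entries so the loopback share is not 100%
  "Sep 2 05:45:04\tigb1\tLAN allow web (1000000200)\t  192.168.1.50:51234\t  203.0.113.10:443\tTCP",
  "Sep 2 05:45:04\tigb1\tLAN allow web (1000000200)\t  192.168.1.51:51235\t  203.0.113.11:443\tTCP",
  "garbage line without tabs",            // must be skipped, not crash the parser
];

function splitHostPort(s) {
  const i = s.lastIndexOf(":");
  return i === -1 ? [s, ""] : [s.slice(0, i), s.slice(i + 1)];
}

// Parse one row; returns null for anything that is not a six-field log entry.
function parseLogLine(line) {
  const f = line.split("\t").map(s => s.trim());
  if (f.length < 6) return null;
  const marker = f[1].startsWith("►");            // some pasted rows carry this marker; keep it as a flag, do not interpret it
  const iface = f[1].replace(/^►\s*/, "");
  const m = /^(.*?)\s*\((\d+)\)$/.exec(f[2]);     // "description (ruleid)"
  if (!m) return null;
  const [src, sport] = splitHostPort(f[3]);
  const [dst, dport] = splitHostPort(f[4]);
  return { time: f[0], iface, marker, rule: m[1], ruleId: m[2], src, sport, dst, dport, proto: f[5] };
}

// Aggregate: entries per rule id, and the share that is lo0 -> 127.0.0.1:53/UDP.
function summarize(lines) {
  const byRule = {};
  let total = 0, loopbackDns = 0;
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue;
    total++;
    byRule[e.ruleId] = (byRule[e.ruleId] || 0) + 1;
    if (e.iface === "lo0" && e.dst === "127.0.0.1" && e.dport === "53" && e.proto === "UDP") loopbackDns++;
  }
  return { total, loopbackDns, loopbackDnsShare: total ? loopbackDns / total : 0, byRule };
}

const report = summarize(SAMPLE_LOG);
console.log(`${report.loopbackDns}/${report.total} entries (${(report.loopbackDnsShare * 100).toFixed(0)}%) are loopback DNS; per rule:`, report.byRule);
```

Run it against an export of the real log (one row per line, tab-separated as pasted) and the byRule counts tell you which automatic rule ids are responsible; if the share drops to zero after a logging change while the other rule ids keep their counts, the change did only what was intended.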

                      Status -> System Logs -> Settings
                      Disable "Log packets matched from the default pass rules put in the ruleset"

                      OR

                      Create a specific firewall rule with destination "127.0.0.1", action=allow, port=any and source=any, and disable logging.
                      Traffic will then match this specific rule and be allowed but not logged.

                      • AR15USR

                        @Nachtfalke:

                        Status -> System Logs -> Settings
                        Disable "Log packets matched from the default pass rules put in the ruleset"

                        OR

                        Create a specific firewall rule with destination "127.0.0.1", action=allow, port=any and source=any, and disable logging.
                        Traffic will then match this specific rule and be allowed but not logged.

                        Well, your first suggestion stops all pass logging, it seems. The second suggestion didn't work. I'm guessing that is because the traffic is on the lo0 interface?


                        2.6.0-RELEASE

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.