Apply firewall rules on squid



  • Hi,

    I hope somebody can help me with the following puzzle. I'm quite new to squid, so I'm probably asking something stupid. However half a day of googling and searching this forum didn't resolve it.

    I installed Squid on my PFSense appliance. All works well; however, when using the proxy, firewall rules are bypassed.

    I would like to use squid, however I would like to filter as well. Is there a way to make squid behave more like a normal client? Make it, e.g., use an interface so I can firewall that interface? Or another way to apply firewall rules?

    Thanks,

    Mark



  • Squid shouldn't bypass the firewall as it is a separate package.  We use the two in tandem on all of our installations without problems.  Can you give examples as to what makes it appear to be doing that?



  • Hi Stewart,

    Thanks for your reply. And great to learn I can use Squid in conjunction with firewall rules.

    I have squid on my PFSense box running on my server VLAN interface. I configured the proxy in my browser: 192.168.20.1 port 3128.
    All works well.

    Now, without the proxy, I just disabled a simple firewall rule allowing access to a webhosting control panel on port 2222. With this rule disabled I cannot access the control panel.

    The moment I enable the proxy in my browser I am able to access the control panel. So squid is ignoring all rules set on the Server VLAN interface.

    Squid realtime log:

    Date IP Status Address User Destination
    23.03.2017 11:46:24 192.168.20.18 TCP_REFRESH_MODIFIED/200 http://5.xx.xx.125:2222/favicon.ico - 5.xx.xx.125
    23.03.2017 11:46:24 192.168.20.18 TCP_REFRESH_MODIFIED/200 http://5.xx.xx.125:2222/images/pass0input.gif - 5.xx.xx.125
    23.03.2017 11:46:24 192.168.20.18 TCP_REFRESH_MODIFIED/200 http://5.xx.xx.125:2222/images/user0inout.gif - 5.xx.xx.125
    23.03.2017 11:46:24 192.168.20.18 TCP_REFRESH_MODIFIED/200 http://5.xx.xx.125:2222/images/bg0main.gif - 5.xx.xx.125
    23.03.2017 11:46:24 192.168.20.18 TCP_REFRESH_MODIFIED/200 http://5.xx.xx.125:2222/images/login0bt.gif - 5.xx.xx.125
    23.03.2017 11:46:24 192.168.20.18 TCP_REFRESH_MODIFIED/200 http://5.xx.xx.125:2222/images/logo.gif - 5.xx.xx.125

    Probably Squid isn't running on that interface, hence my question. How can I make Squid respect my firewall rules, or just configure firewall rules on it is fine with me as well.

    Thanks

    Mark



  • Or do I need squidguard to achieve filtering on squid proxy?
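What the log above shows is expected behaviour rather than a bypass: the browser's connection that enters the Server VLAN is to 192.168.20.1:3128, which the interface rules allow, and Squid then opens a brand-new TCP connection from the firewall host itself to 5.xx.xx.125:2222. Rules on the Server VLAN interface only evaluate traffic entering that interface, so they never see the proxy's upstream connection. Stock Squid permits this because its default Safe_ports list includes 1025-65535, which covers 2222. Port and destination filtering of proxied traffic therefore belongs in Squid's own http_access ACLs (squidGuard is only needed for URL or category based filtering); the alternative is a pfSense floating rule with direction "out" on WAN that blocks TCP to port 2222, which does match traffic the firewall originates. The following is an added example, not configuration from the thread or from the pfSense package; it assumes the pfSense Squid package exposes a custom options/ACL box where these lines are placed ahead of the generated "allow localnet" rule.

```conf
# Added example: Squid ACLs that keep the proxy from reaching the control
# panel port that the interface rules on the Server VLAN cannot see.
# Assumption: these lines are entered in the pfSense Squid package's custom
# options field so they land before the package's own http_access allow rules.

# Ports the proxy may fetch plain http:// URLs from. Stock squid.conf also
# lists "1025-65535" here, which is what let port 2222 through.
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# Ports the proxy may tunnel with CONNECT (https:// in a browser).
acl SSL_ports port 443
acl CONNECT method CONNECT

# Destination port of the hosting control panel seen in the realtime log.
acl cpanel_port port 2222

# http_access is first-match: the deny lines must come before any allow.
http_access deny cpanel_port
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
```

After saving, `squid -k parse` checks the generated squid.conf for syntax errors and `squid -k reconfigure` applies it without a restart. From a client on the Server VLAN, `curl -x http://192.168.20.1:3128 http://5.xx.xx.125:2222/` should now return a 403 from Squid, and the realtime log should show TCP_DENIED/403 instead of the TCP_REFRESH_MODIFIED/200 entries above.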