PFSense Originated Traffic
-
I've got PFSense configured with Squid and PFBlockerNG and in testing DNSBLs work well however the IPBLs don't seem to be affecting traffic originated by Squid; can anyone provide insight?
-
To be clear, I am seeing blocks for traffic coming in to the PFSense instance on the WAN interface; I'm also able to generate a block on an internal interface by pinging an address on the blacklist. However if I write a rule that drops traffic to a certain IP but then browse to that IP with Squid as my proxy the traffic is permitted and the site comes back.
-
pfSense is "stateful" and in pfSense's parlance, that means the *only time a rule is checked is when a new state is being created, and only on ingress. When a state is created, the state's pair is automatically created and is not checked against the rules. When Squid makes an outgoing connection, it is never checked against the interface's rules because it's an outgoing connection. But because the outgoing state is created, the incoming state is automatically created. When the response from the remote server comes back, there's already an existing state and the rules are ignored.
*you can use floating rules to block outgoing states from being created.
-
Thanks,
I've give floating rules a shot but I recall seeing the same behavior when testing with them earlier.
-
Floating rules definitely work but you have to pay attention to details, make sure the rules are marked as "quick" and apply to the correct direction which is out in your case.
-
Floating rules are working as desired, thanks!