Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Firewall rules and external proxy servers – How to prevent bypassing squid?

    Firewalling
    3
    3
    5308
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jaybird last edited by

      Hi, I am running squid in transparent mode. It is listening on port 3128 of my pfSense-1.2.3-Router/Firewall-box at LAN-IP 192.168.1.1.

      I configured squidguard to deny access from my LAN clients to some shallalist-blacklisted internet sites. It works just fine.

      Now I am interested in some hints and advice regarding squid and content filtering related firewall rules.

      Is there a basic set of pfSense firewall rules that prevents bypassing my squid-proxy, that is, bypassing by manually configuring the clients' browsers to use external proxy servers, including those which use port 3128 (like my squid does too)?

      My aim here is to really force the lan clients to connect to squid for browsing the internet. Can it be done?

      How to setup the firewall via pfSense webGUI for this purpose…?

      I am not an expert in pfSense-firewalling, so I could use some detailed descriptions of any firewall rules which might be involved here. Thanks in advance.

      Regards,
      jaybird

      1 Reply Last reply Reply Quote 0
      • N
        nicolodeon last edited by

        As the OP states, this information would be useful, I suppose STF is the way forward.

        1 Reply Last reply Reply Quote 0
        • B
          Bern last edited by

          If you've got squid running in transparent mode, then the rules are applied AFTER the redirect takes place at the firewall - the same as incoming port forwarding.

          So you apply a rule that governs access to squid itself - see attached file.


          1 Reply Last reply Reply Quote 0
          • First post
            Last post