Firewall rules and external proxy servers – How to prevent bypassing squid?



  • Hi, I am running squid in transparent mode. It is listening on port 3128 of my pfSense-1.2.3-Router/Firewall-box at LAN-IP 192.168.1.1.

    I configured squidguard to deny access from my LAN clients to some shallalist-blacklisted internet sites. It works just fine.

    Now I am interested in some hints and advice regarding squid and content filtering related firewall rules.

    Is there a basic set of pfSense firewall rules that prevents bypassing my squid-proxy, that is, bypassing by manually configuring the clients' browsers to use external proxy servers, including those which use port 3128 (like my squid does too)?

    My aim here is to really force the lan clients to connect to squid for browsing the internet. Can it be done?

    How to setup the firewall via pfSense webGUI for this purpose…?

    I am not an expert in pfSense-firewalling, so I could use some detailed descriptions of any firewall rules which might be involved here. Thanks in advance.

    Regards,
    jaybird



  • As the OP states, this information would be useful, I suppose STF is the way forward.



  • If you've got squid running in transparent mode, then the rules are applied AFTER the redirect takes place at the firewall - the same as incoming port forwarding.

    So you apply a rule that governs access to squid itself - see attached file.



Log in to reply