Transparent proxy security hole



  • Hello, I have a problem with the transparent proxy. I have two networks with transparent proxy enabled:
    LAN 192.168.0.0/24 & LAN2 172.17.0.0/16.
    In the firewall rules, everything from LAN2 toward LAN is denied, but with the transparent proxy, LAN2's users can reach LAN's web server.
    I know I can use blacklists in SquidGuard to deny access to "192.168.0.", but if a user uses a DNS name, he can reach the server and we can't block that; a user can add "192.168.0.5 dsfdsfffffd" to his hosts file and use dsfdsfffffd to access the server on LAN….
    Also, in the firewall we can't block pfSense itself from accessing something. I have tried "block 192.168.0.1:any to 192.168.0.5:80" or "block 127.0.0.1:any to 192.168.0.5:80" in the LAN rules, but it can't block...

    Thanks for any help.


  • Rebel Alliance Developer Netgate

    Some people have gotten around a similar situation by using hand-coded rules, but I don't recall the specifics.

    Something along the lines of (in pseudocode): redirect all from <lan> to any (not <opt1>) port 80 to localhost port <squidport>.



  • A URL or a pfSense developer's topic? I found nothing in the docs or
    FAQ.  ???
    Thanks for any help.


  • Rebel Alliance Developer Netgate

    You might have a look at this thread:

    http://forum.pfsense.org/index.php/topic,6169.0.html



  • The problem is that the Squid package bypasses firewall rules:

    http://forum.pfsense.org/index.php/topic,14607.0.html



  • No, it doesn't.

    Firewall rules are inbound on interfaces.  Squid runs on the host hence if you can connect to it there are no rules to stop outbound access.  At no point are rules bypassed.  Your intentions might not be being met, but that's completely different.



  • @Cry:

    No, it doesn't.

    Firewall rules are inbound on interfaces.  Squid runs on the host hence if you can connect to it there are no rules to stop outbound access.  At no point are rules bypassed.  Your intentions might not be being met, but that's completely different.

    With these rules (the fragment as pasted was missing the loop braces and the case's break; they are restored here):
    case 'filter':
        foreach ($ifaces as $iface) {
            $rules .= "# Setup squid pass rules for proxy\n";
            $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
        }
        break;
    although I check "Do NOT proxy Private Address Space (RFC 1918)" and although I block access in the firewall rules, any computer can reach the HTTP server in the denied area…
    See http://forum.pfsense.org/index.php/topic,14607.0.html

    Thanks



  • On 2.0, user rules are parsed before the squid proxy rules, or, as you say, squid does not bypass firewall rules.
    I cannot see this changing on 1.2, in my opinion.



  • @ermal:

    On 2.0, user rules are parsed before the squid proxy rules, or, as you say, squid does not bypass firewall rules.
    I cannot see this changing on 1.2, in my opinion.

    These lines (loop braces and the case's break restored; the pasted fragment lacked them):
    case 'filter':
        foreach ($ifaces as $iface) {
            $rules .= "# Setup squid pass rules for proxy\n";
            $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
        }
        break;
    are in squid.inc

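To make concrete why the LAN2-to-LAN block never fires for HTTP and what the hand-coded "redirect ... to any (not <opt1>)" rule changes, here is a constructed pf ruleset (added example, not from squid.inc or any poster; interface names, the 3128 port and the rdr line are assumptions, the pass line mirrors the one quoted above):

```pf
# Constructed example: pf rules in the shape of what the squid package
# generates, followed by a hand-coded variant that excludes the protected LAN.
lan_if     = "em0"              # LAN,  192.168.0.0/24  (assumed name)
lan2_if    = "em1"              # LAN2, 172.17.0.0/16   (assumed name)
lan_net    = "192.168.0.0/24"
lan2_net   = "172.17.0.0/16"
squid_port = "3128"             # assumed transparent-proxy port

# -- Package-style rules (weak): every port-80 flow not aimed at the
# interface's own address is redirected to Squid on the firewall host.
rdr on $lan2_if proto tcp from any to !($lan2_if) port 80 -> 127.0.0.1 port $squid_port
pass in quick on $lan2_if proto tcp from any to !($lan2_if) port 80 flags S/SA keep state
# The user block below is never reached for HTTP: the packet already matched
# the "quick" pass, and Squid then opens its own outbound connection from the
# host, where no inbound interface rule applies.
block in on $lan2_if from $lan2_net to $lan_net

# -- Hand-coded variant: leave HTTP toward the protected LAN out of the
# interception, so it stays a normally forwarded flow and hits the block.
rdr on $lan2_if proto tcp from $lan2_net to !$lan_net port 80 -> 127.0.0.1 port $squid_port
pass in quick on $lan2_if proto tcp from $lan2_net to !$lan_net port 80 flags S/SA keep state
block in on $lan2_if from $lan2_net to $lan_net
```

As a second layer inside Squid, an `acl lan_net dst 192.168.0.0/24` with `http_access deny lan_net` matches the resolved destination address rather than the name in the URL, so a hosts-file alias does not get around it the way it gets around a name-based SquidGuard blacklist.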
