http 80 always allowed

  • Hello,

    I'm using Squid Transparent HTTP Proxy on 2.4.4_1
    HTTPS/SSL Interception is disabled.
    IPv4 only network.

    DHCP doesn't run on pfSense and it points clients to a simple proxy.pac / wpad.dat file (also served independently) containing:

    function FindProxyForURL(url, host)
    {
        return "PROXY proxy:3128";
    }
    

    With browser or OS proxy settings autodetection everything is working as expected.
    Clients can browse 80, 443 and 8000-8999 range.
    Traffic shows up in Squid reports on pfSense:

    telnet portquiz.net 80
    Trying 5.196.70.86...
    Connected to portquiz.net.
    Escape character is '^]'.
    
    telnet portquiz.net 443
    Trying 5.196.70.86...
    Connected to portquiz.net.
    Escape character is '^]'.
    
    telnet portquiz.net 8080
    Trying 5.196.70.86...
    Connected to portquiz.net.
    Escape character is '^]'.
    

    Now I want a situation where no above mentioned traffic goes through unless proxy settings are specified.

    My attempts so far:

    1. I've set clients to "no proxy", disabled proxy autodetection and left proxy.pac / wpad.dat empty. Traffic to 443 is blocked, but 80 and 8000-8999 still go through:
    telnet portquiz.net 80
    Trying 5.196.70.86...
    Connected to portquiz.net.
    Escape character is '^]'.
    
    telnet portquiz.net 443
    Trying 5.196.70.86...
    telnet: Unable to connect to remote host: Connection refused
    
    telnet portquiz.net 8080
    Trying 5.196.70.86...
    Connected to portquiz.net.
    Escape character is '^]'.
    
    2. In addition to the above, I added a rule to the LAN interface rejecting all outgoing TCP IPv4 traffic from LAN net to all destinations on ports 80, 443 and 8000-8999. The only difference it has made is the 8000-8999 range. Traffic on 80 still goes through!
    telnet portquiz.net 80
    Trying 5.196.70.86...
    Connected to portquiz.net.
    Escape character is '^]'.
    
    telnet portquiz.net 443
    Trying 5.196.70.86...
    telnet: Unable to connect to remote host: Connection refused
    
    telnet portquiz.net 8080
    Trying 5.196.70.86...
    telnet: Unable to connect to remote host: Connection refused
    

    Is the rule being silently overwritten by Squid always allowing 80?
    Something like anti-lockout rule for firewall access?
    How do I block outgoing 80 traffic?

    I'd like to prevent clients from accessing any web ports unless they have proxy configured.
    I'll be using multiple proxies later and want to be able to switch between them.

    Please advise.

    Thanks,
    Adam
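A client-side check for the end state the post is after (direct web egress blocked, the proxy path still working), added here as an example and not part of the original post or of the pfSense/Squid packages. The proxy name proxy:3128 and the test host portquiz.net come from the post; the sampled ports from the 8000-8999 range are a constructed subset, and Squid is assumed to answer a denied request with a 4xx status.

```python
"""Probe each web port directly and through the proxy, and flag ports that leak."""
import socket

# Values from the post: the proxy the PAC file advertises and the host probed with telnet.
PROXY = ("proxy", 3128)
TARGET_HOST = "portquiz.net"
# Constructed sample: 80, 443 and a few points of the 8000-8999 range the post mentions.
WEB_PORTS = [80, 443, 8000, 8080, 8443, 8999]
TIMEOUT = 3.0


def tcp_reachable(host, port, timeout=TIMEOUT):
    """True if a direct TCP connection to host:port succeeds, i.e. the proxy is bypassed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unroutable: the firewall did its job
        return False


def proxy_request(host, port):
    """Request a browser would send via the proxy: CONNECT for 443, absolute-URI GET otherwise."""
    if port == 443:
        return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    return f"GET http://{host}:{port}/ HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"


def via_proxy(proxy, host, port, timeout=TIMEOUT):
    """True if the proxy forwards the request (status < 400); a 4xx means an ACL denied it."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(proxy_request(host, port).encode())
            status = s.recv(1024).split(b"\r\n", 1)[0].split()  # e.g. [b"HTTP/1.1", b"200", ...]
    except OSError:
        return False
    return len(status) >= 2 and status[1].isdigit() and int(status[1]) < 400


def verdict(direct, proxied):
    """Classify one port; the desired end state for every web port is 'proxied-only'."""
    if direct:
        return "leak"  # reachable without proxy settings, like port 80 in the post
    return "proxied-only" if proxied else "blocked"


def audit(host=TARGET_HOST, ports=WEB_PORTS, proxy=PROXY):
    """Return {port: verdict} for every probed port."""
    return {p: verdict(tcp_reachable(host, p), via_proxy(proxy, host, p)) for p in ports}


if __name__ == "__main__":
    for port, result in audit().items():
        print(f"{TARGET_HOST}:{port:<5} {result}")
```

Run it from a LAN client with proxy settings cleared; any port reported as "leak" is one the firewall still lets out directly.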