Netgate Discussion Forum
    http 80 always allowed

    • adamw

      Hello,

      I'm using Squid Transparent HTTP Proxy on 2.4.4_1
      HTTPS/SSL Interception is disabled.
      IPv4 only network.

      DHCP doesn't run on pfSense and it points clients to a simple proxy.pac / wpad.dat file (also served independently) containing:

      function FindProxyForURL(url, host)
      {
          return "PROXY proxy:3128";
      }


      With browser or OS proxy settings autodetection everything is working as expected.
      Clients can browse 80, 443 and 8000-8999 range.
      Traffic shows up in Squid reports on pfSense:

      telnet portquiz.net 80
      Trying 5.196.70.86...
      Connected to portquiz.net.
      Escape character is '^]'.
      
      telnet portquiz.net 443
      Trying 5.196.70.86...
      Connected to portquiz.net.
      Escape character is '^]'.
      
      telnet portquiz.net 8080
      Trying 5.196.70.86...
      Connected to portquiz.net.
      Escape character is '^]'.
      

      Now I want a situation where none of the above-mentioned traffic goes through unless proxy settings are specified.

      My attempts so far:

      1. I've set clients to "no proxy", disabled proxy autodetection and left proxy.pac / wpad.dat empty. Traffic to 443 is blocked but 80 and 8000-8999 still goes through:
      telnet portquiz.net 80
      Trying 5.196.70.86...
      Connected to portquiz.net.
      Escape character is '^]'.
      
      telnet portquiz.net 443
      Trying 5.196.70.86...
      telnet: Unable to connect to remote host: Connection refused
      
      telnet portquiz.net 8080
      Trying 5.196.70.86...
      Connected to portquiz.net.
      Escape character is '^]'.
      
      2. In addition to the above I added a rule to LAN rejecting all outgoing TCP IPv4 traffic from LAN net to all destinations on ports 80, 443 and 8000-8999. The only difference it has made is to the 8000-8999 range. Traffic on 80 still goes through!
      telnet portquiz.net 80
      Trying 5.196.70.86...
      Connected to portquiz.net.
      Escape character is '^]'.
      
      telnet portquiz.net 443
      Trying 5.196.70.86...
      telnet: Unable to connect to remote host: Connection refused
      
      telnet portquiz.net 8080
      Trying 5.196.70.86...
      telnet: Unable to connect to remote host: Connection refused
      

      Is the rule being silently overwritten by Squid always allowing 80?
      Something like anti-lockout rule for firewall access?
      How do I block outgoing 80 traffic?

      I'd like to prevent clients from accessing any web ports unless they have proxy configured.
      I'll be using multiple proxies later and want to be able to switch between them.

      Please advise.

      Thanks,
      Adam

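One thing to check when a LAN block rule on port 80 appears to be ignored under a transparent proxy: pf evaluates rdr (NAT) translation before the filter rules, so an rdr that rewrites port 80 to the local Squid port means a filter rule written against destination port 80 never sees that traffic (and with `rdr pass` the filter is skipped for it entirely). The checker below is an added example, not code from the post or from pfSense; it parses constructed `pfctl -sn` / `pfctl -sr` style output and flags block rules shadowed by an rdr on the same interface, with the interface names, subnet and exact rule wording being assumptions.

```python
import re

# Constructed sample, not a real capture: `pfctl -sn` (NAT/rdr) and `pfctl -sr`
# (filter) style output from a pfSense box with Squid in transparent mode.
# Interface names, subnet and exact rule wording are assumptions.
SAMPLE_NAT = """\
rdr pass on em1 inet proto tcp from 192.168.1.0/24 to ! 192.168.1.1 port = http -> 127.0.0.1 port 3128
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
"""
SAMPLE_FILTER = """\
block return in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = http
block return in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = https
block return in quick on em1 inet proto tcp from 192.168.1.0/24 to any port 8000:8999
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state
"""

PORT_NAMES = {"http": 80, "https": 443}  # service names pf prints for well-known ports
RDR_RE = re.compile(r"^rdr(?: pass)? on (\S+) .*?\bport = (\w+) -> (\S+) port (\d+)")
BLOCK_RE = re.compile(r"^block .*\bon (\S+) .*?\bport (?:= (\w+)|(\d+):(\d+))")

def _port(token):
    """Resolve a pf port token (service name or number) to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_rdr(nat_text):
    """Map (interface, original dst port) -> (target host, target port) for rdr rules."""
    rules = {}
    for line in nat_text.splitlines():
        m = RDR_RE.match(line)
        if m:
            iface, port, host, tport = m.groups()
            rules[(iface, _port(port))] = (host, int(tport))
    return rules

def shadowed_blocks(nat_text, filter_text):
    """Block rules whose dst port an rdr on the same interface rewrites first,
    so the filter never sees the original port and the block cannot match."""
    rdr = parse_rdr(nat_text)
    shadowed = []
    for line in filter_text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue
        iface, name, lo, hi = m.groups()
        ports = [_port(name)] if name else range(int(lo), int(hi) + 1)
        for p in ports:
            if (iface, p) in rdr:
                host, tport = rdr[(iface, p)]
                shadowed.append({"iface": iface, "port": p, "to": f"{host}:{tport}"})
    return shadowed
```

Run against the sample, only the port 80 block is reported as shadowed, which matches the symptom of 443 and 8000-8999 being rejected while 80 still connects.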
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.