pfblocker not working with squid



  • Hello!!
    I am facing an issue with pfBlocker: I enabled it on the OPT interface, and Squid is also running on the same interface.
    Squid is doing web filtering for both HTTP and HTTPS, whereas pfBlocker is doing country blocking.
    When I try to enable country-based blocking it does not work for me; as a result I am able to access the websites of the blocked country.
    I say that pfBlocker does not work with Squid because when I enable pfBlocker on the LAN interface (Squid is not in play on LAN), I am able to block the country.
    Please help me out with this: how can I make them work simultaneously?
    If I have to create any rules, please specify those rules and where I have to put them.

    Thanks



  • They are two services that work on different parts of the communication; they can work on the same interface without any issue.

    pfBlockerNG: DNS side
    Squid: HTTP/HTTPS

    Check your settings again.



  • I checked all the settings and the problem is still there.
    Whenever I disable Squid my country blocking works, and when I enable it the country blocker does not work for me.

    Please help me out, anyone.



  • I want to correct myself: some features of pfBlocker are working with Squid, like ad blocking and so on, but the problem is only with country blocking.



  • Once Squid intercepts the packet, it changes the source of it to itself.
    Try changing the pfBlocker rule to be a floating rule.



  • @mcury What rule should I put in?
    One more thing: I checked the floating rule option in pfBlocker, which made the floating rule automatically in my Floating rules tab.
    If I have to change something else after that, please tell me in detail.



  • @mcury (attached screenshot: Screenshot from 2019-12-04 16-18-34.png)

    These are the rules that were automatically created by pfBlocker.



  • Check if it's working now; if it's not, note that Squid has its own DNS settings. Set it to use 127.0.0.1 (DNS Resolver).



  • @mcury So my Squid should use the IP 127.0.0.1 to resolve DNS?



  • Are you using DNSblocker or only the country block settings?
    If you are not using DNSblocker, you don't need to configure Squid to use the DNS Resolver.



  • If you are just blocking countries' IP blocks, I believe that the floating rule is enough.
    You need to perform your tests there.



  • @mcury said in pfblocker not working with squid:

    Are you using DNSblocker or only the country block settings?
    If you are not using DNSblocker, you don't need to configure Squid to use the DNS Resolver.

    No, I am not using DNSblocker. I enabled the GeoIP feature in pfBlocker.
    But I am using the DNS Resolver for Squid.



  • What about the tests after you enabled the floating rules in pfBlocker?

    Based on what I could understand about Squid, it intercepts the connection from the host and makes its own connection to the website, thus using itself as the source of that connection.

    Firewall rules are not applied to localhost, so that's why I've told you to enable the floating rules in the pfBlocker configuration.

    You can try to access a website within a country you have blocked to test; make sure you clear your browser history in case you have accessed it before (to avoid using the cache).

    Also, you may try an ipconfig /flushdns in case you are using Windows, to avoid using cached DNS requests too.



  • @mcury said in pfblocker not working with squid:

    What about the tests after you enabled the floating rules in pfBlocker?

    Based on what I could understand about Squid, it intercepts the connection from the host and makes its own connection to the website, thus using itself as the source of that connection.

    Firewall rules are not applied to localhost, so that's why I've told you to enable the floating rules in the pfBlocker configuration.

    You can try to access a website within a country you have blocked to test; make sure you clear your browser history in case you have accessed it before (to avoid using the cache).

    Also, you may try an ipconfig /flushdns in case you are using Windows, to avoid using cached DNS requests too.

    Nothing changed with the floating rule.

    1. Can you clarify one thing for me: do Squid and pfBlocker both use the DNS Resolver?
    2. As I can see, in pfBlocker there is the DNSBL option, which I have to configure to use the 10.10.10.1 virtual IP for DNS resolution, but at the same time there is a note that to enable DNSBL the Unbound DNS Resolver should be enabled.
    3. According to my knowledge Squid is also using the DNS Resolver (as Google/YouTube/Bing SafeSearch is enabled by me).
    4. So if I put all the things together, I think the problem is due to the DNS Resolver: both are using the DNS Resolver, but pfBlocker wants to send DNS requests to 10.10.10.1 and Squid wants to send DNS requests to some other IP.
       What do you think?


  • In order to use DNSBL, you must enable the DNS Resolver.

    As for Squid using the DNS Resolver, this part I'm not sure about, OK? You will need to test the following:

    1 - Set 127.0.0.1 in the Squid DNS configuration.
    2 - Check if pfSense itself is using the DNS Resolver, or if it's forwarding directly to the DNS servers configured in System > General Setup. You may need to untick the following options: DNS Server Override and Disable DNS Forwarder.

    Try 1 first, then try 2, then both at the same time, until it works.

    Kindly note that I'm not sure if those options will work; perform tests to confirm, OK, and report here if it worked.



  • @mcury OK, I will let you know after testing.



  • @mcury One thing I want to share: I am using Squid for domain blocking, so I think it will use the DNS Resolver. Moreover, the docs on the internet for domain blocking through Squid mention enabling the DNS Resolver for domain blocking.

    Can you please tell me how I can configure the 127.0.0.1 IP in Squid for DNS?



  • Check the setting: Use Alternative DNS Servers for the Proxy Server

    (attached screenshot: 81754223-6079-4552-8e0a-0ee77cd0668a-image.png)



  • It just occurred to me: you may need to set the pfBlocker floating rule to block in the WAN OUT direction.

    I'm saying this because you may be using a non-transparent proxy, so in this case, when the client requests a website, the source will be the client and the destination will be the proxy IP on port 3128. In this situation, the floating rule will not work if it's set with inbound direction on LAN.

    Are you using a transparent proxy or not?
    Also confirm that the clients are using the DNS Resolver as their DNS server.
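    The point made in the two posts above (Squid makes its own upstream connection from the firewall, so a LAN inbound GeoIP rule never sees the real destination, while a floating WAN OUT rule does) can be checked against a toy model of the rule matching. This is an added illustration, not code from the thread or from pfSense; the prefixes, addresses and the simplification that the transparent-proxy redirect is applied before the filter rules are all assumptions of the model.

```python
"""Toy model of where a GeoIP block rule can match when Squid proxies on the
same pfSense box. Constructed illustration, not pfSense or pf code."""
import ipaddress

# Constructed alias standing in for a blocked country's prefixes
# (documentation ranges, not real GeoIP data).
BLOCKED_COUNTRY = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
FIREWALL_LAN_IP = "192.168.1.1"   # assumed LAN address of the pfSense box
FIREWALL_WAN_IP = "192.0.2.10"    # assumed WAN address of the pfSense box
SQUID_PORT = 3128                 # proxy port named in the thread


def in_alias(addr, alias):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


def rule_matches(rule, pkt):
    """Simplified pf match: interface, direction and destination alias agree."""
    return ((rule["iface"], rule["dir"]) == (pkt["iface"], pkt["dir"])
            and in_alias(pkt["dst"], rule["dst_alias"]))


def filter_legs(client_pkt, mode):
    """Packets the filter evaluates for one client request, by proxy mode.
    none: client talks to the site directly.
    transparent: redirect rewrites dst to the local Squid listener (assumed to
                 happen before filtering), then Squid connects upstream itself.
    explicit: client connects to proxy IP:3128, then Squid connects upstream."""
    if mode == "none":
        return [client_pkt]
    first_dst = "127.0.0.1" if mode == "transparent" else FIREWALL_LAN_IP
    first = dict(client_pkt, dst=first_dst, dport=SQUID_PORT)
    upstream = {"iface": "wan", "dir": "out", "src": FIREWALL_WAN_IP,
                "dst": client_pkt["dst"], "dport": client_pkt["dport"]}
    return [first, upstream]


def blocks(rule, client_pkt, mode):
    """True if `rule` matches any leg of the request in the given proxy mode."""
    return any(rule_matches(rule, leg) for leg in filter_legs(client_pkt, mode))


LAN_IN_RULE = {"iface": "lan", "dir": "in", "dst_alias": BLOCKED_COUNTRY}
FLOATING_WAN_OUT_RULE = {"iface": "wan", "dir": "out", "dst_alias": BLOCKED_COUNTRY}

# Constructed client request to a host inside the blocked alias.
CLIENT_REQUEST = {"iface": "lan", "dir": "in", "src": "192.168.1.50",
                  "dst": "203.0.113.5", "dport": 80}

if __name__ == "__main__":
    for mode in ("none", "transparent", "explicit"):
        print(mode, "LAN in:", blocks(LAN_IN_RULE, CLIENT_REQUEST, mode),
              "floating WAN out:", blocks(FLOATING_WAN_OUT_RULE, CLIENT_REQUEST, mode))
```

    The LAN inbound rule only matches in the no-proxy case, which mirrors the thread's observation that country blocking works once Squid is out of the path; the floating WAN OUT rule matches in every mode.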



  • @mcury You are right, it's happening due to the transparent proxy.
    Yes, I am using a transparent proxy, and when I disable the transparent proxy my country blocking works, but at the same time domain blocking does not work for me.
    Now what next? Please tell me where and what rule I should put in to make it work.

    And I think the clients are using the DNS Resolver as their DNS server, because I configured Google/YouTube/Bing SafeSearch, which is configured with the help of the DNS Resolver, and on my client browser Google SafeSearch is working, which means the client is using the DNS Resolver.

