PfSense HTTP/HTTPS firewall rules and Squid ...

  • Hi,
    I am facing an issue regarding firewall of PfSense (http/s trafic).
    My FW gets 2 rules HTTP(80) and HTTPS(443) in order to prevent the LAN users accessing internet web sites.

    • when Squid Proxy service is disabled : both rules work (users cannot acces http/s )
    • when Squid Proxy service enabled (Transparent mode + SSL interception + SpiceAll) :
      users can access internet !
    • if I disable Squid, rules are taken into account again

    It seems like Squid Proxy service is "overriding" both firewall rules.
    Has anybody ever experienced this kind of issue ? would it be a configuration issue instead ?

    Thanks for your help

  • the issue youre experiencing is because of transparent mode on squid. the traffic is redirected to the pfsense squid service, intercepted, and then the traffic source is changed to be the firewall itself. your rule isnt blocking the firewall.

    if youre trying to intercept and force traffic through the proxy BEFORE going to the internet, this is working as intended then.

  • Hi "isolatedvirus" and thx a lot !
    It makes sense. I configured [transparent mode] in order to avoid the configuration at every client side (Win or Linux) => no need to import PfSense selfsigned certificate and the SSL flow is not "broken" at the proxy level.
    If I understood, the solution would be to force the outbound web trafic going through Squid-proxy first and redirect it to the firewall after... both firewall and proxy applications should be "called" but I don't think that's possible...
    Regarding HTTP/S trafic flow, either I keep Squid in service (FW = useless) or I forgive Squid (and its proxy-cache for perf).
    On the other hand, a proxy is really usefull in a company IT network but at home...

Log in to reply