Netgate Discussion Forum

    Firewall / Squid and possible security related issue.

    pfSense Packages
    3 Posts 2 Posters 2.1k Views
    jits

      Hi Guys,

      I think I've run into another problem with Squid and the Firewall this time.

      With Squid enabled as transparent proxy, I went into Firewall Rules and changed the default LAN Net policy to "block" and ensured all protocols etc. were set to "any". I am now assuming that no one on my LAN will be able to access the internet.

      However, I was still able to access the internet, etc. without any problems... matter of fact, I am doing so now with the block any rule turned on!

      Now, when I turn off the squid service, revert the default LAN any rule to accept and then back to block, it works. I can no longer surf the internet and I get the Network Timeout error.

      I am assuming the firewall rules take precedence here. Please let me know your thoughts.

      Thanks

      Jits

      jits

        I didn't reset the firewall state table after making such a change. Again, I'm assuming, based on what I'm reading, that I should have, to effect changes a bit quicker than normal. Correct?

        chudy

          It's in your squid.inc that modifies the pf rules.

          You can edit your squid.inc in /usr/local/pkg/squid.inc and comment:
          $rules .= "#pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
          $rules .= "#pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";

          To show your current pf rules:

          pfctl -sr
          
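An added example, not from the thread or from the squid package: pf evaluates rules top to bottom and stops at the first matching rule marked `quick`, so a `pass in quick ... port 80` rule injected ahead of the LAN block rule wins regardless of that block. This script audits a ruleset in `pfctl -sr` form for exactly that ordering; the ruleset is constructed for the example and `em1` is an assumed LAN interface name.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pf ruleset, as printed by
# `pfctl -sr`, for "pass ... quick" rules that sit ahead of a "block" rule on
# the same interface. pf stops at the first matching "quick" rule, so such a
# pass rule takes effect no matter what a later LAN block rule says.

# Constructed sample ruleset modelled on the rule quoted in the thread (not
# real pfctl output from any box); em1 is an assumed LAN interface, em0 WAN.
SAMPLE_RULES='pass in quick on em1 proto tcp from any to ! (em1) port = 80 flags S/SA keep state
pass in quick on em1 proto tcp from any to ! (em1) port = 3128 flags S/SA keep state
block drop in quick on em1 inet all label "USER_RULE"
pass in quick on em0 inet all'

# find_shadowed_blocks: read a ruleset on stdin, print every "pass ... quick"
# rule that precedes a "block" rule on the same interface, and return the
# number of such rules as the exit status (0 means none found).
find_shadowed_blocks() {
    awk '
        # Return the interface name that follows the "on" keyword.
        function iface(line,    n, f, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++) if (f[i] == "on") return f[i + 1]
            return ""
        }
        /^pass / && / quick / { passes[++np] = $0; pass_if[np] = iface($0); pass_ln[np] = NR; next }
        /^block / { blk_if = iface($0); blk_ln[blk_if] = NR }
        END {
            hits = 0
            for (i = 1; i <= np; i++)
                if ((pass_if[i] in blk_ln) && pass_ln[i] < blk_ln[pass_if[i]]) {
                    printf "line %d shadows block at line %d: %s\n", pass_ln[i], blk_ln[pass_if[i]], passes[i]
                    hits++
                }
            exit hits
        }'
}

# Stand-alone run over the constructed ruleset; on a live box you would pipe
# `pfctl -sr` into the function instead.
if printf '%s\n' "$SAMPLE_RULES" | find_shadowed_blocks; then
    echo "no pass-quick rules shadow a block rule"
fi
```

The exit status doubles as a count, so it wraps past 255 rules; treat any non-zero status as a finding rather than relying on the exact number for large rulesets.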
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.