[Squid] How is this possible?
-
Hello.
Can someone please explain to me how I can still have access to the internet even after I have removed all LAN firewall rules. I am, ofcourse, assuming that when I do this, the default rule is to automatically block all, even if I have installed Squid.
So far, I have tried to reset firewall states. No joy. I still have access. I have rebooted PFSense machine, still no joy, I am posting this right now with absolutely no LAN firewall rules in place.
Thanks for your help.
Jits
-
The rules only apply to incoming traffic on the respective interface. If you have the Squid transparent proxy installed then it adds some not user visible rules to allow and transparent proxy web traffic. Then, since the squid traffic originates from the firewall (ie. it's never incoming traffic), it's allowed out.
-
Ok, I understand, but shouldn't the firewall rules dictate what passes and what doesn't?
By installing Squid and using the transparent proxy, PFsense has just said, "who needs rules now. I will become servant (LAN) to Squid" when in my mind, all packages installed should be looking to the PfSense Firewall rules.
Wow. This is certainly no easy task. I take my hat off to the developers.
Is it then possible to have Squid refer to firewall rules before allowing traffic through, regardless of transparency or not?
thanks
Jits -
This has been discussed before:
http://forum.pfsense.org/index.php/topic,13018.0.html
http://forum.pfsense.org/index.php/topic,14607.0.html
http://forum.pfsense.org/index.php/topic,16585.0.htmlThe bottom line is you'll need to create a block rule for port 80 on the LAN, this way the only way out will be through squid. Then, configure squid as you see fit. In 1.2.x and earlier, the packages are evaluated BEFORE the firewall rule sets, this changes in 2.x Perhaps you would be better suited using one of the newer builds? Best of luck.
-
Going bald is never fun. Now where do I scratch?? There is a workaround for what I want to do, but it's more configuration and not sure if it would have been possible with another firewall, big plus for PFsense here.
thanks for the comments and the insights.
Appreciated…Jits.