Proxy allows everything..?



  • Hello everyone,

    I'm having a problem with our proxy server since it somehow lets everything go through it.
    For instance, I've been trying a FileZilla FTP connection to an external FTP server without
    setting up a proxy in the tool, and see: everything connects just fine.

    Why is that the case? We are allowing FTP in our firewall rules, but that shouldn't mean
    that our proxy simply passes allowed traffic directly on to the firewall.

    Our proxy runs with the following settings:

    Interface: LAN
    Allow Users on Interface: Yes
    Transparent Proxy: Yes
    Bypass for Private Address Space: Yes

    Allowed Subnets:
    192.168.0.0/24
    192.168.11.0/24 (LAN Subnet)
    192.168.3.0/24 (LAN Subnet)
    192.168.8.0/24 (LAN Subnet)
    10.0.0.0/24

    Tested it with the latest FileZilla version, as said, without any proxy settings,
    and my NIC is set to Gateway & DNS = pfSense.

    Thanks in advance for your help.

    Kind regards,
    Stefan


  • Could the FTP rules be ahead of the proxy ones?



  • They shouldn't be, because the traffic basically (should at least) go to the proxy
    and then the proxy either blocks it or passes it to the firewall.


  • I know… :)



  • I'm confused - you say that you're allowing FTP in your firewall rules, so why wouldn't you expect an FTP connection to work, bypassing the proxy?

    Remember too that in pfSense the firewall rules apply to traffic inbound on that interface.  Any traffic that uses the proxy server can only be limited by the proxy server itself, since the client is only communicating with the proxy.



  • Isn't the Squid package in pfSense configured to only proxy http traffic?



  • @mhab12:

    Isn't the Squid package in pfSense configured to only proxy http traffic?

    No, Squid allows FTP proxying too…



  • Unless you have redirected port 21 to the Squid service, FTP isn't being passed through Squid.  It is instead using the FTP proxy that is built into pfSense.



  • It wouldn't matter if Squid only proxied HTTP traffic.  Because you allow outbound FTP any FTP client can connect to an FTP server on the Internet.  If you don't want that then you have to block the traffic (or better yet, block all traffic and only allow what you need).



  • Actually the firewall should block everything except the traffic that gets passed to it by the proxy.
    So if people (for instance, again) want to use ICQ, TeamViewer or something like that, they'd have
    to use the proxy. So do I have to reject everything except the things I want to work? (That would be HTTP
    for the proxy, ping to other interfaces, etc.)

    Regards,
    Stefan



  • There is, unless you've disabled it, a default rule on the LAN interface to allow all traffic.  The only sane way to configure a firewall is to block by default and then allow the ports and protocols you require (as I've already said).
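    As an added illustration (not from this thread and not pfSense's own generated rules), here is what the two approaches look like in pf.conf syntax, the rule language pfSense compiles its GUI rules into: the stock allow-all LAN rule beside a block-by-default set that admits only the transparent-proxy redirect, DNS to the firewall and ping to the other local subnets. The interface name em1 and the Squid listening port 3128 are assumed.

```pf
# Constructed example, not pfSense's generated rules. Assumes the LAN NIC is
# em1 and Squid listens on 127.0.0.1:3128; subnets are the ones from the post.
lan_if      = "em1"
lan_net     = "{ 192.168.11.0/24, 192.168.3.0/24, 192.168.8.0/24 }"
other_local = "{ 192.168.0.0/24, 10.0.0.0/24 }"
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Weak: the stock "Default allow LAN to any" rule. FTP (and ICQ,
# TeamViewer, anything else) leaves directly; the proxy never sees it.
# pass in quick on $lan_if from $lan_net to any keep state

# --- Block by default, then allow only what is required.

# Transparent proxy: redirect outbound HTTP to Squid, skipping private
# destinations ("Bypass for Private Address Space"). Translation runs before
# filtering, so the pass rule below must match the translated 127.0.0.1:3128.
rdr on $lan_if proto tcp from $lan_net to ! <private> port 80 -> 127.0.0.1 port 3128

# Default deny, logged, so blocked direct FTP attempts show up in the firewall log.
block in log on $lan_if all

# Redirected HTTP reaches Squid; from here on Squid's own ACLs decide.
pass in quick on $lan_if proto tcp from $lan_net to 127.0.0.1 port 3128 keep state

# DNS to the firewall itself (clients use pfSense as their resolver).
pass in quick on $lan_if proto { tcp udp } from $lan_net to ($lan_if) port 53 keep state

# Ping to the other local subnets, as the original poster wanted.
pass in quick on $lan_if inet proto icmp from $lan_net to $other_local icmp-type echoreq keep state

# No pass rule for tcp/21: FileZilla's direct FTP connection now hits the
# default block instead of leaving through the firewall's own rules.
```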



  • Okay, I think I got it working by setting up the LAN Rules now.
    Thanks everyone who helped me :)

    Regards,
    Stefan



  • Stefan, sorry - don't know if I'm allowed to do this, but I have the opposite problem.

    I can't close the FTP port no matter what I do?
    I've checked the FTP boxes, unchecked them, etc.

    Any help greatly appreciated! Please overlook my stupidity.



  • Usually better to start a fresh thread, particularly if you know that your problem is different.

    Are you running Squid?  Is your FTP client using Squid?

