Proxy allows everything..?
-
Hello everyone,
I'm having a problem with our Proxy Server since it somehow lets everything go through it.
For instance, I've been trying Filezilla FTP Connection to an external FTP Server without
setting up a Proxy in the tool and see: Everything connects just fine.Why is that the case? We are allowing FTP in our Firewall rules, but that shouldn't be saying
that our proxy should simply bypass allowed traffic directly to the firewall.Our Proxy runs on the following Settings:
Interface: LAN
Allow Users on Interface: Yes
Transparent Proxy: Yes
Bypass for Private Adress Space: YesAllowed Subnets:
192.168.0.0/24
192.168.11.0/24 (LAN Subnet)
192.168.3.0/24 (LAN Subnet)
192.168.8.0/24 (LAN Subnet)
10.0.0.0/24Tested it with the latest Filezilla version, as said, without any Proxy settings
and my NIC is set to Gateway & DNS = PFsense.Thanks in advance for your help.
Kind regards,
Stefan -
Could the FTP rules be ahead of the Proxy ones??
-
They shouldnt be, because the Traffic basically (should atleast) goes to the proxy
and then the proxy either blocks it or passes it to the firewall.. -
I know…:)
-
I'm confused - you say that you're allowing FTP in your firewall rules, so why wouldn't you expect an FTP connection to work, bypassing the proxy?
Remember too that in pfSense the firewall rules apply to traffic inbound on that interface. Any traffic that uses the proxy server can only be limited by the proxy server itself, since the client is only communicating with the proxy.
-
Isn't the Squid package in pfSense configured to only proxy http traffic?
-
Isn't the Squid package in pfSense configured to only proxy http traffic?
No, squid allow ftp proxy too…
-
Unless you have redirected port 21 to the squid service, FTP isn't being passed through squid. It is instead using the FTP proxy that is written into pfsense.
-
It wouldn't matter if Squid only proxied HTTP traffic. Because you allow outbound FTP any FTP client can connect to an FTP server on the Internet. If you don't want that then you have to block the traffic (or better yet, block all traffic and only allow what you need).
-
Actually the firewall should block everything except the traffic that get's passed to it by the proxy
So if people (For instance, again) want to use ICQ, Teamviewer or something like that, they'd have
to use the Proxy. So do i have to reject everything except the things i want to work? (would be http
for proxy, ping to other interfaces, etc)Regards,
Stefan -
There is, unless you've disabled it, a default rule on the LAN interface to allow all traffic. The only sane way to configure a firewall is to block by default and then allow the ports and protocols you require (as I've already said).
-
Okay, I think I got it working by setting up the LAN Rules now.
Thanks everyone who helped me :)Regards,
Stefan -
stephan sorry- dono if im allowed to do this but i have he opposite prob.
i cant close the ftp port no matter what i do?????
ive checked the ftp boxes, unchecked them etc etc etcany help greatly appreciated! pleaseoverlook my stupidity
-
Usually better to start a fresh thread, particularly if you know that your problem is different.
Are you running Squid? Is your FTP client using Squid?
