Netgate Discussion Forum
    Firewall rules are not evaluated when squid is enabled?

    Cache/Proxy
    4 Posts 3 Posters 513 Views
    oferkes

      Hi,

      I've read everything I could find about this, however I still don't understand why things are working as they are.
      I'm running pfSense 2.6.0-RELEASE, with squid installed and enabled on the LAN interface.
      I created a simple LAN firewall rule to reject any traffic to port 80, and set Firefox to use the squid proxy in the browser settings.
      I'm able to get to http websites with the rule enabled (neverssl.com for example).
      When I configure Firefox to 'no proxy', http traffic is rejected as I want it to be.
      I read that it might be related to squid adding a firewall rule for the transparent http proxy option that is not visible in the GUI, so I checked with the pfctl -sr command, and I don't see any added/removed lines with this option enabled or not.
      Is this how it should work or am I missing something in my configuration?

      Thanks,
      Ofer

      KOM @oferkes

        @oferkes It's how it should work. You block tcp/80, people can't go direct and must go through the proxy. The proxy listens on tcp/3128 and is not affected by your LAN block.

        johnpoz LAYER 8 Global Moderator @oferkes

          @oferkes said in Firewall rules are not evaluated when squid is enabled?:

          set firefox to use squid proxy in the browser settings.

          If you specifically set Firefox to use the proxy, then yeah, as @KOM stated, it's WAD..

          There are 2 different modes - one where the proxy intercepts traffic, and one where the proxy is explicitly set in the browser.

          Be it you set the proxy in the browser to, say, the squid port 3128 or it was auto-discovered, that is different from a "transparent" proxy, where the browser doesn't know there is a proxy and the proxy says "oh, that is traffic I should proxy" and it is intercepted.

          Transparent can be problematic.. But either way, if your goal is to use a proxy but not allow access to some website, then you should block that access in the proxy, and also block direct access.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
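          The two modes johnpoz describes, as an added example that is not part of the thread: a small model of pf rule evaluation showing why the OP's LAN reject-80 rule never sees explicit-proxy traffic (the browser connects to 3128) and why an intercepting setup relies on a rdr rule that pf applies before the filter rules. The IP addresses and the rdr rule are constructed for the example; in real pf, filter rules see the translated packet, which is what the model reproduces.

```python
from dataclasses import dataclass

PROXY_PORT = 3128  # squid's listener, as stated in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed rdr rule, modelled on what a transparent (intercepting) proxy
# setup installs: traffic to tcp/80 on LAN is redirected to squid's port.
# In pf, rdr translation happens before filtering, so the filter rules below
# see the *translated* destination port.
RDR_TRANSPARENT = [(80, "127.0.0.1", PROXY_PORT)]

# The OP's LAN ruleset: reject anything to tcp/80, otherwise the usual
# "LAN to any" pass rule. First match wins, as in pf "quick" rules.
FILTER_RULES = [
    ("reject", 80),
    ("pass", None),
]


def apply_rdr(pkt, rdr_rules):
    """Return the packet as the filter will see it after any rdr translation."""
    for match_port, new_dst, new_port in rdr_rules:
        if pkt.dport == match_port:
            return Packet(pkt.src, new_dst, new_port)
    return pkt


def filter_packet(pkt, rules):
    """First-match evaluation; a port of None matches anything."""
    for action, port in rules:
        if port is None or pkt.dport == port:
            return action
    return "reject"


def outcome(mode, rdr_rules=()):
    """mode: 'direct' (no proxy), 'explicit' (browser set to 3128), 'transparent'."""
    if mode == "explicit":
        # Browser opens the connection to the firewall's proxy port itself.
        pkt = Packet("192.0.2.10", "192.0.2.1", PROXY_PORT)
    else:
        # Browser opens the connection to the web site on tcp/80.
        pkt = Packet("192.0.2.10", "198.51.100.20", 80)
    if mode == "transparent":
        pkt = apply_rdr(pkt, rdr_rules)
    return filter_packet(pkt, FILTER_RULES)
```

          Note that pfctl -sr lists only filter rules; pf's NAT and rdr rules are shown by pfctl -sn, which is where an intercepting-proxy redirect would appear.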

            oferkes

            It is clear now, thank you both for the replies.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.