Squid port 3128 and Firewall Rules

Reply to Squid port 3128 and Firewall Rules on Sun, 12 Jan 2025 17:00:27 GMT

JonathanLee — Sun, 12 Jan 2025 17:00:27 GMT

Could it be set flags SYN ACK ? and or state type keep or sloppy ?

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 20:07:49 GMT

JonathanLee — Sat, 21 Oct 2023 20:07:49 GMT

@mcury

Thanks all I see is WAN blocks now !! YES!!! THANK YOU

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:55:34 GMT

mcury — Sat, 21 Oct 2023 19:55:34 GMT

@JonathanLee said in Squid port 3128 and Firewall Rules:

@mcury Thanks!!!! that helps a lot I no longer see double requests for everything and it all still works!!! The XBOX uses transparent and UpNp and all the devices that know about the proxy don't need the transparent!!! YES!!!

Oh, good to hear that :)

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:54:49 GMT

JonathanLee — Sat, 21 Oct 2023 19:54:49 GMT

@mcury Thanks!!!! that helps a lot I no longer see double requests for everything and it all still works!!! The XBOX uses transparent and UpNp and all the devices that know about the proxy don't need the transparent!!! YES!!!

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:43:36 GMT

mcury — Sat, 21 Oct 2023 19:43:36 GMT

@JonathanLee said in Squid port 3128 and Firewall Rules:

How do you bypass for example one host like 192.168.1.17 from the SSL intercept but still make it use the the transparent proxy?

1- Disable transparent proxy
2- You would have to create the transparent NAT manually, using a ! in the source, with that IP address.
3- That NAT would have to redirect outbound TCP 443 connections to 127.0.0.1 3128.

Test like that, if doesn't work, try to change the port in the 3rd step to 3129.

I think that will do it.

Note that you would also need to create one for port 80.

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:38:08 GMT

JonathanLee — Sat, 21 Oct 2023 19:38:08 GMT

@mcury How do you bypass for example one host like 192.168.1.17 from the SSL intercept but still make it use the the transparent proxy?

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:29:49 GMT

mcury — Sat, 21 Oct 2023 19:29:49 GMT

@JonathanLee said in Squid port 3128 and Firewall Rules:

@mcury Yes I do have both, my XBOX uses the transparent side

Have you bypassed all other hosts that don't need transparent proxy in the Squid settings ?

Disable transparent proxy for one sec and test.

If it works, enable it again and try to bypass clients that are pointing to the proxy (explicit) in the transparent settings.

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:24:42 GMT

JonathanLee — Sat, 21 Oct 2023 19:24:42 GMT

@mcury Yes I do have both, my XBOX uses the transparent side

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:15:09 GMT

mcury — Sat, 21 Oct 2023 19:15:09 GMT

@JonathanLee

# default deny rules
#---------------------------------------------------------------------------
block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"

I suppose you have transparent proxy also enabled ? For systems that can't set a proxy by hand ?
If that is the case, disable transparent proxy for one second to see if it is not related to the rdr pass you have up there

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:06:50 GMT

JonathanLee — Sat, 21 Oct 2023 19:06:50 GMT

@mcury said in Squid port 3128 and Firewall Rules:

cat /tmp/rules.debug

Rule

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:05:03 GMT

JonathanLee — Sat, 21 Oct 2023 19:05:03 GMT

@mcury Yes I have floating rules for traffic shaping

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 19:01:19 GMT

mcury — Sat, 21 Oct 2023 19:01:19 GMT

@JonathanLee Its blocking out connections, from pfsense to the host, with a default deny ipv4 rule?

Check with cat /tmp/rules.debug in the shell, search for that rule.

Do you have any floating rules ?

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:57:33 GMT

JonathanLee — Sat, 21 Oct 2023 18:57:33 GMT

@mcury any other ideas?

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:55:54 GMT

JonathanLee — Sat, 21 Oct 2023 18:55:54 GMT

Dang still blocks

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:54:53 GMT

mcury — Sat, 21 Oct 2023 18:54:53 GMT

@JonathanLee said in Squid port 3128 and Firewall Rules:

Changed to conservative optimization

I think that will do it..

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:53:13 GMT

JonathanLee — Sat, 21 Oct 2023 18:53:13 GMT

@mcury Done set it back to how I had it.

Rules normalized

Changed to conservative optimization

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:51:02 GMT

mcury — Sat, 21 Oct 2023 18:51:02 GMT

@JonathanLee said in Squid port 3128 and Firewall Rules:

Maybe they are my URL blocks that still try to connect?

I can't see how could be that.

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:49:34 GMT

mcury — Sat, 21 Oct 2023 18:49:34 GMT

@JonathanLee Leave only one rule, clients to default gateway, TCP port 3128.
Leave this rule with default settings.

Try this:

There, where you see Firewall Optimization Options, change to conservative.

Note that this option will increase memory usage of the firewall.

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:49:31 GMT

JonathanLee — Sat, 21 Oct 2023 18:49:31 GMT

@mcury Maybe they are my URL blocks that still try to connect?

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:46:15 GMT

JonathanLee — Sat, 21 Oct 2023 18:46:15 GMT

@mcury I even have any flag set for all the rules tested

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:44:27 GMT

JonathanLee — Sat, 21 Oct 2023 18:44:27 GMT

@mcury I wonder why it keeps doing it, it does it for every single lan device in the logs all day. But everything is working on the user end.

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:41:33 GMT

mcury — Sat, 21 Oct 2023 18:41:33 GMT

@JonathanLee If that is not a TCP:S, it should be an out of state connection.
Could be asymmetric route but I don't think that is the case.

All you need is to allow clients to connect to their gateway IP address (pfsense), on port 3128.

Port 3128 will handle SSL connections too. I don't remember ever having to use port 3129.

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:42:42 GMT

JonathanLee — Sat, 21 Oct 2023 18:42:42 GMT

this was also tested

Reply to Squid port 3128 and Firewall Rules on Sat, 21 Oct 2023 18:40:19 GMT

JonathanLee — Sat, 21 Oct 2023 18:40:19 GMT

this was also tested