Blocking ports on the pfsense computer



  • I'd like to be able to schedule port blocking (to squid) so that at certain times of the day I am able to selectively block the internet.

    I am able to block direct access, but access through the proxy seems unblockable.  I am unable to block any local IP from accessing the IP of the pfsense computer (on the LAN side).

    Blocks seem to work for forwarding rules fine, but I don't seem to be able to figure out a way to block for traffic to the server itself (without creating my own complex scripts, which would defeat the purpose).

    What am I missing?

    Thanks



  • Perhaps it's not the same thing, but when you mention problems with blocking and Squid in the same post...
    http://forum.pfsense.org/index.php/topic,23306.0.html



  • OttO,

    A most interesting link … thanks ... it seems to be much along the same lines as I am attempting to do.  I still do not seem to be able to block any particular IP on the LAN side of the network from pinging or connecting in any other manner to the pfsense host.  The firewall rules do work for traffic that passes through however ... as is expected.

    I will have to tinker further, but if anyone can confirm that the firewall rules should work for access to the pfsense host, please let me know.

    Thanks again
    David


  • Rebel Alliance Developer Netgate

    You can install squidGuard and I believe it has a way where you can setup a schedule with two different levels of access for different time periods.



  • @dlucas:

    A most interesting link … thanks ... it seems to be much along the same lines as I am attempting to do.  I still do not seem to be able to block any particular IP on the LAN side of the network from pinging or connecting in any other manner to the pfsense host.  The firewall rules do work for traffic that passes through however ... as is expected.

    All my blocking works perfectly after removing Squid.

    I have set MACs to specific IPs on the interface (DHCP server); then I have a number of IPs in aliases, and then I have Schedules. I use the aliases and schedules in FW rules for LAN, and they do work as intended.

    I would try completely uninstalling Squid (when you re-install it, I think all settings are entered again since they are in the config) and see if it does work without Squid.

    I used the transparent proxy; maybe it's different if one sets the proxy manually in the clients.


  • Rebel Alliance Developer Netgate

    Squid puts in a pass rule for the proxy when transparent proxy is enabled, and no rule you enter manually can override this.
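    To see why a scheduled block rule loses to the package's rule, here is an added example (not pfSense or Squid code) that models two pf behaviours in a few lines of Python: the transparent-proxy rdr rewrites port-80 traffic to the local proxy before filtering, and among matching filter rules the last one wins unless a matching rule is `quick`, which ends the search. The ruleset, addresses (192.168.1.0/24, 203.0.113.10) and labels are constructed; the package rule is placed ahead of the user rules, as the post above describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # "any", a host address or a CIDR
    dst: str
    dport: Optional[int]   # None matches any destination port
    quick: bool = False
    label: str = ""

def _match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def transparent_rdr(dst: str, dport: int, lan_ip: str, proxy_port: int):
    """Model of the rdr Squid adds in transparent mode: outbound port-80 traffic
    is rewritten to the local proxy before the filter rules ever see it."""
    if dport == 80 and dst != lan_ip:
        return "127.0.0.1", proxy_port
    return dst, dport

def evaluate(rules, src, dst, dport, rdr=None):
    """Simplified pf semantics: translation first, then rules in order; the last
    matching rule wins unless a matching rule is 'quick', which ends the search."""
    if rdr:
        dst, dport = rdr(dst, dport)
    verdict = ("pass", "default")
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst) and r.dport in (None, dport):
            verdict = (r.action, r.label)
            if r.quick:
                break
    return verdict

LAN_IP, PROXY_PORT, KID_PC = "192.168.1.1", 3128, "192.168.1.50"   # constructed

# Constructed ruleset in the order pfSense loads it: the package-generated
# Squid pass rule comes first, the admin's own LAN rules after it.
SQUID_PASS = Rule("pass", "any", "127.0.0.1", PROXY_PORT, quick=True, label="squid transparent proxy")
USER_BLOCK = Rule("block", KID_PC, "any", None, quick=True, label="scheduled block of kid pc")
LAN_ALLOW = Rule("pass", "192.168.1.0/24", "any", None, quick=True, label="default allow LAN to any")

def _rdr(dst, dport):
    return transparent_rdr(dst, dport, LAN_IP, PROXY_PORT)

def web_with_squid():
    # Kid PC browsing to an outside web server while Squid is installed.
    return evaluate([SQUID_PASS, USER_BLOCK, LAN_ALLOW], KID_PC, "203.0.113.10", 80, rdr=_rdr)

def web_without_squid():
    # The same request after Squid (its rdr and its pass rule) is removed.
    return evaluate([USER_BLOCK, LAN_ALLOW], KID_PC, "203.0.113.10", 80)
```

With Squid present the request is rewritten to 127.0.0.1:3128 and the quick pass rule matches before the block rule is ever reached; without Squid the same block rule takes effect, which is what the earlier post observed after uninstalling it.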



  • @jimp:

    Squid puts in a pass rule for the proxy when transparent proxy is enabled, and no rule you enter manually can override this.

    Ok, that sounds like a pretty crucial note then, I'll put it in my pfS book somewhere.

