Patch improving anti-lockout, also squid



  • The web-interface anti-lockout rule would benefit from an enhancement to prevent redirecting lan traffic away from the pfsense box port 80. With this added, you can use the regular pfsense port forward to redirect port 80 to a lanside box running a transparent squid proxy without blocking access to the pfsense web interface.

    Recipe: Create a vlan on pfsense and the squid box, and have the squid box send all its outgoing requests to the vlan gateway on pfsense. Then add a port forward rule on the lan interface sending all the port 80 traffic to the vlan squid box ip. Don't forget to create an outbound nat on the vlan interface to translate all lan requests to the vlan interface, otherwise the squid box's replies from browser requests will get lost. Anyhow, here's the filter.inc change to preserve access to the pfsense web interface when otherwise forwarding port 80 on the lan interface:

    --- /home/quiet/Desktop/filter.inc 2010-04-24 21:29:40.000000000 -0500
    +++ filter.inc 2010-04-24 12:37:43.000000000 -0500
    @@ -629,6 +629,9 @@

    $natrules .= "# FTP proxy\n";
    $natrules .= "rdr-anchor "pftpx/*"\n";

    • if (!isset($config['system']['webgui']['noantilockout'])) {
    • $natrules .= "no rdr on $lanif inet proto tcp from any to $lanip port = http\n";
    • }

    update_filter_reload_status("Creating 1:1 rules…");
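Review bot: the added exemption hardcodes `port = http` and only `$lanip`, so it protects the web interface only when the GUI listens on port 80 on the LAN address; since the block already reads `$config['system']['webgui']` for the `noantilockout` flag, consider taking the configured webGUI port from the same place so the `no rdr` follows the real listener. Also worth a short comment in the code that this line must stay ahead of the 1:1 and port-forward rules emitted after it: pf applies the first matching translation rule, so a `no rdr` placed after the port forward would have no effect and the lockout would return.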

    @@ -3342,4 +3345,4 @@

    }

    Cheers and thanks for such a great project.
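For readers who want to see what the recipe above produces at the pf level, here is the equivalent set of rules written out by hand. This is an added example and not part of the post or of pfsense's filter.inc; the interface names, addresses and squid listening port are constructed placeholders, and the rule order is the point: the `no rdr` for the firewall's own address has to come before the port forward.

```pf
# Added example, not from the original post. Interface names, addresses
# and the squid port (3128) are assumed placeholders.
lan_if  = "em1"
lan_ip  = "192.168.1.1"
vlan_if = "em1_vlan10"
squid   = "192.168.10.2"

# 1. Exempt the firewall's own web interface from any later redirection.
#    pf uses the first matching translation rule, so this line must sit
#    above the port forward; put it below and the forward wins and the
#    web interface becomes unreachable from the LAN.
no rdr on $lan_if inet proto tcp from any to $lan_ip port = http

# 2. Transparent proxy: send the remaining LAN port-80 traffic to squid
#    on the vlan (3128 is squid's intercept port here, an assumption).
rdr on $lan_if inet proto tcp from $lan_if:network to any port = http -> $squid port 3128

# 3. Outbound NAT on the vlan so squid sees the firewall's vlan address
#    as the client and its replies come back through pfsense instead of
#    being lost.
nat on $vlan_if from $lan_if:network to any -> ($vlan_if)
```

Rules 2 and 3 correspond to the port forward and outbound NAT the post describes; rule 1 is what the filter.inc change generates. A quick way to confirm the order after a reload is `pfctl -s nat`, which lists translation rules in the order pf evaluates them.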

