I think I'm in the right direction, but not sure.
Hey, I need some help. My dad and I service PCs on a regular basis, as a hobby most of the time. Our ISP is complaining that we're spamming; I figure it's all the infected machines passing through. I need to build an isolated LAN quarantine to add to my current pfSense box.
Basically I need to firewall incoming and outgoing all ports but somehow allow web access to download updates/utilities/drivers etc..etc..
Right now in rules this is what I have set up (interface tabs: LAN, WAN, DMZ, wifi, Quarantine; these rules are on the Quarantine tab):

Action  Proto  Source          Port  Destination  Port  Gateway  Schedule  Description
Allow   UDP    Quarantine net  *     10.10.10.1   53    *
Block   *      *               *     DMZ net      *     *
Block   *      *               *     LAN net      *     *
DMZ is for VOIP and Videophone.
Lan is our home network.
Works great. I see in the firewall log that it blocked a few infected machines trying to DDoS a few websites and spambots trying to use port 25.
That's great and all, but how do I just allow web access? NOT WEB SERVER
I figure installing squid and setting it up as a transparent proxy might work, but all I get on the machines is blank pages in Firefox/Chrome and a connection error in IE.
I have never set up a web proxy server before, so I'm not sure what I'm doing wrong.
Squid is running in Status > Services.
I also used this doc, but it doesn't offer very much.
My goal is to create a quarantine LAN with web access only.
Can't. If you open HTTP (port 80) and they are programmed to use any port, then they will use it (port 80). pf goes by ports, not protocol.
Sorry, I must be tired, I'm not following you. Clear it up for me?
XIII is saying that if you open port 80, then the spam bots might hijack that port as well.
You have two options as I see it:
a. Open port 80 and port 443 and chance a bot using port 80 or 443.
b. Run a web proxy like squid on a random port like 555.
Option b seems like the best option you have to keep things safe and quarantined.
Now that I think of it, since you have squid running… don't run squid in transparent mode. Also, why don't you clean the systems before putting them on a network? If I were doing the work, I would clean each system before putting it on a network to get updates and such.
Because we're too lazy to plug in and swap USB sticks. LOL! Frankly, it's simpler to network and get everything we need from one computer than having to KVM between two machines.
Squid isn't really working; basically, I must be missing something here. Nothing is being proxied, nothing is loading.
I must have it set up wrong.
Make sure your browsers' proxy settings are set to your squid settings.
I can't get proxy to work.
No one has really told me what I'm doing wrong with squid and why nothing is loading, even after I set the browser to 10.10.10.1:3128.
Transparent enabled or disabled, nothing is working, even though squid is running.
Pages load as "untitled", or blank, or not at all.
In "States", if I make a request for a website, I get:
127.0.0.1:80 <- 18.104.22.168:80 <- 10.10.10.150:9661
But it shouldn't be doing this.
What am I doing wrong?
This should help: http://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy
I wouldn't do transparent mode but it's up to you.
I just did that. Does no one even read?
Forget it. I'm not getting much help here.
I'll just do a firewall alias and block common ports, and take my chances.
So your plan is to be a jerk to someone who was trying to help you? Great plan.
I don't see that much of any help was really given.
Mad Professor: It is possible that since you are trying to block everything, you may even be blocking access to your proxy. For the transparent mode, try adding a rule that allows access to 127.0.0.1:80 (based on that states entry you posted). For non-transparent mode, you want a firewall rule allowing access to your proxy server port on the proxy's IP address.
Even in transparent mode, it will at least block outgoing connections on port 80 that are not HTTP traffic, though the alternate port idea might also be a good idea if it isn't too much of a burden and you remember to change the proxy settings back before you return the systems to their owners. If you don't want to have to remember to do that, it would probably be best to just use the transparent mode.
As a precaution, I'd suggest having a network specifically for connecting those infected systems - one that you maybe even only connect one system at a time to it when you are connecting potentially infected systems. If you need to be able to connect more than one potentially infected system (or mix infected with non-infected), you could use a managed switch to block communication between computers on the LAN, except to the port where your router is attached. This way you can prevent potential cross-contamination.
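The quarantine policy efonne describes, written as a pf ruleset (an added example, not the thread's own rules or the rules pfSense generates): DNS and the explicit squid port on the firewall are the only things reachable, the LAN and DMZ are blocked outright, and everything else is logged and dropped. The interface name, the 10.10.10.0/24 quarantine subnet, the LAN/DMZ subnets and squid on 10.10.10.1:3128 are assumptions; only 10.10.10.1 and port 3128 appear in the thread.

```pf
# Added example, not from the thread or pfSense. Interface and subnet
# values below are assumptions for illustration.
quar_if    = "em4"
quar_net   = "10.10.10.0/24"
fw_ip      = "10.10.10.1"
lan_net    = "192.168.1.0/24"   # assumed home LAN subnet
dmz_net    = "192.168.2.0/24"   # assumed VOIP/videophone DMZ subnet
proxy_port = "3128"             # squid port the browsers are pointed at

# Transparent alternative (translation rules must precede filter rules in pf):
# redirect raw port-80 traffic into squid on loopback instead of using the
# explicit pass rule further down. Uncomment only one of the two approaches.
# rdr on $quar_if proto tcp from $quar_net to any port 80 -> 127.0.0.1 port $proxy_port

# Default deny on the quarantine interface. Last matching rule wins unless
# "quick" is set, so this catches anything the quick rules below do not pass;
# logging it is what shows the port-25 spambot and DDoS attempts in the log.
block in log on $quar_if

# Quarantined hosts may never talk to the home LAN or the DMZ.
block in quick on $quar_if from $quar_net to { $lan_net, $dmz_net }

# DNS only to the firewall's own resolver, matching the existing Allow rule.
pass in quick on $quar_if proto udp from $quar_net to $fw_ip port 53 keep state

# Explicit proxy: the only TCP path out is squid on the firewall itself, so a
# bot opening its own connection on 80 or 443 gets nothing.
pass in quick on $quar_if proto tcp from $quar_net to $fw_ip port $proxy_port flags S/SA keep state

# Pair with the rdr above for transparent mode: after translation the filter
# sees the connection as destined for squid on loopback, which is why the
# posted state entry pointed at 127.0.0.1 and needed its own pass rule.
# pass in quick on $quar_if proto tcp from $quar_net to 127.0.0.1 port $proxy_port keep state
```

In the pfSense GUI these map to rules on the Quarantine tab in the same top-to-bottom order, with the transparent rdr handled by the squid package rather than entered by hand. Squid itself still needs its own ACL restricting clients to the quarantine subnet, which this ruleset does not replace.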
Thank you efonne. I ended up removing the sixth NIC from my pfSense box, and when I did that, I broke pfSense completely. I couldn't do anything like get to the shell locally or SSH into the box, something about 214 xml, even though dhcpd was still working. I had to do a wipe and reload; I had a configuration backup from just before I started messing with it. I'll set up another pfSense box to try your suggestion; if it works, I'll implement it on my primary. If it doesn't work, I'll get a managed switch.