HAVP + Squid causes firewall ruled bypass.
-
Config: (vmware team test enviro) pfSense 1.2.3, 2 NICs: 1 WAN, 1 LAN
I've installed Squid, Squidguard, and HAVP and configured according to
directions found in doc (http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_Scanning)When configured with the Scheme: {inet}->[HAVP]->[Squid cache]->{clients} (HAVP as parent for Squid),
The firewall rules (at least for web access) are bypassed completely.I tested this by disabling all rules, which should result in an implicit "Block All". Also added and explicit "Block All" rule.
When configured with the second scheme (according to doc), Squid as parent, then everything appears to behave as expected.
-
Squid puts a redirect in for http (port 80) traffic that directs it to the proxy. This happens above all of the other firewall rules.
If you want to have squid installed in transparent mode and still selectively block local PCs from internet traffic, use squid's ACLs or put them in the list in squid's GUI to bypass the proxy.