HAVP + Squid = Firewall Rule Bypass.

  • Testing Config: (VMware Team) pfSense 1.2.3, 2 NICs: 1 WAN, 1 LAN

    I've installed Squid, SquidGuard, and HAVP and configured them according to the
    directions found in the doc (http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_Scanning).

    When configured with the scheme {inet}->[HAVP]->[Squid cache]->{clients} (HAVP as parent for Squid),
    the firewall rules (at least for web access) are bypassed completely.

    I tested this by disabling all rules, which should result in an implicit "Block All". I also added an explicit "Block All" rule, with no effect.

    It appears that possibly when chained together in this configuration, pfSense as a proxy is now communicating for the client and thus is able to connect to the web, access the content and then deliver it without the client actually ever having to go "through" the firewall.

    When configured with the second scheme, according to the docs ({inet}->[Squid cache]->[HAVP]->{clients}, Squid as parent), everything appears to behave as expected. At least as far as I can tell.

    The only anomaly is if I remove/disable all rules or set an explicit block, then restart the firewall. The rules appear to be enforced and blocking traffic. However, as soon as I enable/add a rule to allow access through, it opens the hole until the next restart, even if I go back and disable/remove the rule.

    Any insight, assistance, assurance, would be great.

    (I'm trying to find a replacement for my IPCop firewall.)

    Side Note: I like being able to have MAC address based rules as an option. It seems that I can accomplish the same result with a little extra work. I also like that pfSense seems to be a bit more actively developed, with a full-fledged package system including HAVP, a key item for my setup.

    Any input before I put this system into main production would be great.
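The mechanism the poster suspects in the first scheme is worth spelling out in pf terms. LAN rules match packets arriving on the LAN interface; a client that talks to a proxy running on the firewall never sends a packet "to any port 80" across that interface, and the fetch the proxy performs leaves on WAN as the firewall's own connection. The fragment below is an added illustration in plain pf.conf syntax, not pfSense's generated ruleset and not code from the linked doc; the interface names, LAN subnet, and the `squid`/`havp` account names are assumptions.

```pf
# Added illustration of why LAN-interface rules do not police proxied fetches.
# Interface names, subnet and process account names are assumptions.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# What a LAN "block web" rule actually sees: client packets entering the LAN
# interface with a remote web server as destination.
block in quick on $lan_if proto tcp from $lan_net to any port { 80, 443 }

# A proxied client never triggers that rule: its packets are addressed to the
# firewall itself (the proxy listener, or a transparent redirect to it), so the
# only thing the LAN rule must allow is the client-to-proxy hop.
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port 3128

# The real fetch leaves WAN as the firewall's own traffic. A ruleset that lets
# the firewall host out (assumed here, as most rulesets do) therefore delivers
# the page regardless of what the LAN rules say.
pass out on $wan_if proto tcp from ($wan_if) to any keep state

# To police proxy-originated fetches you must match them where they exist: on
# the outbound path, by the local user that owns the socket. The account names
# are assumptions; confirm with `ps -axo user,command | egrep 'squid|havp'`.
block out quick on $wan_if proto tcp from ($wan_if) to any port { 80, 443 } user { squid, havp }
```

Two caveats for anyone reproducing the test. First, pfSense regenerates its pf ruleset from the web GUI, so a hand-edited pf.conf like the one above is only for understanding the packet path, not something to paste into the box. Second, on the "hole stays open until restart" observation: reloading a pf ruleset does not remove entries already in the state table, so connections (and long-lived proxy-to-server sessions) admitted under an allow rule keep flowing after that rule is deleted until the states expire or are flushed (`pfctl -F states`, or pfSense's reset-states function), which is worth ruling out before concluding the rules themselves are ignored.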