Block almost everything and use Squid?



  • Okay, so I'm trying to figure out how to lock down a public Wi-Fi I setup. It has Squid in transparent proxy mode, and that works great. Now I want to block all traffic from the public Wi-Fi (OPT1) to the Internet except port 443. Port 80 should be redirected to Squid, if I understand correctly.

    Do I simply need to create firewall rules on OPT1 with the first rule being 443 to any, allow; the second rule being any to LAN address, allow, and the third rule being a default deny all?

    Thanks!

    Mark



  • Well that didn't work….



  • The deny rule is redundant as this is the default firewall action.

    allow tcp from wlan net to wlan address squid port
    allow tcp from wlan net to any 80,443

A wpad on dhcp could be a good option; this way you can use squid as an http, https and ftp proxy.

Regards,
    Marcello Coutinho



  • This is for public Wi-Fi so I can't do anything that requires user configuration.

    I allowed TCP/UDP to any port 80, port 443, and port 53. I allowed TCP/UDP any to LAN address and OPT1 address. I think that should've accomplished what you said but nothing worked, including HTTPS sites.



  • @markuhde:

    This is for public Wi-Fi so I can't do anything that requires user configuration.

    wpad via dhcp does not require auth or user config.

Did you check the outbound NAT rules?

Can you screenshot the rules you created?



Sure, I'll screenshot them tomorrow; the rules are all still there (with a final allow all).

And doesn't it require users to have proxy auto-configuration enabled? This network is wide open, and while proxying HTTPS to filter content would be NICE, it's ESSENTIAL that any Wi-Fi compatible device can connect with zero hassle.



  • @markuhde:

    And doesn't it require users have proxy auto-configuration enabled?

IIRC, with DHCP it will work with browser autodetect on or off.

Leave both configured.
If the user can use the proxy, it will use squid; if not, your 443 rule will do the job.



  • @marcelloc:

A wpad on dhcp could be a good option; this way you can use squid as an http, https and ftp proxy.

    I think your proposed scenario is best, however how do you serve the wpad file to the clients? Is it possible to do this from pfsense's own webserver?

PS: I just checked and it seems pfsense's lighttpd does have the necessary MIME type for .pac.

PPS: Basically I'm asking if someone has actually tested this setup in production and what, if any, issues you encountered. Does it work OK if the dhcpd option directs the clients to retrieve the proxy autoconfig .pac file from a webserver running at a non-standard port (e.g. 8000 in the case of pfsense's CP, http://192.168.0.1:8000/wpad.pac), or do some clients have problems with a non-standard port? etc …

    PPPS: On second thought, the scenario I described in my previous paragraph shouldn't occur, due to ipfw port forwarding ...



You can use it as a .js file (proxy.js).
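As an added example (not code posted in this thread, and not pfSense's or Squid's own), here is the kind of proxy auto-config file the WPAD-over-DHCP suggestion and the .pac/proxy.js question above are talking about. It assumes pfSense at 192.168.0.1 (matching the URL quoted above) with Squid listening on 3128, and that the public Wi-Fi clients sit in 192.168.0.0/24; both are assumptions, not values from the thread. Browsers normally supply helpers such as isInNet() and shExpMatch() to a PAC script, but this version uses only plain string operations so the decision logic can be checked outside a browser with node before it is served.

```javascript
// wpad.pac (or proxy.js) - added example, not from the original thread.
// Assumed: pfSense/Squid at 192.168.0.1:3128, Wi-Fi clients in 192.168.0.0/24.
// Written without PAC helper functions (isInNet, shExpMatch, ...) so it runs
// under node for testing as well as in a browser.

var SQUID = "PROXY 192.168.0.1:3128";

// Destinations that must never be sent through the proxy: the firewall /
// captive portal itself, other hosts on the client's own subnet, and plain
// hostnames without a domain (typically local devices).
function isLocalDestination(host) {
  if (host.indexOf(".") === -1) return true;          // e.g. "printer"
  if (host === "192.168.0.1") return true;             // pfSense itself (assumed)
  if (host.indexOf("192.168.0.") === 0) return true;   // client subnet (assumed)
  return false;
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var colon = url.indexOf(":");
  var scheme = colon === -1 ? "" : url.substring(0, colon).toLowerCase();

  if (isLocalDestination(host)) return "DIRECT";

  // Web and ftp traffic goes through Squid. No "; DIRECT" fallback is listed,
  // so a client that honours the PAC fails closed if Squid is down instead of
  // silently bypassing the filter; clients that ignore WPAD are still covered
  // by the transparent port-80 redirect and the port-443 firewall rule.
  if (scheme === "http" || scheme === "https" || scheme === "ftp") {
    return SQUID;
  }
  return "DIRECT";
}
```

To hand this file out, the DHCP server on OPT1 advertises its URL in DHCP option 252 (the "wpad" option), e.g. the http://192.168.0.1:8000/wpad.pac address mentioned above; the file must be served with the MIME type application/x-ns-proxy-autoconfig, which is the lighttpd setting referred to earlier. One caveat worth knowing when judging the "zero hassle" requirement: not every client honours option 252 (Firefox, for one, only performs the DNS-based wpad.&lt;domain&gt; lookup), so the firewall rules, not the PAC file, remain the enforcement point.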

