Order of processing firewall rules for port 80 (http) with squid (transparent)
I have a pfsense 2.0.1 running with 1 WAN and 6 VLANs.
As packages I am using squid2 and squidguard.
To limit the outgoing traffic/ports I set up firewall rules to just allow some ports I added into an alias. This seems to work fine.
Have a look at the attached screenshot.
Now I wanted to add an additional "block any to any" rule on the bottom of all the other rules and enable logging. I want that because I want to log all the traffic from one VLAN which is not allowed by the rules above, but I do not want to enable the "log all packets blocked by default rule" on syslog because this will log traffic from other VLANs, too.
But when I added this block any to any rule on the bottom I got many entries from "VLAN010 to 127.0.0.1:3128", which is my transparent proxy.
Why is this traffic blocked? Browsing the web isn't possible anymore after that.
Could someone please explain to me how the processing of firewall rules is happening when squid is installed in transparent mode?
And how to solve my problem?
Thank you very much!
No one who could give me some advice?
It is probably something simple…
What I do not understand is why the block "any to any" rule on the bottom is blocking traffic to the internet for port 80 but the default and invisible "block any to any" rule which is there by pfsense default does not block that traffic.
Thanks in advance.
I added the port 3128 from squid to the allowed TCP port alias. Now the traffic is passing through this rule for http traffic and now I can add my "block any to any rule" on the bottom to log all other ports without blocking the internet.
So it seems that http port 80 traffic will not be recognized by the firewall as port 80 traffic but as port 3128 traffic which is the default squid port.
And as destination IP it is the loopback address of pfsense.
And you must be careful when ordering the firewall rules with transparent squid because it seems to be like this:
1.) visible individual rules created by user in GUI
2.) invisible squid allow rule with source LAN subnet and destination 127.0.0.1:3128
3.) invisible block any to any default pfsense rule
And the rule I created was placed between point 1 and point 2 and so I blocked the squid rule. So I allowed the port 3128 to be handled by the rule in point one and so the http traffic never reaches point 2 rule.
I think that's the way the firewall rules are working with transparent squid.
If someone has any other suggestions please tell me. Hopefully someone else finds this useful.
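The rule order described in the post above, as a small Python model (an added example, not part of the original thread and not pfSense's actual ruleset). It assumes the redirect to 127.0.0.1:3128 happens before filtering and that the first matching rule wins, with the two hidden rules placed as the poster inferred; the `Rule` class, the function names and the 203.0.113.10 destination are constructed for illustration.

```python
from dataclasses import dataclass

PROXY = ("127.0.0.1", 3128)  # transparent squid listener named in the thread

@dataclass
class Rule:
    action: str          # "pass" or "block"
    dst_ip: str = "any"
    ports: tuple = ()    # empty tuple matches any port
    log: bool = False
    label: str = ""

    def matches(self, dst_ip, dst_port):
        ip_ok = self.dst_ip in ("any", dst_ip)
        return ip_ok and (not self.ports or dst_port in self.ports)

def redirect(dst_ip, dst_port):
    """Transparent-proxy redirect: applied before any filter rule is evaluated."""
    return PROXY if dst_port == 80 else (dst_ip, dst_port)

def evaluate(user_rules, dst_ip, dst_port):
    """Return (action, label, logged, destination the filter actually saw)."""
    seen = redirect(dst_ip, dst_port)
    ruleset = list(user_rules) + [
        Rule("pass", PROXY[0], (PROXY[1],), label="squid (hidden)"),  # assumed tier 2
        Rule("block", label="default deny (hidden)"),                 # assumed tier 3
    ]
    for rule in ruleset:  # first match wins
        if rule.matches(*seen):
            return rule.action, rule.label, rule.log, seen
    raise AssertionError("unreachable: default deny matches everything")

def user_rules(allowed_ports, with_logged_block):
    """Tier 1: the GUI rules, an allowed-ports alias plus an optional logged block."""
    rules = [Rule("pass", ports=tuple(allowed_ports), label="allowed-ports alias")]
    if with_logged_block:
        rules.append(Rule("block", log=True, label="user block any/any"))
    return rules

if __name__ == "__main__":
    web = ("203.0.113.10", 80)  # constructed sample destination
    cases = {
        "alias 80/443 only": user_rules([80, 443], False),
        "plus logged block": user_rules([80, 443], True),
        "plus 3128 in alias": user_rules([80, 443, 3128], True),
    }
    for name, rules in cases.items():
        print(f"{name:20} -> {evaluate(rules, *web)}")
```

In this model an alias entry for port 80 never matches web traffic, because the filter only ever sees the redirected destination port 3128.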