Netgate Discussion Forum

    Order of processing firewall rules for port 80 (http) with squid (transparent)

    Firewalling
    3 Posts 1 Posters 2.9k Views
      Nachtfalke

      Hello everybody,

      I have a pfSense 2.0.1 running with 1 WAN and 6 VLANs.
      As packages I am using squid2 and squidguard.

      To limit the outgoing traffic/ports I setup firewall rules to just allow some ports I added into an alias. This seems to work fine.
      Have a look at the attached screenshot.

      Now I wanted to add an additional "block any to any" rule at the bottom of all the other rules and enable logging. I want that because I want to log all the traffic from one VLAN which is not allowed by the rules above, but I do not want to enable "log all packets blocked by default rule" on syslog because this will log traffic from other VLANs, too.

      But when I added this block any to any rule at the bottom I got many entries from "VLAN010 to 127.0.0.1:3128", which is my transparent proxy.
      Why is this traffic blocked? Browsing the web isn't possible anymore after that.

      Could someone please explain to me how the processing of firewall rules happens when squid is installed in transparent mode?
      And how do I solve my problem?

      Thank you very much!
      Firewall.jpg

        Nachtfalke

        No one who could give me some advice?
        It is probably something simple…

        What I do not understand is why the "block any to any" rule at the bottom is blocking traffic to the internet for port 80, but the default and invisible "block any to any" rule which is there by pfSense default does not block that traffic.

        Thanks in advance.

          Nachtfalke

          Hi again,

          I added the port 3128 from squid to the allowed TCP port alias. Now the http traffic is passing through this rule, and I can add my "block any to any" rule at the bottom to log all other ports without blocking the internet.

          So it seems that http port 80 traffic will not be recognized by the firewall as port 80 traffic but as port 3128 traffic, which is the default squid port.
          And the destination IP is the loopback address of pfSense.

          And you must be careful when ordering the firewall rules with transparent squid because it seems to be like this:

          1.) visible individual rules created by user in GUI
          2.) invisible squid allow rule with source LAN subnet and destination 127.0.0.1:3128
          3.) invisible block any to any default pfsense rule

          And the rule I created was placed between point 1 and point 2, and so I blocked the squid rule. So I allowed port 3128 to be handled by the rule in point 1, and so the http traffic never reaches the rule in point 2.

          I think that's the way the firewall rules work with transparent squid.
          If someone has any other suggestions please tell me. Hopefully someone else finds this useful.
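To make the ordering described in this last post concrete, here is an added Python model (not pfSense or squid code, and not from the poster): it applies the transparent-proxy redirect first and then walks the rules in the order 1–3 above, so you can see why a user-level "block any" rule catches the 127.0.0.1:3128 flow while the invisible default block does not. The VLAN subnet, client and destination addresses are constructed placeholders, and the point that the rdr is applied before the filter rules is an assumption stated in the code.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
VLAN010 = "192.168.10.0/24"  # constructed placeholder for the logged VLAN's subnet
Packet = namedtuple("Packet", "src dst dport")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src_net: str                     # source subnet the rule matches
    dst: "str | None" = None         # None = any destination address
    dports: frozenset = frozenset()  # empty = any destination port
    log: bool = False

    def matches(self, pkt) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        return not self.dports or pkt.dport in self.dports

def transparent_redirect(pkt, lan_net: str):
    # Assumption: transparent squid installs a pf rdr rule that rewrites
    # LAN-originated port-80 traffic to 127.0.0.1:3128 before the filter
    # rules run, so the filter never sees the original port-80 destination.
    if pkt.dport == 80 and ip_address(pkt.src) in ip_network(lan_net):
        return Packet(pkt.src, "127.0.0.1", 3128)
    return pkt

def first_match(pkt, rules):
    # GUI rules are "quick": the first matching rule decides the packet's fate.
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name, r.log
    raise RuntimeError("ruleset must end with the default block rule")

def ruleset(alias_ports: frozenset, user_block: bool):
    # Order observed in the thread: user rules, squid's invisible allow, default block.
    user = [Rule("user: allow alias ports", "pass", VLAN010, dports=alias_ports)]
    if user_block:
        user.append(Rule("user: block any (logged)", "block", VLAN010, log=True))
    return user + [
        Rule("squid: allow to proxy", "pass", VLAN010, "127.0.0.1", frozenset({3128})),
        Rule("pfSense: default block", "block", "0.0.0.0/0"),
    ]

def http_outcome(alias_ports, user_block=True):
    client = Packet("192.168.10.23", "203.0.113.10", 80)  # constructed sample HTTP request
    return first_match(transparent_redirect(client, VLAN010), ruleset(alias_ports, user_block))
```

With only 80 and 443 in the alias the logged user block rule wins; adding 3128 to the alias lets the proxy flow pass on the user rule, and without the user block rule squid's own invisible allow rule passes it before the default block is reached.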

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.