Rules broken by Squid



  • Is it wrong, or is it normal, that you can access the webConfigurator with Squid installed even with a rule in the firewall that does not allow it?
    deny * * * LanAddress 443
    Allow * * * LanAddress 3127



  • Did you disable the anti lockout rule in the Advanced settings?

    Disable webConfigurator anti-lockout rule
    When this is unchecked, access to the webConfigurator on the LAN interface is always permitted, regardless of the user-defined firewall rule set. Check this box to disable this automatically added rule, so access to the webConfigurator is controlled by the user-defined firewall rules (ensure you have a firewall rule in place that allows you in, or you will lock yourself out!) Hint: the "Set interface(s) IP address" option in the console menu resets this setting as well.

    I've defined the Alias "ManagementHosts"; that group of IP addresses are the only ones allowed on the GUI Alias ManagementPorts. (That is in the first pfSense Book btw.)



  • I've disabled the webConfigurator anti-lockout rule and the networks still have access to the webConfigurator when I put any administration URL in the address bar. That is, the proxy is still skipping the rule. Screenshots attached.

    ![Captura de pantalla 2014-08-23 a la(s) 09.25.46.png](/public/imported_attachments/1/Captura de pantalla 2014-08-23 a la(s) 09.25.46.png)
    ![Captura de pantalla 2014-08-23 a la(s) 09.26.18.png](/public/imported_attachments/1/Captura de pantalla 2014-08-23 a la(s) 09.26.18.png)



  • The rules start from the bottom and go up.

    Rules are evaluated on a first-match basis (i.e. the action of the first rule to match a packet will be executed). This means that if you use block rules, you'll have to pay attention to the rule order. Everything that isn't explicitly passed is blocked by default.
    

    First you allow the LAN out (IPv4 to Any & IPv6 to Any).
    Then you block outside to everything that is LAN (Any to LAN).
    Then you allow the rest within your LAN.




  • The problem is Squid. Everything works without Squid, but when all traffic is redirected to Squid, the webConfigurator can be reached, even with the rule that does not allow it.
    As you can see in the screenshots.
    Access to the webConfigurator is done from another LAN, so I want to deny access to the administration to other networks.



  • When I am on a computer outside the "ManagementHosts" range (in my case 192.168.0.0/25), I cannot access the web GUI or SSH from that computer.
    But I can access outside web pages via the proxy (either by configuring the proxy or just using the transparent rules).



  • If Squid is in transparent mode (for example), and you configure the browser with the proxy port, you can access the webConfigurator, and it jumps the firewall rules.

    Please check it



  • Hi ajuser,

    First, I think rules are evaluated top to bottom, first match wins.

    Second, it depends on what ManagementHosts means in your setup. Typically it means IPs that are allowed to manage pfSense. If that is the case, it looks like you are blocking access to machines that are managers, not the webConfigurator.

    I think the webConfigurator is typically listening on the LAN address, so maybe you want to block destination = LAN address.



  • You can check if your block rule is working by turning logging on for that rule, disabling transparent Squid, trying the access, and seeing which rule blocked it by checking the log. If it was blocked by the default deny instead of your block rule, the problem is in your block rule.



  • The problem is that you have to have rules in the firewall, which the proxy skips. And I am compelled to deny it in Squid and SquidGuard.



  • I think the rule could be at fault. On my network I have this, and it seems to work fine:
    allow in on LAN from management to port_admin
    block in on LAN from !management to port_admin

    Seems to work for me… and !management is anything but my main admin computer, so it would block even Squid, I think. Not sure, because Squid might be connecting from 127.0.0.1. Again, not sure.



  • I deny it provisionally in Squid, but I would like to know why it is jumping the firewall rule. It is driving me a little crazy.
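Editor's added example, not part of the thread above and not the pfSense Squid package's own configuration. The behaviour the thread describes is what a proxy does by design: Squid accepts the client's TCP connection and then opens a new connection to the requested destination from the firewall host itself, so the packet that finally reaches the webConfigurator does not come in on the LAN interface from the non-management client, and a LAN-interface block rule keyed on the client's source address has nothing to match. The durable fix is therefore in Squid's own access list, which is what the last poster did "provisionally". The fragment below uses standard squid.conf ACL syntax; the LAN address (192.168.0.1), the ManagementHosts range (192.168.0.0/25) and the admin ports (80, 443, 22) are assumptions taken from the thread and must be adjusted to the real setup. In the pfSense package these lines belong in the custom options/ACL field, and they must appear before any "http_access allow localnet" line, because http_access is first-match just like the firewall rules.

```conf
# Added example (not from the thread or the pfSense package): refuse proxied
# requests to the firewall's own management services unless the client is a
# management host. Assumed values, adjust to your network:
#   firewall LAN address : 192.168.0.1
#   ManagementHosts      : 192.168.0.0/25
#   admin ports          : 80 443 (webConfigurator) 22 (SSH)

acl management_hosts src 192.168.0.0/25
acl firewall_self    dst 192.168.0.1/32 127.0.0.1/32 ::1
acl admin_ports      port 80 443 22
acl CONNECT          method CONNECT

# Explicit-proxy HTTPS arrives as CONNECT 192.168.0.1:443; transparent and
# explicit plain HTTP arrive as GET http://192.168.0.1/... . Both are matched
# against the real destination address, so both are covered. These deny lines
# must precede "http_access allow localnet" (first match wins).
http_access deny CONNECT firewall_self admin_ports !management_hosts
http_access deny firewall_self admin_ports !management_hosts
```

Check the result with `squid -k parse` before reloading, then repeat the test from a non-management host both with the browser pointed at the proxy port and through the transparent redirect; the request should now be refused by Squid (an access-denied page from the proxy) rather than reaching the GUI. Note that Squid's default `SSL_ports`/`Safe_ports` rules already refuse CONNECT to port 22, but nothing in the defaults stops a CONNECT to the LAN address on 443, which is exactly the case the thread demonstrates.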