SQUID PROXY Bind overrides Interface Firewall rules


  • Hello all

    - Last pfSense version available, x64
    - Package Squid3

    Been testing pfSense rules and whatnot, with 2 WANs and a staggering 27 VLANs on one interface... and everything works perfectly!

    I disable some rule on some VLAN interface and it works! I enable some rule on some other interface and it works! Perfect. Rules are the LAW.

    That was until I installed the SQUID proxy server. As soon as I bind Squid to an interface, rules are not the LAW. Not even floating rules with Quick set, DENYING all TCP/UDP traffic from said interface, obey the LAW. Some websites don't open, but some do.

    Unbind SQUID from said interface, and Judge Dredd is back in town with the LAW being obeyed.

    No documentation found on the subject. Could I have some pointers on why it behaves like this? (I know Squid redirects all port 80 traffic to itself, but surely not before the rules take place, correct?)

    cheers


  • Deleted the Squid 3 package, installed the 2.7.9 package.

    This issue does not happen on Squid 2.7.9.

    So:

    • with SQUID 3.4.10_2, on all interfaces to which Squid is bound, interface rules are bypassed (TCP 80)

    • with SQUID 2.7.9, on all interfaces to which Squid is bound, interface rules are properly enforced (TCP 80)

    cheers


  • Nope, after a while the same thing happens with either Squid package.


  • Your description is pretty vague. What rules are you specifically talking about, and what example shows how you get around them if Squid is installed? Squid makes requests on your behalf. If you don't want a user having web access, use an ACL or block his IP in Squid.


  • Thanks for the reply!

    with:

    The interface having no firewall rules permitting traffic to exit through port 80

    And the Squid proxy transparent mode disabled

    Browsing websites is not allowed. This is correct.

    But with Squid proxy transparent mode enabled...

    Browsing is possible when it should not be possible, because no rules allow traffic to port 80.


  • The NAT of 80 -> 3128 happens before the firewall rules are parsed.


  • That explains much :)  thank you.

    So when pfSense is using Squid, all interface rules relating to port 80 are nullified?

    Am I wrong to assume that if this is the case, then a rule that has the gateway option redirecting the "80" traffic to the WAN load balancer is also ignored and it will always use the default pfSense gateway instead?

    Before reading your above answer, I did test this issue a bit further. This situation only happens if I have the pfSense interface IP as the DNS on the client NIC. If I use any other DNS (8.8.8.8), the client cannot browse the internet until I create a rule allowing port 80 traffic to pass.

    Squid completely changes pfSense behaviour.


  • @spyshagg:

    Before reading your above answer, I did test this issue a bit further. This situation only happens if I have the pfSense interface IP as the DNS on the client NIC. If I use any other DNS (8.8.8.8), the client cannot browse the internet until I create a rule allowing port 80 traffic to pass.

    You are mixing some aspects, as far as I understand.
    Aside from the fact that a transparent proxy is not always a good idea because it can't control HTTPS flows and can't authenticate users, it has another side effect:

    • with an explicit proxy, the URL as typed in the browser is sent to the proxy, which performs the DNS request in order to translate the FQDN into an IP address.
    • with a transparent proxy, as the browser is not aware that a proxy will be used, name resolution is performed client-side. Therefore, if you block the DNS flow with a FW rule, then users will not be able to browse the internet... unless they know the IP they want to reach ;)

  • Same problem happened to me.

    Although I blocked ALL traffic to specific IPs in the firewall rules, the Squid proxy (I am using transparent mode) let the port 80 traffic pass.

    So I entered the IPs (or alias), separated by semicolons, into "Bypass Proxy for These Destination IPs" and it worked.

    It is an old topic, but if anyone has a similar problem, this is a way to fix it.

    Cheers

    PS: Make sure your alias is typed exactly (if there are capital letters, type them as they are). If you do not follow the correct capitals when entering the alias, the proxy stops working.
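
The one-line explanation earlier in the thread (the 80 -> 3128 NAT happens before the filter rules are parsed) and the "Bypass Proxy for These Destination IPs" workaround in the post above are the same fact seen from two sides. The following is an added example, not pfSense's, pf's or the Squid package's own code: a small Python model of the order in which pf handles a packet (rdr translation first, then the filter rules against the already-rewritten packet). It assumes Squid listens on 127.0.0.1:3128 (the port named in the thread), stands in a hypothetical pass rule for the proxy listener for whatever rule the package really generates, and uses a constructed VLAN ruleset and constructed addresses.

```python
"""Toy model of pf's packet pipeline: rdr (NAT) translation runs before the
filter rules, so a transparent Squid redirect rewrites dst:80 to
127.0.0.1:3128 and interface rules written against port 80 never match.
Added illustration only; not pf, pfSense or Squid package code."""
from __future__ import annotations
from dataclasses import dataclass, replace
import ipaddress
from typing import Optional

PROXY_ADDR = "127.0.0.1"  # assumption: transparent Squid listens on localhost
PROXY_PORT = 3128         # the port named in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: Optional[str] = None    # address or CIDR; None means any
    dport: Optional[int] = None  # None means any port
    label: str = ""


def in_net(addr: str, net: str) -> bool:
    """True if addr falls inside net (a bare address is treated as /32)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst is not None and not in_net(pkt.dst, rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def rdr(pkt: Packet, transparent: bool, bypass_dst: tuple[str, ...]) -> Packet:
    """Transparent-proxy redirect. This NAT step runs BEFORE filtering, so
    the filter only ever sees the rewritten packet. Destinations on the
    bypass list are left untouched, which is why the bypass workaround
    makes the interface rules match again."""
    if not (transparent and pkt.proto == "tcp" and pkt.dport == 80):
        return pkt
    if any(in_net(pkt.dst, net) for net in bypass_dst):
        return pkt
    return replace(pkt, dst=PROXY_ADDR, dport=PROXY_PORT)


def filter_rules(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins (every rule treated as 'quick'); pfSense's
    implicit default for traffic nothing passes is to block."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def verdict(rules: list[Rule], pkt: Packet, transparent: bool,
            bypass_dst: tuple[str, ...] = ()) -> tuple[Packet, str]:
    """Return (packet as the filter saw it, 'pass' or 'block')."""
    seen = rdr(pkt, transparent, bypass_dst)
    return seen, filter_rules(rules, seen)


# Constructed sample ruleset for one VLAN interface: DNS to the firewall is
# allowed, one web server is blocked, and nothing passes TCP/80 in general.
# The last rule is a hypothetical stand-in for the pass rule the proxy
# package adds for its own listener (assumption; check with `pfctl -sr`).
VLAN_RULES = [
    Rule("block", dst="203.0.113.10", dport=80, label="block bad web server"),
    Rule("pass", dst="10.0.27.1", dport=53, label="allow DNS to firewall"),
    Rule("pass", dst=PROXY_ADDR, dport=PROXY_PORT, label="squid listener (package)"),
]
WEB = Packet(src="10.0.27.50", dst="203.0.113.10", dport=80)  # constructed

if __name__ == "__main__":
    cases = ((False, ()), (True, ()), (True, ("203.0.113.10",)))
    for transparent, bypass in cases:
        seen, action = verdict(VLAN_RULES, WEB, transparent, bypass)
        print(f"transparent={transparent!s:5} bypass={bool(bypass)!s:5} "
              f"filter saw {seen.dst}:{seen.dport} -> {action}")
```

With transparent mode off the filter sees 203.0.113.10:80 and the block rule matches; with it on, the filter sees 127.0.0.1:3128, the block rule cannot match, and the listener rule passes it; putting the destination on the bypass list skips the rdr and the block matches again. On a real box, compare `pfctl -sn` (the NAT rules, including the 80 -> 3128 redirect) with `pfctl -sr` (the filter rules) to see the same two stages; anything you need enforced for proxied HTTP has to live either on the bypass list or in a Squid ACL.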