Do Squid Transparent Proxy require Firewall to be enabled?



  • Is it must to enable the packet filtering (firewall) to run Squid in Transparent proxy mode?

    I am asking because I don't need firewall. I only need Transparent squid proxy and SquidGuard.

    I am having problems in setup. I have newly installed pfSense 2.2.2  and squid 3.4.10.

    When I 'Disable all packet filtering' from System->Advanced->Firewall/NAT, the firewall stops but the squid transparent proxy stops listening to the client requests. But when I enable the packet filtering, the squid proxy server listens to the clients' requests but the log says TAG_NONE/500. And the client browser gives the following error on accessing some website:
    --------------------------------------------------------------------------------------------------
    ERROR
    The requested URL could not be retrieved

    The following error was encountered while trying to retrieve the URL:http://---------

    ICAP protocol error.

    The system returned: [No Error]

    This means that some aspect of the ICAP communication failed.

    Some possible problems are:

    • The ICAP server is not reachable.

    • An illegal response was received from the ICAP server.

    --------------------------------------------------------------------------------------------------

    All the services are running fine. I think there is some problem with  my firewall setting.

    I have attached herewith firewall rules for reference.

    Please provide solution.

    thanks
    Sher Singh Rawat




  • Is it must to enable the packet filtering (firewall) to run Squid in Transparent proxy mode?

    Yes of course. Cannot see how exactly you imagine the packets to get redirected to Squid without packet filter.



  • Please guide me why it gives ICMP error on clients when I enable packet filtering (firewall).



  • @Sher:

    I am asking because I don't need firewall. I only need Transparent squid proxy and SquidGuard.

    Are you explaining that you are running or aim to run pfSense as a transparent proxy box only?  ???  :o
    If your goal is to run a transparent HTTP proxy only (although I'm definitely not pushing for such an implementation) I would suggest that you go for a dedicated standalone deployment.

    What does pfSense bring?
    Graphical interface? You will get something even more flexible with webmin  ;) e.g.



  • @Sher:

    Please guide me why it gives ICMP error on clients when I enable packet filtering (firewall).

    ICMP error while requesting web sites? Very strange.



  • I newly installed pfSense 2.2.2 with the following:

    1. DHCP Server (working fine)
    2. Squid Transparent Proxy (Clients give ICMP Error as mentioned in earlier post and squid log displays TAG_NONE/500 for the client )
    3. SquidGuard (will work only after squid works correctly)

    thanks in advance

    Sher



  • This thread should be split into 2 different parts:

    1 - is it wise to deploy pfSense in order to support only Squid + SquidGuard (or whatever filtering add-on)?
    To me the answer is clearly no. If you don't need pfSense core features in terms of firewalling, then it doesn't really make sense to deploy it.

    2 - issues when deploying Squid:
    What your first log shows is ICAP-related errors. What needs to be clarified is that ICAP is not Squid. What I mean is that proxy is one aspect (handled by Squid) and content filtering is another one, linked to proxy stuff of course but not so tightly linked, meaning one could deploy a proxy without any content filtering (e.g. in order to provide cache or profiling).

    Try to deploy the proxy first (without any add-on and extra features). Once it works, move to content filtering, using ICAP, SquidGuard, DansGuardian…

    BTW, you should think about explicit proxy too ;-)
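    The "ICAP protocol error" page quoted earlier lists two causes (ICAP server not reachable, illegal response). The script below is an added example, not from this thread or the pfSense/squid packages: it sends an ICAP OPTIONS request to the content-filtering service and classifies the outcome the same way, so the proxy and the ICAP add-on can be checked separately. The host, port 1344 and service name "squidclamav" are assumptions; adjust them to your c-icap setup.

```python
import socket

# Assumed defaults: c-icap commonly listens on TCP 1344; the service name
# depends on the c-icap configuration (here a hypothetical "squidclamav").
DEFAULT_PORT = 1344

def build_options_request(host, service, port=DEFAULT_PORT):
    """Minimal ICAP/1.0 OPTIONS request (RFC 3507) for one service."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "User-Agent: icap-healthcheck\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_icap_response(raw):
    """Return (status_code, {header: value}); raise ValueError if not ICAP."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError("not an ICAP status line: %r" % lines[0])
    code = int(parts[1])          # non-numeric status also raises ValueError
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return code, headers

def classify(raw):
    """Map a raw reply onto the causes Squid's error page names."""
    try:
        code, headers = parse_icap_response(raw)
    except ValueError as exc:
        return "illegal-response", str(exc)
    if code != 200:
        return "error", "ICAP status %d" % code
    return "ok", headers.get("methods", "(no Methods header)")

def check_icap(host, service, port=DEFAULT_PORT, timeout=3.0):
    """Connect, send OPTIONS, read the header block, classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_options_request(host, service, port))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError as exc:          # refused, timed out, no route, ...
        return "unreachable", str(exc)
    return classify(raw)

if __name__ == "__main__":
    print(check_icap("127.0.0.1", "squidclamav"))
```

    Run it from the pfSense shell while c-icap is up and again while it is stopped; "unreachable" means the proxy cannot even open the ICAP socket, while "illegal-response" means something answered on the port but not in ICAP.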



  • I have found that when the c-icap service is running, transparent squid does not listen to the requests of clients.
    There is some problem with the c-icap or clamd service. When I stopped/disabled the c-icap service, transparent squid and SquidGuard work perfectly.

    Do you have any solution for clamd? Please share, because antivirus scanning is a must at the gateway.

    SSR



  • I don't know about you but I would rather let the experts Kaspersky, Bitdefender, Norton take care of the scanning. Also I would recommend installing pfBlockerNG to blacklist IP spammers.



  • @killmasta93:

    I don't know about you but I would rather let the experts Kaspersky, Bitdefender, Norton take care of the scanning.

    Deploying different antivirus engines at server and workstation level is a good idea.
    I'm running clamAV at server level (used for mail, HTTP proxy and NAS) while on devices I deployed different anti-virus.

    Risk of false positive is slightly higher but it can also catch more unwanted stuff.

    Also I would recommend installing pfBlockerNG to blacklist IP spammers.

    I'm currently looking at this  ;)  Nice package  ;D
    Adding fail2ban would be perfect  ;)



  • I'm currently looking at this  ;)  Nice package  ;D
    Adding fail2ban would be perfect  ;)

    the dev package is some nice stuff  ;)