Netgate Discussion Forum

Block access to internet (80, 443) if a user not using proxy

Category: Firewalling
6 Posts 4 Posters 6.9k Views
  • buddhikalb (last edited May 21, 2015, 9:14 AM)

    Basic setup, pfSense 2.15.

    squid installed and listening on port 3128.

    WAN - DHCP, LAN - 172.10.10.1, DHCP on LAN - 172.10.10.100 - 172.10.10.200.

    Problem: All the users can browse internet if the network setting is set to use a proxy (172.10.10.1:3128) or no proxy.

    Need to achieve: If a user hasn't set proxy (172.10.10.1:3128), block internet.

    I know I need to do something with the firewall to block traffic from LAN and only allow the proxy server's traffic to go out, but I don't have any firewall knowledge. How do I create rules to achieve this?

    • Harvy66 (last edited May 21, 2015, 12:15 PM)

      Just block all internet access to the LAN because the proxy is effectively a tunnel and won't be seen as LAN traffic. With a transparent proxy, this would be a bit harder, but not so much with a regular proxy.

      Rule of thumb: don't proxy HTTPS, it breaks things, especially security. There are a lot of exploits for doing HTTPS over proxies, even ones that can get malware to install on computers. Then again, everything is moving to HTTPS and it won't be long before HTTP starts dying off. Good luck.

      • buddhikalb (last edited May 21, 2015, 12:30 PM)

        I got the idea of how to do it. Think of me as a child who doesn't know a thing; walk me through it step by step.

        • rjcrowder (last edited May 21, 2015, 1:29 PM)

          @buddhikalb:

          I got the idea of how to do it. Think of me as a child who doesn't know a thing; walk me through it step by step.

          Step out and play around - you will learn a lot more!

          Basically: create a rule to allow the pfSense box (running the proxy) out. Then create rules to block LAN to WAN 80 and LAN to WAN 443.

          • johnpoz, LAYER 8 Global Moderator (last edited May 21, 2015, 3:18 PM)

            Blocking to WAN 80 would not stop anything other than talking to stuff on WAN.

            The block rule should be: block 80 to ANY. WAN is not the internet.

            If you have other LAN segments, say OPT1 for example, and you want to allow LAN to talk to the OPT1 network but not the "internet", then you need a rule above that allows access to OPT1 net for what you want to allow, and then block any to 80 and 443 below that.


            • rjcrowder (last edited May 22, 2015, 1:07 PM)

              Yes… actually I just have one LAN rule that blocks all outbound to port 80... (although it does have a "not" destination address in the LAN network). The rule is just above the default allow "LAN to any" rule.

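To make the rule order described by johnpoz and rjcrowder concrete, here is an added example of what the LAN ruleset looks like in pf syntax, written in the style pfSense generates for Firewall > Rules > LAN. It is not code from the original thread or from the pfSense project. The interface names (em1 for LAN, em2 for OPT1), the OPT1 subnet 172.10.20.0/24, and the rule labels are assumptions for illustration; the LAN addressing and the squid port 3128 come from the original post. pfSense evaluates interface rules first-match, top to bottom, which is why the block must sit above the default "LAN to any" pass and the exceptions must sit above the block.

```pf
# Added example (not pfSense's own config): LAN interface rules, evaluated
# first-match top to bottom. Assumed: LAN = em1 / 172.10.10.0/24 with the
# firewall at 172.10.10.1, OPT1 = em2 / 172.10.20.0/24 (hypothetical).

# pfSense adds the outbound rule for the firewall host itself automatically
# ("let out anything from firewall host itself"), so squid's own traffic to
# the internet needs no extra rule; only the LAN-side rules below are yours.

# 1. Clients must still reach squid on the firewall's LAN address.
#    GUI equivalent: destination "LAN address", port 3128.
pass in quick on em1 inet proto tcp from 172.10.10.0/24 to 172.10.10.1 port 3128 flags S/SA keep state label "LAN to squid"

# 2. Exceptions to direct access go ABOVE the block, e.g. another segment.
#    Remove this if there is only one LAN.
pass in quick on em1 inet from 172.10.10.0/24 to 172.10.20.0/24 keep state label "LAN to OPT1 net"

# 3. The block rule: destination is ANY, not "WAN net", since WAN net is only
#    the subnet on the WAN interface, not the internet.
#    rjcrowder's variant uses "! 172.10.10.0/24" as the destination instead
#    of "any"; both leave rule 1 above them so the proxy stays reachable.
block in quick on em1 inet proto tcp from 172.10.10.0/24 to any port { 80 443 } label "block direct web, use proxy"

# 4. pfSense's default LAN rule, left in place below the block.
pass in quick on em1 inet from 172.10.10.0/24 to any keep state label "Default allow LAN to any rule"
```

Two caveats a practitioner would check: first, this only blocks TCP 80 and 443, so anything the default rule 4 still passes (other TCP ports, UDP 443 used by QUIC) remains a way around the proxy; the stricter variant is to delete rule 4 and pass only what the LAN actually needs. Second, verify from a LAN host with the proxy setting removed that a plain connection to port 80 or 443 now fails while the same request through 172.10.10.1:3128 succeeds; if both work, the block rule is below the default allow and never matches.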