Netgate Discussion Forum

Configuring correct firewall rules with proxy

Category: Firewalling
14 Posts, 2 Posters, 4.3k Views
darkcore, Jun 16, 2015, 10:02 PM

Hello,

I've configured a transparent proxy with man-in-the-middle filtering (for SSL) and SquidGuard.
Web filtering works fine.
But now I want to configure it in order to block all outgoing traffic (to stop users from using RDP, SSH etc…) but still allow web (which has to pass through the proxy).

I would like to disable this default LAN rule:

IPv4 * LAN net * * * * none   Default allow LAN to any rule

and then only allow RDP for a specific alias (group of users).

That is where I'm stuck right now, because I don't know how to "design" the rule :/

WAN: dhcp
LAN: 10.0.3.0
pfSense 2.2.3-DEVELOPMENT

Thank you for your help
KOM, Jun 17, 2015, 12:21 AM

Create an alias in Firewall - Aliases to hold your RDP users. Create a firewall rule on LAN that allows that RDP alias as Source to talk to any destination on TCP port 3389. I think MSRDP is even in the list of ports you can select.
darkcore, Jun 17, 2015, 4:40 PM

Hi,

thank you for your answer, but RDP is still not working.

For now I have only the lockout rule (I deactivated "Default allow LAN to any") and:

IPv4 TCP  AllowRDP    *    *    3389  *  none

What would be the rule to configure in order to let people surf the web through my proxy?

Oh… and what I just realized:

with no pass rule active in my firewall I can still surf on a page already open in my browser, and even open new sites from that specific page...
KOM, Jun 17, 2015, 4:58 PM

Transparent proxy doesn't require any magic and it generates the NAT rule it needs. Since it lives on the firewall itself, it already intercepts web traffic and directs it to the proxy port 3128. However, any HTTPS sites are going to trigger a browser warning unless you install a pfSense certificate in every client that will use the proxy. I recommend that you avoid transparent proxy and instead look into WPAD.
darkcore, Jun 17, 2015, 11:50 PM

Hi KOM,

I tried a non-transparent proxy configuration.
WPAD autodiscover isn't working; I have to give it the path to the pac file manually, but this isn't too bad for now.

I'm still having some trouble with traffic filtering/blocking.

If I remove the "allow LAN to any" rule, I have no internet,
and then even after adding the RDP rule, the RDP connection fails.

If I add the "allow LAN to any" rule, internet works just like before with my transparent proxy. Just that when I open a blocked HTTPS site (like Facebook), I get an "unable to connect" error.
Every other page like pron or so is perfectly blocked with a reason message.

:(
KOM, Jun 18, 2015, 1:32 PM

> I have to give it the path to the pac file manually

Most systems are looking for wpad.dat. Proxy.pac is used by Macs I believe, and some specific apps. Best to have both since they can be identical. Make sure all your clients are set to auto-discover the proxy. Make sure you have your DNS and DHCP entries correct. It should work for almost everything with the exception of Android. I have seen some cases where Windows boxes must be set manually even when auto-detection is enabled (which it is by default on Windows).
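As an added example (not from the thread, and not pfSense's or Squid's own code), here is a minimal PAC file of the kind KOM is describing, to be served as both wpad.dat and proxy.pac. It sends everything except unqualified names, the local DNS suffix and the LAN itself to Squid on the firewall. Assumptions the thread does not state: the pfSense LAN address is 10.0.3.1, Squid listens on its default port 3128, and the local DNS suffix is .lan. The three helper functions are normally supplied by the browser's PAC engine; they are re-implemented here so the logic can be exercised outside a browser.

```javascript
// Added example, not from the thread: a minimal wpad.dat / proxy.pac for this setup.
// ASSUMED (not stated in the thread): pfSense LAN address 10.0.3.1, Squid on 3128,
// local DNS suffix ".lan". The LAN 10.0.3.0/24 is as the poster gave it.
// Written in ES3-style JavaScript because browser PAC engines are old and restricted.

var PROXY = "PROXY 10.0.3.1:3128";

// The browser normally supplies these three helpers; they are re-implemented
// here so the file can be run and checked outside a browser too.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function dottedToInt(ip) {
  var p = ip.split("."), n = 0, i, o;
  if (p.length !== 4) return null;
  for (i = 0; i < 4; i++) {
    o = parseInt(p[i], 10);
    if (isNaN(o) || o < 0 || o > 255) return null;
    n = n * 256 + o;
  }
  return n;
}

// The real isInNet() resolves a hostname first; this stand-in only handles literal IPs.
function isInNet(host, net, mask) {
  var h = dottedToInt(host), n = dottedToInt(net), m = dottedToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  // Unqualified names, the local suffix and loopback go direct.
  if (isPlainHostName(host) || host === "localhost" || shExpMatch(host, "*.lan")) {
    return "DIRECT";
  }
  // So does anything on the LAN itself (assumed 10.0.3.0/24).
  if (isInNet(host, "127.0.0.0", "255.0.0.0") || isInNet(host, "10.0.3.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else goes through Squid. Deliberately no "; DIRECT" fallback: with
  // one, a client that cannot reach the proxy would quietly connect directly,
  // which is exactly what the LAN rules being built in this thread are meant to stop.
  return PROXY;
}
```

Serve the identical file as /wpad.dat and /proxy.pac from a web server reachable as http://wpad.<your domain>/ (an A record for wpad in the LAN's DNS, plus DHCP option 252 carrying the URL), with the MIME type application/x-ns-proxy-autoconfig. The missing "; DIRECT" fallback is the security-relevant choice: a PAC that falls back to DIRECT makes the proxy optional from the client's point of view, so the firewall rules, not the PAC, are what actually force traffic through Squid.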
darkcore, Jun 18, 2015, 8:39 PM

Good evening,

autodiscover now works fine, but I still have the firewall problems.

I'm still having some trouble with traffic filtering/blocking.

If I remove the "allow LAN to any" rule, I have no internet,
and then even after adding the RDP rule, the RDP connection fails.

If I add the "allow LAN to any" rule, internet works just like before with my transparent proxy. Just that when I open a blocked HTTPS site (like Facebook), I get an "unable to connect" error.
Every other page like pron or so is perfectly blocked with a reason message.
KOM, Jun 18, 2015, 8:51 PM (edited 8:54 PM)

I've seen that before. I think that's a side-effect of using transparent proxy with SquidGuard and HTTPS. Blocked sites don't go to the specified error page. Works fine when you're not using transparent mode.

Firewall rules are processed top-down, first-match. By removing the Allow All from LAN rule, you're blocking everything including DNS.
darkcore, Jun 18, 2015, 8:53 PM

Transparent mode is deactivated :-)
KOM, Jun 18, 2015, 8:56 PM

I have to leave for the day but post a screencap of your LAN rules so I or someone else can see what's going on.
darkcore, Jun 18, 2015, 9:09 PM

Here are the FW rules (quite simple for now ;) )

If for now I deactivate the LAN net rule, I have no internet, which is correct; but when activating the AllowRDP rule, RDP isn't working.

And my next question would be: what rule should activate web browsing for my configuration?

[image: LAN-rules.PNG]
KOM, Jun 19, 2015, 1:52 PM

Basically, create a ports alias called WebPorts, for example. Populate it with 80 and 443. Create a LAN rule just below your RDP rule that blocks WebPorts for all. Add a rule that allows TCP port 53 (DNS) for all. Delete that last allow all rule. Save & done.
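The rule set KOM lays out (RDP alias first, then the WebPorts block, then DNS, then no allow-all) only makes sense once you model the top-down, first-match evaluation he mentioned two posts earlier. What follows is an added example, not code from the thread or from pfSense: a small JavaScript model of that evaluation loaded with those rules, plus the rule a non-transparent Squid needs so that clients can reach the proxy port at all. Assumptions the thread does not state: the firewall's LAN address is 10.0.3.1, Squid listens on 3128, the RDP alias is called RDPUsers and its two members are invented, and DNS is allowed on UDP as well as TCP because ordinary lookups use UDP 53. The sample traffic is constructed.

```javascript
// Added example, not from the thread or from pfSense: a toy model of LAN rule
// evaluation (top-down, first match, implicit deny when nothing matches).
// ASSUMED: LAN 10.0.3.0/24 as posted; firewall LAN address 10.0.3.1, Squid on
// port 3128 and the RDPUsers alias members are NOT from the thread.

function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => n * 256 + parseInt(o, 10), 0);
}

// Match an address against "10.0.3.0/24" or a bare host such as "10.0.3.1".
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : parseInt(bitsStr, 10);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Firewall > Aliases. RDPUsers is the host alias KOM suggested (members invented),
// WebPorts the port alias; "LAN net" and "LAN address" are pfSense's built-ins.
const aliases = {
  "RDPUsers": ["10.0.3.10", "10.0.3.11"],
  "WebPorts": [80, 443],
  "LAN net": ["10.0.3.0/24"],
  "LAN address": ["10.0.3.1"],
};

function hostMatches(ip, spec) {
  if (spec === "any") return true;
  return (aliases[spec] || [spec]).some((m) => inCidr(ip, m));
}

function portMatches(port, spec) {
  if (spec === "any") return true;
  return (aliases[spec] || [spec]).includes(port);
}

function ruleMatches(rule, pkt) {
  return (rule.proto === "any" || rule.proto.includes(pkt.proto)) &&
    hostMatches(pkt.src, rule.src) && hostMatches(pkt.dst, rule.dst) &&
    portMatches(pkt.dport, rule.dport);
}

// pfSense interface rules are all "quick": the first match decides, and a packet
// that matches nothing hits the implicit block at the end.
function evaluate(rules, pkt) {
  for (const r of rules) {
    if (ruleMatches(r, pkt)) return { action: r.action, rule: r.name };
  }
  return { action: "block", rule: "implicit default deny" };
}

const mkRule = (action, name, proto, src, dst, dport) => ({ action, name, proto, src, dst, dport });
const mkPkt = (proto, src, dst, dport) => ({ proto, src, dst, dport });

// LAN rules in the order KOM describes, with "Default allow LAN to any" deleted.
const lanRules = [
  mkRule("pass",  "AllowRDP",       ["tcp"],        "RDPUsers", "any",         3389),
  mkRule("block", "BlockDirectWeb", ["tcp"],        "LAN net",  "any",         "WebPorts"),
  mkRule("pass",  "AllowDNS",       ["tcp", "udp"], "LAN net",  "LAN address", 53),
  mkRule("pass",  "AllowProxy",     ["tcp"],        "LAN net",  "LAN address", 3128),
];

// The same set with the original allow-all left at the bottom, for comparison.
const withAllowAll = lanRules.concat([
  mkRule("pass", "Default allow LAN to any", "any", "LAN net", "any", "any"),
]);

// Constructed sample traffic from the LAN; 203.0.113.5 is a documentation address.
const samples = [
  mkPkt("tcp", "10.0.3.10", "203.0.113.5", 3389),  // alias member: RDP out
  mkPkt("tcp", "10.0.3.20", "203.0.113.5", 3389),  // non-member: RDP out
  mkPkt("tcp", "10.0.3.20", "203.0.113.5", 443),   // direct HTTPS, bypassing Squid
  mkPkt("udp", "10.0.3.20", "10.0.3.1",    53),    // DNS to the firewall
  mkPkt("tcp", "10.0.3.20", "10.0.3.1",    3128),  // web via the proxy
  mkPkt("tcp", "10.0.3.20", "203.0.113.5", 22),    // SSH out
];

function report(rules) {
  return samples.map((p) => {
    const r = evaluate(rules, p);
    return `${p.proto} ${p.src} -> ${p.dst}:${p.dport}  ${r.action} (${r.rule})`;
  });
}

console.log("-- allow-all deleted --\n" + report(lanRules).join("\n"));
console.log("-- allow-all still present --\n" + report(withAllowAll).join("\n"));
```

Running it shows why the allow-all had to be deleted rather than just left under the block rule: with it still present, direct HTTPS is blocked by the explicit WebPorts rule above it, but SSH and RDP from any LAN host pass. Once the allow-all is gone the explicit WebPorts block is technically redundant (the implicit deny would catch it), but it is worth keeping with logging enabled so that clients trying to go around the proxy show up in the firewall log. It also makes clear which of darkcore's symptoms are a rule-order problem and which are not: a client that keeps browsing with every pass rule disabled is reusing an already established state or talking to the proxy some other way, and no reordering will explain that.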
darkcore, Jun 20, 2015, 8:43 AM

Hi,
ok, tried this, but I think something different is messed up. With all rules disabled, I am still able to surf the web…  ???
KOM, Jun 23, 2015, 7:17 PM

Post your LAN rules screencap again.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.