Configuring correct firewall rules with proxy



  • Hello,

    I've configured a transparent proxy with man in the middle filtering (for ssl) and squidguard.
    Web filtering works fine.
    But now I wanted to configure it in order to block every outgoing traffic (in order to block users from using rdp, ssh etc…) but still allow web (which has to pass by the proxy)

    I would like to disable this default LAN rule:

    IPv4 * LAN net * * * * none   Default allow LAN to any rule

    and then only allow rdp for a specific alias (group of users)

    There I'm stuck right now because I don't know how to "design" the rule :/

    WAN: dhcp
    LAN: 10.0.3.0
    Pfsense 2.2.3-DEVELOPMENT

    Thank you for your help



  • Create an alias in Firewall - Aliases to hold your RDP users.  Create a firewall rule on LAN that allows that RDP alias as Source to talk to any destination on TCP port 3389.  I think MSRDP is even in the list of ports you can select.



  • Hi,

    thank you for your answer, but RDP is still not working.

    For now I have only the lockout rule (I deactivated default allow LAN to any) and:

    IPv4 TCP  AllowRDP    *    *    3389  *  none

    what would be the rule to configure in order let people surf the web through my proxy?

    oh…and what I just realized:

    with no pass rule active in my firewall I still can surf on a page already open in my Browser. Even open new sites on that specific page...



  • Transparent proxy doesn't require any magic and it generates the NAT rule it needs.  Since it lives on the firewall itself, it already intercepts web traffic and directs it to the proxy port 3128.  However, any HTTPS sites are going to trigger a browser warning unless you install a pfSense certificate in every client that will use the proxy.  I recommend that you avoid transparetn proxy and instead look into WPAD.



  • Hi KOM,

    i tried a non transparent proxy configuration.
    WPAD autodiscover isn't working; I have to give him manually the path to the pac file, but this isn't too bad for now.

    I'm sitll having some trouble with traffic filtering/blocking.

    If I remove the "allow Lan to any" rule, I have no internet.
    and then even adding the rdp rule, the rdp connection fails.

    if I add the "allow Lan to any" rule, Internet works just like before with my transparent proxy. Just that when I open a blocked https site (like facebook), I get an unable to connect error.
    Every other page like pron or so is perfectly blocked with a reason message.

    :(



  • I have to give him manually the path to the pac file

    Most systems are looking for wpad.dat.  Proxy.pac is used by Macs I believe, and some specific apps.  Best to have both since they can be identical.  Make sure all your clients are set to auto-discover the proxy.  Make sure you have your DNS and DHCP entries correct.  It should work for almost everything with the exception of Android.  I have seen some cases where Windows boxes must be set manually even when auto-detection is enabled (which is is by default on Windows).



  • Good evening,

    autodiscover now works fine, but I still have the firewall problems.

    I'm sitll having some trouble with traffic filtering/blocking.

    If I remove the "allow Lan to any" rule, I have no internet.
    and then even adding the rdp rule, the rdp connection fails.

    if I add the "allow Lan to any" rule, Internet works just like before with my transparent proxy. Just that when I open a blocked https site (like facebook), I get an unable to connect error.
    Every other page like pron or so is perfectly blocked with a reason message.



  • I've seen that before. I think that's a side-effect of using transparent proxy with squidguard and HTTPS.  Blocked sites don't go to the specified error page.  Works fine when you're not using transparent mode.

    Firewall rules are processed top-down, first-match.  By removing the Allow All from LAN rule, you're blocking everything including DNS.



  • Transparent mode is deactivated :-)



  • I have to leave for the day but post a screencap of your LAN rules so I or someone else can see what's going on.



  • Here are the FW rules (quite simple for now;) )

    If for now I deactivate LAN net rule, I have no internet; which is correct, but when activating the AllowRDP rule, rdp isn't working.

    and my next question would be: what rule should activate webbrowsing for my configuration?




  • Basically, create a ports alias called WebPorts, for example.  Populate it with 80 and 443.  Create a LAN rule just below your RDP rule that blocks WebPorts for all.  Add a rule that allows TCP port 53 (DNS) for all.  Delete that last allow all rule.  Save & done.



  • hi,
    ok, tried this, but I think something different is messed up I think. With all rules disabled, I am still able to surf the web…  ???



  • Post your LAN rules screencap again.


Log in to reply