Enforce Routing to External Proxy



  • Greets all (Pardon if this isn't the right topic group….it isn't really routing....this is more rules related...right?)

    I have two network segments: 100.x and 101.x  On the 101 segment exists a proxy server (101.2) that accepts 443 and 80 on port 3128.  It works really well (Diladele) and seems to do it's job in very understandable ways, i.e. take out this element and this happens, put back that thing and the other thing happens.

    My goal is to have all of the port 80 and 443 traffic from the 100.x segment to be FORCED to use the proxy.  All of those hosts SHOULD proxy because of their local host settings, but I want to cut off the possibility for that segment to get out on 80/443 WITHOUT going through the proxy.  Sounds like a deny rule or two...but I think I need help on the stacking order.

    Something like this maybe on the 100.x Segment Rules Tab?

    • Allow - Source 100.x - Port * - Destination 101.2 - Port 3128 - Gateway *

    • Block - Source 100.x - Port 80,443 - Destination * - Port * - Gateway *

    • Allow - Source * - Port * - Destination * - Port * - Gateway *

    So my idea is to allow any ports to go to the proxy on 3128, block 80 and 443 in all other cases, and then allow anything that ISN'T 80 and 443.

    Or am I just talking nonsense? :)



  • The behavior of firewall rules isn't really difficult to understand.
    Anything which isn't allowed explicitly is forbidden. The rules are just applied from the top to bottom. If a rule matches further ones are ignored.

    @Tanstaafl:

    • Allow - Source 100.x - Port * - Destination 101.2 - Port 3128 - Gateway *

    • Block - Source 100.x - Port 80,443 - Destination * - Port * - Gateway *

    • Allow - Source * - Port * - Destination * - Port * - Gateway *

    So my idea is to allow any ports to go to the proxy on 3128, block 80 and 443 in all other cases, and then allow anything that ISN'T 80 and 443.

    Or am I just talking nonsense? :)

    Often there are several ways to reach the goal. The one you listed will do it.

    If you use aliases and negations you can also express it with just two rules. Put port 80 and 443 in an alias, let's say BlockPorts, then it may look like this:

    • Allow - Proto=TCP - Source=.100.0/24 - Port=* - Dest.=.101.2 - Port=3128

    • Allow - Proto=* - Source=.100.0/24 - Port=* - Dest.=* - Port=!BlockPorts

    The second rule means that you allow anything from Source=.100.0/24 and any source port to any destination and any dest. port, but BlockPorts (80, 443).


Log in to reply