Squid3 / Firewall / DMZ
-
Hey guys, I'm new to pfSense and want to evaluate it, coming from IPFire.
Today I successfully installed it virtually on Xen with 3 NICs (one for LAN, one for some kind of DMZ and one for WAN). After some standard configuration, I added the squid3 and squidGuard packages. After that I removed the "default wildcard" LAN rule on the firewall, to prevent direct access to the WAN interface. Then I created one rule to grant web access from LAN through squid. Squid is running as an explicit proxy on port 3128. I tested the SSL scan with ClamAV (own CA on pfSense).

There is one web server in the DMZ which provides a management interface via HTTPS. I created a rule which grants access via HTTPS from one single computer in the LAN network to the web server in the DMZ.

Now the problem:
PC in LAN with no proxy configured -> access to the web server with the original certificate.
PC in LAN with proxy configured -> access to the web server with a self-signed certificate.

For me that means that the traffic goes through squid and clam scans the traffic between DMZ and LAN. I only want direct access between those local networks, not over the proxy server. Help would be very appreciated. Thanks
-
Most OSes allow you to specify not to use the proxy for internal networks, with an area that allows you to list those local nets.
-
Yes, sure. I could configure it on the client side not to use the proxy for local networks, but I want to define it on the firewall. Squid should not listen on packets which are addressed to those local networks, and the user shouldn't have the choice of how to access them.
Thanks for your reply.
-
You could try adding a directive under Advanced features - Custom ACLs like this:

acl YourWWWServer dstdomain .YourDomain.tld
always_direct allow YourWWWServer
This assumes that you have split DNS returning www.YourDomain.tld as a LAN IP address in your DMZ.
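An added example, not from this thread and not pfSense's or Squid's own generated configuration, of what the Custom ACLs box could hold for this case. It assumes Squid 3.5 or later with SSL bump enabled, a placeholder DMZ subnet of 192.0.2.0/24, and the placeholder domain .YourDomain.tld from the reply above. It also covers the point always_direct alone does not: always_direct only keeps a request from being forwarded via a cache_peer, so a bumped HTTPS session to the DMZ server would still be re-signed with the pfSense CA unless that session is spliced.

```conf
# Constructed example: which destinations count as "local" for Squid.
# 192.0.2.0/24 is a placeholder for the DMZ subnet; .YourDomain.tld is
# the placeholder domain used in the reply above.
acl dmz_net   dst       192.0.2.0/24
acl dmz_hosts dstdomain .YourDomain.tld

# Go to the origin server directly, never via a cache_peer, for DMZ targets.
# This is the directive suggested above; it does not affect SSL bump.
always_direct allow dmz_net
always_direct allow dmz_hosts

# SSL bump (Squid 3.5+ peek/splice): inspect the CONNECT request only,
# then pass DMZ sessions through untouched so the browser sees the
# web server's original certificate. Everything else is bumped and scanned.
acl step1 at_step SslBump1
ssl_bump peek   step1
ssl_bump splice dmz_net
ssl_bump splice dmz_hosts
ssl_bump bump   all
```

ssl_bump rules are first-match, and the pfSense squid package writes its own ssl_bump lines into squid.conf, so after saving check the generated file and confirm the splice lines are evaluated before the package's bump rule. None of this changes anything for a PC with no proxy configured; that machine reaches the DMZ only through the single firewall rule already created, which is the behaviour the original post wants for every LAN host.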