Block proxy bypass



  • Dear all,
    I have configured two interfaces for WAN and LAN in my pfsense firewall. squid guard was also enabled. The organization only needs web access. In that case I have added few rules to the LAN interface.

    1)allow DNS from LAN net to any any.
    2) allow HTTP/HTTPS from LAN net to any any.
    3) allow squid port from any any.
    4) block any any

    The browsing looks slow.
    My main question is, How can I avoid proxy bypassing  (Ex: addons on browsers such as firefox)?



  • Hi,

    I think what you did is useless for what you want to do but perhaps I misunderstand something you wrote.

    So Are you using transparent or non-transparent proxy?
    And are you using http and https on your proxy or only http?

    In general if this is a non-tranparent proxy configuration with http and https you have to configure something like this:

    1.) From LAN to pfsense interface port 3128 (squid Port, will handle http and https traffic)
    2.) From LAN to pfsense interface DNS (don't allow it to the internert. pfsense/squid will do the DNS lookup. Your client's browsers will just ask the squid proxy and it will do the rest)
    3.) Block anything else from LAN to Internet but at least block http and https to ANY (except for your admin clients the need to have access to pfsense WebUI or you enable the "anti-Lockout" rule.

    In your browsers (Firefox, IE, Chrome) you have to enter the IP address of pfsense LAN interface and port 3128 for http, https and so on.

    This would be the way to avoid proxy bypass.

    Regards


Log in to reply