Topic: [Squid] How is this possible? (Read 1013 times)
jits (Full Member, Posts: 205)
[Squid] How is this possible?
« on: June 25, 2009, 06:57:17 pm »
Hello.
Can someone please explain to me how I can still have access to the internet even after I have removed all LAN firewall rules? I am, of course, assuming that when I do this, the default rule is to automatically block all, even if I have installed Squid.
So far, I have tried to reset firewall states. No joy. I still have access. I have rebooted the pfSense machine, still no joy. I am posting this right now with absolutely no LAN firewall rules in place.
Thanks for your help.
Jits
ktims (Sr. Member, Posts: 300)
Re: How is this possible?
« Reply #1 on: June 25, 2009, 07:06:23 pm »
The rules only apply to incoming traffic on the respective interface. If you have the Squid transparent proxy installed then it adds some rules that are not user-visible to allow and transparently proxy web traffic. Then, since the Squid traffic originates from the firewall (i.e. it's never incoming traffic), it's allowed out.
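One way to see the rules ktims describes is to audit the loaded ruleset rather than the GUI rule list. The following is an added example, not part of the original thread and not pfSense's own code: it parses text in the style of `pfctl -sn` and `pfctl -sr` output and reports every rule that can carry LAN web traffic when the user-defined LAN rule list is empty. The sample rules, the interface names `em0`/`em1` and the proxy port 3128 are constructed assumptions.

```python
import re

# Constructed sample, written in the style of `pfctl -sn` / `pfctl -sr` output.
# Interfaces em1 (LAN), em0 (WAN) and proxy port 3128 are assumptions.
SAMPLE_NAT = """\
nat on em0 inet from 192.168.1.0/24 to any -> (em0) round-robin
rdr on em1 inet proto tcp from any to ! (em1) port = http -> 127.0.0.1 port 3128
"""
SAMPLE_FILTER = """\
block drop in log all label "Default deny rule"
pass in quick on em1 inet proto tcp from any to 127.0.0.1 port = 3128 flags S/SA keep state
pass out all flags S/SA keep state
"""

RDR = re.compile(r"^rdr on (\S+) .*? port = (\S+) -> (\S+) port (\d+)")
PASS_IN = re.compile(r"^pass in (?:log )?(?:quick )?on (\S+)")
PASS_OUT = re.compile(r"^pass out\b")


def audit(nat_text, filter_text, lan_if):
    """Return (kind, rule) pairs for loaded rules that can carry LAN web
    traffic even when the user-defined LAN rule list is empty."""
    findings = []
    for line in nat_text.splitlines():
        line = line.strip()
        m = RDR.match(line)
        # A redirect on the LAN interface to a loopback address hands the
        # connection to a local daemon such as a transparent proxy.
        if m and m.group(1) == lan_if and m.group(3).startswith("127."):
            findings.append(("rdr-to-localhost", line))
    for line in filter_text.splitlines():
        line = line.strip()
        m = PASS_IN.match(line)
        if m and m.group(1) == lan_if:
            # Inbound pass on the LAN that the user did not create.
            findings.append(("pass-in-on-lan", line))
        elif PASS_OUT.match(line):
            # Connections the firewall host itself originates leave via this.
            findings.append(("pass-out-from-firewall", line))
    return findings


if __name__ == "__main__":
    for kind, rule in audit(SAMPLE_NAT, SAMPLE_FILTER, "em1"):
        print(f"{kind:24} {rule}")
```

On a live system, pass in the captured output of `pfctl -sn` and `pfctl -sr` in place of the constructed samples.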
jits (Full Member, Posts: 205)
Re: How is this possible?
« Reply #2 on: June 25, 2009, 07:21:51 pm »
Ok, I understand, but shouldn't the firewall rules dictate what passes and what doesn't?
By installing Squid and using the transparent proxy, pfSense has just said, "who needs rules now. I will become servant (LAN) to Squid" when in my mind, all packages installed should be looking to the pfSense firewall rules.
Wow. This is certainly no easy task. I take my hat off to the developers.
Is it then possible to have Squid refer to firewall rules before allowing traffic through, regardless of transparency or not?
Thanks
Jits
mhab12 (Hero Member, Posts: 628)
Re: [Squid] How is this possible?
« Reply #3 on: June 26, 2009, 09:01:28 am »
This has been discussed before:
http://forum.pfsense.org/index.php/topic,13018.0.html
http://forum.pfsense.org/index.php/topic,14607.0.html
http://forum.pfsense.org/index.php/topic,16585.0.html
The bottom line is you'll need to create a block rule for port 80 on the LAN; this way the only way out will be through Squid. Then, configure Squid as you see fit. In 1.2.x and earlier, the packages are evaluated BEFORE the firewall rule sets; this changes in 2.x. Perhaps you would be better suited using one of the newer builds? Best of luck.
jits (Full Member, Posts: 205)
Re: [Squid] How is this possible?
« Reply #4 on: June 26, 2009, 09:22:20 am »
Going bald is never fun. Now where do I scratch?? There is a workaround for what I want to do, but it's more configuration and not sure if it would have been possible with another firewall; big plus for pfSense here.
Thanks for the comments and the insights.
Appreciated...Jits.