
Author Topic: Squid Bypass Firewall rules!  (Read 10924 times)


Offline itsmorefun
Squid Bypass Firewall rules!
« on: March 01, 2009, 02:50:36 am »
Hello,
I have a problem with the Squid package: the parameter "Do NOT proxy Private Address Space (RFC 1918)" doesn't work well.
If I check it, data will not pass through the proxy; data will be forwarded directly to the destination BUT will not be blocked by firewall rules!

Same problem with the "Do NOT proxy these IPs" parameter. (no rdr on $iface proto tcp from { $exempt_ip } to any port 80)

I have opened the file /tmp/rules.debug:
The problem is here:

# Setup squid pass rules for proxy
pass in quick on vlan1 proto tcp from any to !(vlan1) port 80 flags S/SA keep state
pass in quick on vlan1 proto tcp from any to !(vlan1) port 3128 flags S/SA keep state
# Setup squid pass rules for proxy
pass in quick on vlan2 proto tcp from any to !(vlan2) port 80 flags S/SA keep state
pass in quick on vlan2 proto tcp from any to !(vlan2) port 3128 flags S/SA keep state
# Setup squid pass rules for proxy
pass in quick on vlan3 proto tcp from any to !(vlan3) port 80 flags S/SA keep state
pass in quick on vlan3 proto tcp from any to !(vlan3) port 3128 flags S/SA keep state

These rules are hard-coded in /usr/local/pkg/squid.inc:
case 'filter':
        foreach ($ifaces as $iface) {
                $rules .= "# Setup squid pass rules for proxy\n";
                $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
                $rules .= "\n";
        }
        break;

Why hard-code these rules?

Thanks
« Last Edit: March 01, 2009, 05:31:42 am by itsmorefun »

Offline itsmorefun
Re: Squid Bypass Firewall rules!
« Reply #1 on: March 01, 2009, 05:31:05 am »
I suggest four things to the developers for /usr/local/pkg/squid.inc:

->add before "$conf = <<<EOD":
        $squid_conf = $config['installedpackages']['squid']['config'][0];
        if (!empty($squid_conf['defined_ip_proxy_off'])) {
                $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
                $exempt_ip = "";
                foreach ($defined_ip_proxy_off as $ip_proxy_off) {
                        if (!empty($ip_proxy_off)) {
                                $ip_proxy_off = trim($ip_proxy_off);
                                $exempt_ip .= "$ip_proxy_off/255.255.255.255 ";
                        }
                }
                $exempt_acl = "acl deniedhosts src $exempt_ip ";
        } else {
                $exempt_acl = "";
        }

->add after "# Setup some default acls":
acl localdest dst 192.168.0.0/255.255.0.0 172.16.0.0/255.240.0.0 10.0.0.0/255.0.0.0
$exempt_acl

->add before "Allow local network(s) on interface(s)":
        if ($settingsconfig['private_subnet_proxy_off'] == 'on') {
                $conf .= "# Block access to local destinations\n";
                $conf .= "http_access deny localdest\n";
        }
        if (!empty($settingsconfig['defined_ip_proxy_off'])) {
                $conf .= "# Block access from denied IPs\n";
                $conf .= "http_access deny deniedhosts\n";
        }

->remove or re-design:
        case 'filter':
                foreach ($ifaces as $iface) {
                        $rules .= "# Setup squid pass rules for proxy\n";
                        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
                        $rules .= "\n";
                }
                break;

What do you think?
Thanks for all.
« Last Edit: March 01, 2009, 07:06:14 am by itsmorefun »

Offline trendchiller
Re: Squid Bypass Firewall rules!
« Reply #2 on: March 01, 2009, 07:56:36 am »
Well, it's the intended behaviour...
perhaps it's labeled a little confusingly...
the intended effect was to bypass the connections to these IPs...
for example for ICA connections through VPN or else...

but I'll have a look at your suggestions...
thanks!
« Last Edit: March 01, 2009, 08:00:20 am by trendchiller »

Offline itsmorefun
Re: Squid Bypass Firewall rules!
« Reply #3 on: March 01, 2009, 08:35:08 am »
There are two things:
First, if we want to bypass the proxy, we perhaps do not want all HTTP packets to be allowed by a hard-coded rule.
Second, the proxy must refuse to relay these packets if the user
sets up the proxy in his browser.

Thank you for having read my suggestions :)

Offline trendchiller
Re: Squid Bypass Firewall rules!
« Reply #4 on: March 01, 2009, 02:43:46 pm »
Hi!
We need a way to pass selected packets on destination port 80 through the firewall and not have them inspected by Squid, for some non-HTTP apps communicating on port 80 (for example the XML service from Citrix).
I do not really see another way to do this... your suggestions do not provide a way to do this, because they do not pass the packets through the firewall..
Might it be that you mean the "Do not cache" option under "cache management"?
That does not pass the packets through the firewall but does not cache them...
Passing packets in non-standard HTTP format through Squid will have them blocked (as with the ICA XML service).
I will change the field descriptions so that there will be no confusion about the function of these fields.
« Last Edit: March 01, 2009, 02:51:14 pm by trendchiller »

Offline itsmorefun
Re: Squid Bypass Firewall rules!
« Reply #5 on: March 01, 2009, 11:48:59 pm »
"your suggestions do not provide a way to do this, because they do not pass the packets through the firewall.."
????????????
Packets will always pass through the firewall, but with my suggestion it is you who make the pass or block rules, and not the Squid package.

The "Do NOT proxy Private Address Space (RFC 1918)" option means that Squid should not inspect TCP packets to local servers, but without my suggestion you force the firewall to accept packets, and I may not want packets to go to some areas...

Please read the code I suggest in full.

Thanks
« Last Edit: March 01, 2009, 11:53:56 pm by itsmorefun »

Offline trendchiller
Re: Squid Bypass Firewall rules!
« Reply #6 on: March 02, 2009, 03:17:02 am »
On 2.0 Squid can be controlled with firewall rules now, since user rules are evaluated before Squid's default "pass quick" rules.
So there the problem is gone then :-)

In pfSense 1.2.x the Squid rules are checked first, before the other rules... so this is the problem: you cannot create any rules to pass or block traffic through the firewall before Squid catches it...
« Last Edit: March 02, 2009, 03:45:41 pm by trendchiller »
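The whole thread turns on pf's rule-evaluation order: a matching rule marked "quick" ends evaluation, so when the Squid package's "pass in quick ... port 80" rules are placed ahead of the administrator's rules (the 1.2.x ordering), an administrator's block rule for port 80 is never reached, whereas with user rules first (the 2.0 ordering described in reply #6) the block wins. The following Python script is an added illustration, not code from pfSense or the Squid package: it parses the two rule lines quoted from /tmp/rules.debug plus two constructed administrator rules, evaluates them with pf's "last match wins unless quick" semantics, and returns the verdict for each ordering. The interface address table, the administrator rules and the default-deny fallback are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed interface address table (an assumption for this example):
# "(vlan1)" in a pf rule expands to the address of that interface.
IFACE_ADDRS = {
    "vlan1": ipaddress.ip_address("192.168.1.1"),
    "vlan2": ipaddress.ip_address("192.168.2.1"),
}


@dataclass
class Rule:
    action: str            # "pass" or "block"
    quick: bool            # stop evaluating at this rule if it matches
    iface: str             # interface the rule applies to ("on vlan1")
    dst: str               # "any", a CIDR, or "!(ifname)" (anything but the interface address)
    port: Optional[int]    # destination port, None means any port

    def matches(self, iface: str, dst_ip: str, dport: int) -> bool:
        if self.iface != iface:
            return False
        if self.port is not None and self.port != dport:
            return False
        return dst_matches(self.dst, dst_ip)


def dst_matches(spec: str, dst_ip: str) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    if spec == "any":
        return True
    if spec.startswith("!(") and spec.endswith(")"):
        return ip != IFACE_ADDRS[spec[2:-1]]
    return ip in ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the subset of pf syntax used by the rules quoted in the thread, e.g.
    'pass in quick on vlan1 proto tcp from any to !(vlan1) port 80 flags S/SA keep state'.
    Only the fields the evaluator needs are kept; proto, flags and state
    options are accepted and ignored."""
    toks = line.split()
    port = int(toks[toks.index("port") + 1]) if "port" in toks else None
    return Rule(
        action=toks[0],
        quick="quick" in toks,
        iface=toks[toks.index("on") + 1],
        dst=toks[toks.index("to") + 1],
        port=port,
    )


def evaluate(rules: List[Rule], iface: str, dst_ip: str, dport: int) -> str:
    """pf semantics: the LAST matching rule wins, except that a matching rule
    marked 'quick' ends evaluation immediately. With no match at all we fall
    back to a default-deny policy (assumed here, matching pfSense's implicit block)."""
    decision = "block"
    for rule in rules:
        if rule.matches(iface, dst_ip, dport):
            decision = rule.action
            if rule.quick:
                break
    return decision


# The Squid package's generated rules, as quoted from /tmp/rules.debug above.
SQUID_RULES = [parse_rule(line) for line in (
    "pass in quick on vlan1 proto tcp from any to !(vlan1) port 80 flags S/SA keep state",
    "pass in quick on vlan1 proto tcp from any to !(vlan1) port 3128 flags S/SA keep state",
)]

# Constructed administrator rules: deny vlan1 clients web access to one
# internal server network, allow everything else from vlan1.
USER_RULES = [parse_rule(line) for line in (
    "block in quick on vlan1 proto tcp from any to 10.10.0.0/16 port 80",
    "pass in quick on vlan1 proto tcp from any to any",
)]


def ruleset_squid_first() -> List[Rule]:
    """Ordering described for pfSense 1.2.x: Squid's rules are checked first."""
    return SQUID_RULES + USER_RULES


def ruleset_user_first() -> List[Rule]:
    """Ordering described for 2.0: user rules are evaluated before Squid's."""
    return USER_RULES + SQUID_RULES


if __name__ == "__main__":
    for name, rs in (("squid first (1.2.x)", ruleset_squid_first()),
                     ("user first (2.0)", ruleset_user_first())):
        verdict = evaluate(rs, "vlan1", "10.10.5.5", 80)
        print(f"{name}: vlan1 -> 10.10.5.5:80 => {verdict}")
```

Run it and the same packet (a vlan1 client to 10.10.5.5 on port 80) is passed under the Squid-first ordering, because the "pass in quick ... to !(vlan1) port 80" rule matches and ends evaluation before the block rule is seen, and blocked under the user-first ordering. Traffic on ports the Squid rules do not cover (443, for example) reaches the administrator's rules in both orderings, which is why the original poster only saw the bypass for HTTP.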