
Topic: Use squid only on 443 and 80 ports

Zoris
Use squid only on 443 and 80 ports
« on: February 06, 2018, 02:57:02 am »
Hello,

I have pfSense 2.4.2-RELEASE and Squid 0.4.43.
My task was to filter allowed web sites for one interface and block the others.
Until now I was filtering HTTP sites with Squid and HTTPS sites with a firewall rule on port 443.
Now my boss is thinking of allowing all sites for this interface, but wants to monitor which sites are visited most and by whom. I found the package lightsquid and it generates quite a good report, but it takes everything from Squid, so I needed to change the 443 handling from a firewall rule to going directly through Squid.
I configured WPAD and it worked: clients are going through Squid for both HTTP and HTTPS sites, and I can see the visited sites in lightsquid.
Now I have another problem: there are some web services configured at our production site on ports other than 80 or 443, and clients are connecting to them. This is allowed by firewall rules, but after the clients get the proxy settings they can't connect to the web services. If I disable the proxy settings on the clients they can reach the web services again.

Example configs:
Proxy server: 192.168.0.251:3128
Webservice address: 192.168.0.251:5127 (NAT'ed to server)
Squid ACL Whitelist: .* (allow everything)
ACL Safeports - Default list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535 (5127 is included by default)

When a client tries to connect to http://192.168.0.251:5127 the Squid log shows:
TCP_MISS_ABORTED/000    http://192.168.0.251:5127/

Now I have two questions:
1. Why could Squid block this web service?
2. Is it possible to configure the clients and Squid so that only ports 80 and 443 go through Squid and all other ports are managed by firewall rules?
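One way to get the behaviour asked for in question 2 at the client side is the WPAD/PAC script itself: send only port 80 and port 443 requests to Squid and return DIRECT for every other port, so those connections fall back to the firewall rules. The script below is an added example, not from the post or the pfSense/Squid projects; it uses the proxy address 192.168.0.251:3128 from the post and parses the port in plain ES3-style JavaScript (no PAC helper functions such as shExpMatch), so it runs unchanged under Node for testing and in a browser's PAC engine.

```javascript
// Added example PAC (WPAD) script: proxy only plain HTTP (80) and HTTPS (443),
// let every other port go DIRECT so firewall rules decide. Proxy address is
// the Squid instance from the post; everything else here is an assumption.

var SQUID = "PROXY 192.168.0.251:3128";
var DIRECT = "DIRECT";

// Return the TCP port a URL targets, falling back to the scheme default
// (80 for http, 443 for https). Returns -1 for unrecognised input.
function portOf(url) {
  var m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(url);
  if (!m) return -1;
  var scheme = m[1].toLowerCase();
  var authority = m[2];
  // Drop any user:pass@ prefix before looking for a port.
  var at = authority.lastIndexOf("@");
  if (at !== -1) authority = authority.slice(at + 1);
  var portMatch;
  if (authority.charAt(0) === "[") {
    // IPv6 literal, e.g. [::1]:8080
    portMatch = /^\[[^\]]*\](?::(\d+))?$/.exec(authority);
  } else {
    // hostname or IPv4, e.g. 192.168.0.251:5127
    portMatch = /^[^:]*(?::(\d+))?$/.exec(authority);
  }
  if (portMatch && portMatch[1]) return parseInt(portMatch[1], 10);
  if (scheme === "http") return 80;
  if (scheme === "https") return 443;
  return -1;
}

// Entry point the browser calls for every request (PAC standard name).
function FindProxyForURL(url, host) {
  var port = portOf(url);
  if (port === 80 || port === 443) return SQUID;
  // e.g. http://192.168.0.251:5127/ from the post bypasses Squid entirely.
  return DIRECT;
}
```

Because the decision is made in the browser, anything that ignores WPAD (or a client pointed at the proxy manually) still needs the matching firewall rule, and Squid's own ACLs remain the control for what does reach it.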