
Topic: [Squid] How is this possible?


Offline jits

  • Full Member
  • ***
  • Posts: 233
  • Karma: +1/-0
[Squid] How is this possible?
« on: June 25, 2009, 06:57:17 pm »
Hello.

Can someone please explain to me how I can still have access to the internet even after I have removed all LAN firewall rules. I am, of course, assuming that when I do this, the default rule is to automatically block all, even if I have installed Squid.

So far, I have tried to reset firewall states. No joy. I still have access. I have rebooted the PFSense machine, still no joy. I am posting this right now with absolutely no LAN firewall rules in place.

Thanks for your help.

Jits


Offline ktims

  • Sr. Member
  • ****
  • Posts: 300
  • Karma: +0/-0
Re: How is this possible?
« Reply #1 on: June 25, 2009, 07:06:23 pm »
The rules only apply to incoming traffic on the respective interface. If you have the Squid transparent proxy installed, then it adds some non-user-visible rules to allow and transparently proxy web traffic. Then, since the Squid traffic originates from the firewall (i.e. it's never incoming traffic), it's allowed out.

Offline jits

  • Full Member
  • ***
  • Posts: 233
  • Karma: +1/-0
Re: How is this possible?
« Reply #2 on: June 25, 2009, 07:21:51 pm »
OK, I understand, but shouldn't the firewall rules dictate what passes and what doesn't?

By installing Squid and using the transparent proxy, PFsense has just said, "Who needs rules now? I will become servant (LAN) to Squid," when in my mind, all packages installed should be looking to the PfSense firewall rules.

Wow. This is certainly no easy task. I take my hat off to the developers.

Is it then possible to have Squid refer to firewall rules before allowing traffic through, regardless of transparency or not?

thanks
Jits

Offline mhab12

  • Hero Member
  • *****
  • Posts: 648
  • Karma: +0/-0
Re: [Squid] How is this possible?
« Reply #3 on: June 26, 2009, 09:01:28 am »
This has been discussed before:
http://forum.pfsense.org/index.php/topic,13018.0.html
http://forum.pfsense.org/index.php/topic,14607.0.html
http://forum.pfsense.org/index.php/topic,16585.0.html

The bottom line is you'll need to create a block rule for port 80 on the LAN; this way the only way out will be through Squid. Then, configure Squid as you see fit. In 1.2.x and earlier, the packages are evaluated BEFORE the firewall rule sets; this changes in 2.x. Perhaps you would be better suited using one of the newer builds? Best of luck.
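To make the ordering that ktims and mhab12 describe concrete, here is an illustrative pf ruleset. It is an added example, not the ruleset pfSense or the Squid package actually generates, and the interface names, network and rule wording are assumptions; it only shows the shape of the problem (package rules ahead of user rules) and the port 80 block rule suggested above.

```pf
# Illustrative pf ruleset (added example, not pfSense's generated config).
# Interface names and the LAN network are assumed values.
lan_if  = "em1"
wan_if  = "em0"
lan_net = "192.168.1.0/24"

# 1. Transparent-proxy redirect, of the kind the Squid package installs
#    without showing it in the GUI. In pf, translation (rdr) runs before
#    filtering, so by the time filter rules see this traffic its destination
#    is already 127.0.0.1:3128, not the original web server.
rdr on $lan_if proto tcp from $lan_net to !($lan_if) port 80 -> 127.0.0.1 port 3128

# 2. Package-generated pass rule that lets the redirected packets reach Squid.
#    "quick" means the first matching rule wins, so on 1.2.x, where package
#    rules are placed ahead of the user's LAN rules, an empty LAN ruleset
#    never gets a say over port 80 traffic.
pass in quick on $lan_if proto tcp from $lan_net to 127.0.0.1 port 3128

# 3. Squid's own connections to the real web server originate on the
#    firewall. They are "out" on WAN, never "in" on LAN, so the LAN ruleset
#    does not apply to them at all.
pass out quick on $wan_if proto tcp from ($wan_if) to any port 80

# 4. User LAN rules (the ones visible in the GUI) would sit here. The
#    workaround from this thread: an explicit block for port 80 on LAN, so
#    that any web traffic the redirect does not capture is dropped and
#    Squid's own ACLs become the only path out for port 80. Other ports are
#    still governed by whatever LAN rules follow.
block in quick on $lan_if proto tcp from $lan_net to any port 80
```

On the box itself, `pfctl -sn` lists the active translation (nat/rdr) rules and `pfctl -sr` lists the filter rules, which is the quickest way to confirm that the package's hidden rules are loaded and to see where they sit relative to the LAN rules from the GUI. Note that the redirect in this example only captures port 80, so traffic on other ports is not proxied and is evaluated by the LAN rules as usual.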

Offline jits

  • Full Member
  • ***
  • Posts: 233
  • Karma: +1/-0
Re: [Squid] How is this possible?
« Reply #4 on: June 26, 2009, 09:22:20 am »
Going bald is never fun. Now where do I scratch?? There is a workaround for what I want to do, but it's more configuration, and I'm not sure if it would have been possible with another firewall; big plus for PFsense here.

Thanks for the comments and the insights.

Appreciated...Jits.