Could you add a block rule ahead of this rule?
Green to red service group proxy 80,443 block.
Green to firewall port 80 to 3128
Green to firewall port 443 to 3128
Could this silently redirect https and http traffic?
@jon This is the summary of this post; you can’t have everything working by just setting the firewall, that’s only when you use transparent proxy. You need to instruct any and all clients, automatically or manually to use the proxy, and whether you do it automatically or manually, it depends both on the OS and the client.
My understanding is that there are two separate issues:
A) correctly setup the squid proxy;
B) block at the firewall level any attempt to get on red from anyone in your network on the web ports.
IF you have both A and B, AND you manually set the browser of your laptop or phone to use http://ipfire.localdomain:800 and https://ipfire.localdomain:800 as proxies for port 80 and 443, THEN you must be able to browse the internet, ELSE you have a misconfigured squid.
Another way to say the same thing is: IF you have A and B, UNLESS the clients are instructed to use the proxy, your clients won't access the web.
As far as I know, there are three methods to do so:
manual configuration of the client;
automatic configuration of the client by looking at the OS system settings; this works IF the OS is being manually configured, OR it is using proxy.pac, directly or by following the DHCP setting as suggested in the wiki; <— this is my system (OS manually configured), see below
automatic configuration by the client, using proxy.pac directly.
In my situation, for mobile devices, manually setting the proxy at the OS level in the WIFI configuration pretty much works out of the box for any APP working on those devices, except a few specialized apps that do not handle a proxy server well.
Similarly but more tiresome, on MacOS I also had to set:
in the network configuration to use the proxy, and
in the client (Firefox), to use the proxy system settings.
This combination works well. Auto-discovery by using proxy.pac never worked for me. Not even once, on Android, iOS and MacOS.
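The third method listed above (the client fetching proxy.pac directly, or finding it via DHCP/WPAD) needs a PAC file. The one below is an added example, not part of the original post or of IPFire's own configuration: it assumes the proxy at ipfire.localdomain:800 as used in this thread, sends only http/https to the proxy, and keeps plain hostnames, the firewall itself and RFC 1918 addresses (green/blue/OpenVPN) DIRECT. The two small helpers are written in plain JavaScript rather than the PAC built-ins (isInNet, isPlainHostName) so the same file can also be checked outside a browser.

```javascript
// proxy.pac -- added example for the IPFire squid setup discussed in this thread.
// Assumption: the web proxy listens on ipfire.localdomain:800 (as in the post).
var WEB_PROXY = "PROXY ipfire.localdomain:800";
var FIREWALL_HOST = "ipfire.localdomain";

// True for RFC 1918 and loopback IPv4 literals (10/8, 172.16/12, 192.168/16, 127/8).
// Written without the PAC built-in isInNet() so it also runs in a plain JS engine.
function pacIsPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a === 127;
}

// Scheme of the requested URL, lower-cased ("http", "https", "ftp", ...).
function pacSchemeOf(url) {
  var idx = url.indexOf(":");
  return idx === -1 ? "" : url.slice(0, idx).toLowerCase();
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Plain hostnames (no dot), localhost and the firewall's own web interface
  // stay inside the local network and never go through squid.
  if (h.indexOf(".") === -1 || h === "localhost" || h === FIREWALL_HOST) {
    return "DIRECT";
  }

  // Private address literals are local (green, blue, OpenVPN) and bypass the proxy.
  if (pacIsPrivateIPv4(h)) {
    return "DIRECT";
  }

  // Web traffic goes to squid. Anything else is left DIRECT; with the
  // "reject 80/443 to RED" firewall rule in place, a client that ignores
  // this file will simply be blocked rather than silently leaking to RED.
  var scheme = pacSchemeOf(url);
  if (scheme === "http" || scheme === "https") {
    return WEB_PROXY;
  }
  return "DIRECT";
}
```

Serve the file from a web server the clients can reach (for WPAD the expected name is wpad.dat, and the IPFire wiki describes handing out its URL via DHCP option 252); if a client still cannot browse with this file loaded, the firewall reject rule for ports 80/443 towards RED is what you will see in the logs, which separates "client not using the proxy" from "squid misconfigured".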
I should have added this in the first post. The client proxy is enabled and it seems to be working. And yes, this could be the problem. Since the client proxy seems to be working I figured I’d try the firewall rules side.
Referring also to my firewall rule mentioned above, I block all forward traffic as a general rule (see firewall options). Open is only mail and ICMP. So no traffic via port 80 or 443 is routed.
All traffic from clients goes through squid automatically by the firewall itself.
On the outgoing firewall rules the rule mentioned above is working.
All traffic from client to port 80 or 443 goes now through the proxy.
On the client side the proxy is manually activated in the OS (openSUSE) and in the browser (Firefox).
The WPAD rules worked on my laptop (openSUSE) and are activated for the blue network. With other OSs I have no experience.
I first created a group including every network (blue, green, OpenVPN), then this group goes to the source, NAT is unchecked, destination is RED, service group is WEB (group that includes both TCP web ports 80 and 443), reject. This is the last rule of the firewall and any exception goes above, for example the machine where I use services that do not deal well with a proxy.
The transparent proxy has been disabled since I started my experimenting. All of my experiments are on the BLUE network. (I’ll do GREEN once I figure out what is not working.)
In the non-transparent mode
Depending on which firewall rule I am experimenting with - sometimes things work and sometimes not. I am having trouble figuring out if I am fighting against the Squid Proxy cache or fighting the browser cache or fighting a Firewall rule.
This is my current rule (current experiment!). I think it is similar to your description in Post #7. I wasn’t sure if your Firewall Rule (FR) RED is Standard RED or Firewall RED. So I just picked one.
Just wanted to add an update… I was getting frustrated with setting up the proxy so I figured I’d walk away for a few days and do something else.
I have the non-transparent (conventional) proxy running and things still don’t seem to be running correctly. I was hoping updating the CU 171 (test) might change something but still no joy.
I am guessing I have something configured incorrectly but I do not know what.
Right now browsing the Internet is painfully slow. To load a new web page takes about 30 seconds. If I enable transparent mode all of the slowness disappears. I think it is my firewall rule, but only because that is a big unknown for me.
I did the opposite. I only allow a handful of ports that are needed. Why should I keep every window and door open? That’s just a security risk. So my default outgoing firewall setting is set to “blocked”.