Something interesting is happening. I have noticed I cannot access any ProtonMail services through IPFire (IPFire 2.27 (x86_64) - Core Update 169).
Not their email website, any other service websites, also their VPN doesn’t connect.
I have tried completely disabling the country blocks and IPS in IPFire, but no joy.
Proton services start to work however, as soon as I:
- Move to a phone hotspot, bypassing the IPFire box, or
- Enable a 3rd party proxy that I’m using, on top of the IPFire connection.
Is there something in the ipfire logs I can check to find the cause of this?
Any info in the firewall log? Usually every dropped/rejected connection should be logged.
Protonmail bridge requires both port 80 and 443 not filtered, and so does the web service. If you have blocked the traffic from your green network to the red interface in order to go only through the proxy, Protonmail doesn’t like that. I never found a good alternative solution to opening a direct access to the web.
Green to Red is allow all, except bad countries (which I also temporarily switched off and it didn’t make a difference).
By proxy I meant a 3rd party proxy I am running on my client, which switches the original destination IP of the e.g. Proton Webmail server to the proxy destination IP and uses HTTP Connect. This happens before the traffic gets to the IPFire and seems to make a difference. Hence my initial thought that something in the IPFire engine drops traffic to the original Proton service IPs (and this doesn’t happen when requests to Proton are transported “behind” a request to Proxy IP).
Still I need to find what / why are the non-proxy requests to Proton not getting through. Will look more into that and post here when I find anything.
I use both Proton VPN and Protonmail bridge as well as the web based access, and by leaving open port 80 and 443 I have 0 problems. I do not have Suricata and I only use Spamhaus DROP in the firewall options. I do not use an external web proxy, only Squid in IPFire, but as I said, I leave port 443 and 80 open for my laptop when I am either in the green network or VPN connected to my home network.
Hmm, what do you mean exactly by “I leave port 443 and 80 open”? I have all ports open outbound (from green to red).
Surely you don’t mean to open those ports inbound (from red to green)?
I have a rule that blocks the outbound traffic on the web ports in blue, green and VPN networks so that only packets addressed to the firewall (the Squid-based IPFire proxy) can pass through. However, with another rule I need to open a direct access for my laptop so that I can use Proton services. If I leave everything open by default, everything works without any special intervention on my part.
You should look carefully at the logs to see why you are having this problem. The way I deal with this kind of problem is to open a console access to IPFire, open the system log with
tail -f /var/log/messages, connect to Proton Mail and see what happens to the logs, in real time. Ctrl-C to exit.
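The live tail suggested above gets noisy quickly, so here is an added helper (not posted by anyone in this thread, and not part of IPFire itself) that pipes the log through a small awk filter and prints one summary line per dropped or rejected packet aimed at TCP port 80 or 443. It assumes the usual netfilter log line layout as it appears in /var/log/messages on IPFire (a kernel: DROP_... or REJECT_... prefix followed by IN=, OUT=, SRC=, DST=, PROTO= and DPT= fields); the sample lines in SAMPLE_LOG are constructed for the demo, with documentation addresses, and the chain names and hosts in them are made up.

```shell
#!/bin/sh
# Added example: summarise IPFire firewall drops to the web ports.
# Assumed log layout (netfilter LOG target as written to /var/log/messages):
#   ... kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=a.b.c.d DST=w.x.y.z ... PROTO=TCP SPT=n DPT=443 ...

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG='Jul 12 10:00:01 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN URGP=0
Jul 12 10:00:02 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TTL=63 ID=1235 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=64240 SYN URGP=0
Jul 12 10:00:03 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=203.0.113.50 LEN=60 TTL=50 ID=777 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 SYN URGP=0
Jul 12 10:00:04 ipfire squid[1234]: unrelated proxy message, must be ignored'

# Reads log lines on stdin, prints: CHAIN SRC -> DST PROTO/DPT (IN -> OUT)
# for every DROP/REJECT line whose destination port is 80 or 443.
# Usage on the box: tail -f /var/log/messages | drop_summary
drop_summary() {
    awk '
    /kernel: (DROP|REJECT)/ {
        chain = ""; src = ""; dst = ""; dpt = ""; inif = ""; outif = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(DROP|REJECT)/)  chain = $i            # log prefix = chain name
            else if ($i ~ /^IN=/)       inif  = substr($i, 4)
            else if ($i ~ /^OUT=/)      outif = substr($i, 5)
            else if ($i ~ /^SRC=/)      src   = substr($i, 5)
            else if ($i ~ /^DST=/)      dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/)    proto = substr($i, 7)
            else if ($i ~ /^DPT=/)      dpt   = substr($i, 5)
        }
        if (dpt == "80" || dpt == "443") {
            printf "%s %s -> %s %s/%s (%s -> %s)\n", chain, src, dst, proto, dpt, inif, outif
            fflush()   # keep output flowing when fed by tail -f
        }
    }'
}

# Demo run over the constructed sample; prints the two web-port drops only.
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

On a real IPFire box, replace the demo line with the tail -f pipeline, reproduce the Proton connection attempt, and note the chain name in the first column: it tells you which rule set (forward, input, or one of the special drop chains) is discarding the packet, which is what you need before changing any rule.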