Cannot reach mozilla.org through proxy

Hello,

to enable the URL-Filter for HTTPS, I have now setup my client to use 10.16.1.254:800 as the Proxy for both HTTP and HTTPS.

It works fine, but I realized that I cannot access mozilla.org any more.

When I try http://mozilla.org I get an IPFire DNS-Server error page:
“Server Failure: The name server was unable to process this query.”

When I try https://mozilla.org I just get a timeout.

This is regardless of whether I have the URL-filter activated or not.
It must have something to do with using the HTTPS proxy,
because when I disable my HTTPS-blocking firewall rule, I can reach https://mozilla.org not using the proxy. http://mozilla.org then redirects directly to https://mozilla.org.

How can I get to the bottom of this?

Did you go through your logfiles?

Thanks for the reply! No, not yet. Which files would that be in particular?

Try if the IPFire itself can resolve mozilla.org. If not try to use an other server. Daniel has reported problems with .org domains on the DNS Servers of the german ISP “Telekom”.

1 Like

Sorry for my ignorance, but how do I do this?

Wouldn’t explain why he’s able to resolve the IP with disabled proxy.

Protocols -> URL Filter Protocols

As I said, the problem persists even when I disable the url filter in the proxy settings.
Should I still check the filter protocols?

Oops my bad. Thought it works with disabled URL filter. It’s always an good idea to check the logs. That’s what they are made for.

Try another DNS server, resolve the IP online and browse it or even unplug the fw and try directly with your router to make sure the fw is not the problem.

It works already when I disable my HTTPS-dropping firewall rule and tell the client to not use a proxy for HTTPS.

I will try this tomorrow! So far, I had the proxy set to not allowing URLs as IP-adresses.

Needn’t do that anymore. Since it works without blocking HTTPS rules it’s something else.

Pls post your firewall configuration for forward and outgoing communication and your entire ruleset.

And still check the fw logs :stuck_out_tongue_winking_eye:

This would explain this because with configured proxy the browser doesn’t resolve the url. It connect the proxy and send a connect “mozilla.org” and the proxy resolve the url.

As I said…

Are these the configurations and ruleset you asked for?

(Btw. I found some more pages which cannot be reached through the HTTPS proxy: https://www.startpage.com/ and also https://www.ipfire.org)

Ok some port forward rules and VPN, but you allow and disallow some things. What are your settings for:
Firewall Options -> Forward + Outgoing?

If you chose “blocked” for both, you have to open all needed ports, but don’t need to define any blocked ports anymore. It’s the same for the firewall outgoing communication. But I think you know that… I still wonder why you define allowed and blocked port rules.

Also what ports are defined in the group “allowedports”?

Forward and Outgoing are indeed both set to blocked in the Firewall Options:

Please don’t assume that I know anything. I pretty much found this system here which was setup by somebody else. My only task with the firewall so far has been to get the webfilter to work…

The allowedports is defined as:

Does this make any sense to you?

Hm no. Why do you allow HTTPS in that group? Delete it. Also delete rule 7. That’s already done by your default forward communication setting.

And why do you block @ default all outgoing firewall communication just to allow all again? In my opinion it’s not a good idea to allow all outgoing communication since there are just a few ports needed for regular use.

Did you try that?

You are probably right. As I want to block all HTTPS not going through the proxy (which is what rule 7 is for, if activated), there is no need to allow HTTPS again in another rule.

Hm, but enabling rule 7 thus far seems to be the only thing that blocks non-proxied HTTPS for me. My goal is that no HTTPS can be used without the proxy’s url filter. Are you saying my default forward communication setting should already be blocking HTTPS?

So you are saying, I should make the firewall rules more restrictive? Which rules are you referring to in particular? Again: it was not me who set up this firewall and I am quite new to the subject matter…

In my other post I have been warned to

So which one would you recommend?

Thanks again!

Yes. If you choose “allowed” you will have to create blacklists and if “blocked” the oposit -> whitelists .

Try yourself. Don’t configure the cliensts to use the proxy and you will see: http/https isn’t working anymore. Configure them to use the proxy and they will be able to communicate http/https over ipfire again (as long as the firewall is allowed to cummunicate http/https :stuck_out_tongue:).

This is up to your needs. I don’t need more than that for the firewall:

He’s right, but that means that you have to use trusted DNS servers already. I don’t know if you do. Aussies are always trustable, so I use 1.1.1.1 for primary and google DNS as reliable server 8.8.8.8 for secondary DNS.

I have now set forward and outgoing in the firewall options to “allowed” and disabled all firewall rules.
But the problem that I cannot reach the mentioned urls via the HTTPS proxy still remains.

I also tried to assign the primary and secondary DNS (1.1.1.1 and 8.8.8.8 aus you suggested) and did a reboot of ipfire afterwards. But this still does not change anything.

What else could be the cause for this?

And you may browse the server IP instead of using the domain name?