Cannot reach mozilla.org through proxy

As I said…

Are these the configurations and ruleset you asked for?

(Btw. I found some more pages which cannot be reached through the HTTPS proxy: https://www.startpage.com/ and also https://www.ipfire.org)

Ok some port forward rules and VPN, but you allow and disallow some things. What are your settings for:
Firewall Options -> Forward + Outgoing?

If you chose “blocked” for both, you have to open all needed ports, but don’t need to define any blocked ports anymore. It’s the same for the firewall outgoing communication. But I think you know that… I still wonder why you define allowed and blocked port rules.

Also what ports are defined in the group “allowedports”?

Forward and Outgoing are indeed both set to blocked in the Firewall Options:

Please don’t assume that I know anything. I pretty much found this system here, which was set up by somebody else. My only task with the firewall so far has been to get the webfilter to work…

The allowedports is defined as:

Does this make any sense to you?

Hm no. Why do you allow HTTPS in that group? Delete it. Also delete rule 7. That’s already done by your default forward communication setting.

And why do you block by default all outgoing firewall communication just to allow all again? In my opinion it’s not a good idea to allow all outgoing communication since there are just a few ports needed for regular use.

Did you try that?

You are probably right. As I want to block all HTTPS not going through the proxy (which is what rule 7 is for, if activated), there is no need to allow HTTPS again in another rule.

Hm, but enabling rule 7 thus far seems to be the only thing that blocks non-proxied HTTPS for me. My goal is that no HTTPS can be used without the proxy’s url filter. Are you saying my default forward communication setting should already be blocking HTTPS?

So you are saying, I should make the firewall rules more restrictive? Which rules are you referring to in particular? Again: it was not me who set up this firewall and I am quite new to the subject matter…

In my other post I have been warned to

So which one would you recommend?

Thanks again!

Yes. If you choose “allowed” you will have to create blacklists, and if “blocked” the opposite → whitelists.

Try yourself. Don’t configure the clients to use the proxy and you will see: http/https isn’t working anymore. Configure them to use the proxy and they will be able to communicate http/https over ipfire again (as long as the firewall is allowed to communicate http/https).

This is up to your needs. I don’t need more than that for the firewall:

He’s right, but that means that you have to use trusted DNS servers already. I don’t know if you do. Aussies are always trustable, so I use 1.1.1.1 for primary and google DNS as reliable server 8.8.8.8 for secondary DNS.

I have now set forward and outgoing in the firewall options to “allowed” and disabled all firewall rules.
But the problem that I cannot reach the mentioned urls via the HTTPS proxy still remains.

I also tried to assign the primary and secondary DNS (1.1.1.1 and 8.8.8.8 as you suggested) and did a reboot of ipfire afterwards. But this still does not change anything.

What else could be the cause for this?

And can you browse to the server IP instead of using the domain name?

I just tried 63.245.208.195 to reach mozilla.org.

I got the browser warning (regarding the certificate?) which I dismissed.
Then I got a timeout like when I tried to reach mozilla.org directly.
mozilla.org is also automatically inserted as the browser URL.

So this means that the DNS is working, right?

What else could it be?

Upstream proxy.

Check the firewall log for the ip.

I do not see 63.245.208.195 in my firewall log.

Accessing web pages (successful or not) does not seem to put an entry into the log.
I only have entries with “Proto” being 2 or UDP…

I think I can’t help you with that. I would switch RED to WWAN just to make sure it’s not related to my ISP. I can’t explain why ipfire should filter websites when it’s not supposed to and it doesn’t come up in the logs.

All right, thanks anyway! I will try to get some local support who can hopefully resolve this.
Will tell you if we have found the cause for this…

Hello Linus,

I got three questions on this.

First of all, have you set your ipfire as the primary ntp server of your network? (And if yes, did you set the ntp server in your dhcp options tab?)

On your clients where you try to access mozilla.org, just to eliminate possible errors, have you checked the local time and date settings?

On your clients, where have you set your proxy settings? Have you set them in the OS proxy settings or in the browser settings? If not, you can try it again and set the proxy server also in the browser settings tab.

Possibly it is logged not as an IP but as an FQDN?

I have another idea:

Just for testing purposes: do you get the same error message if you change the port of the proxy, and if you enable/disable the transparent proxy?

Thanks for your suggestions.

Setting up the proxy also in the browser (instead of just in the OS) did not change anything.

Switching “Transparent on Green” on and off in the IPFire proxy configuration also did not change anything.

The local time of my clients seems to be the correct time of my time zone.

What do you mean by changing the port? Just enter a port other than 800 for “proxy port” in the IPFire configuration? Which should I use?

I am afraid I don’t know how to do this… As I said, the network and firewall here were set up by an external contractor. I have been trying to get hold of them since last week…

This is what my firewall log looks like:

Hi everybody,

it seems we solved the mystery!

When running nslookup on an ipfire shell, we realised that the server in use was 127.0.0.1.
So we changed this in /etc/resolv.conf to:
nameserver 1.1.1.1

We then restarted IPFire via the browser interface and from there on it worked.

Could anybody explain to me what has happened here?
What is the difference between the DNS server set in /etc/resolv.conf and those (primary and secondary) set in the Network -> Assign DNS-Server?

127.0.0.1 is the local recursor when - for example - your dnssec fails.
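The check described in this thread (running nslookup on the IPFire shell and finding 127.0.0.1 as the server) can be made explicit by asking both the local recursor and the upstream resolver the same question and comparing the answers. The script below is an added example, not code from this thread or from IPFire; it assumes both servers answer plain DNS on UDP port 53, and the address 63.245.208.195 used in the test is the one quoted earlier in the thread.

```python
"""Compare A-record answers from the local recursor (127.0.0.1) and an upstream resolver."""
import socket
import struct

def build_query(name, txid=0x1234):
    # Header: id, flags (RD=1 only), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    # Advance past a (possibly compressed) domain name, returning the next offset.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(data, txid):
    # Returns (rcode, [IPv4 strings]); rcode 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def resolve_via(name, server, timeout=3.0):
    # Send one query to a specific server instead of whatever /etc/resolv.conf points at.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, 0x1234)

if __name__ == "__main__":
    for server in ("127.0.0.1", "1.1.1.1"):
        try:
            print(server, resolve_via("mozilla.org", server))
        except (socket.timeout, OSError) as exc:
            print(server, "no answer:", exc)
```

A SERVFAIL or timeout from 127.0.0.1 while 1.1.1.1 answers points at the local recursor (for example a DNSSEC validation failure) rather than at the proxy or firewall rules.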

So do you understand why it works for me when I put nameserver 1.1.1.1 into /etc/resolv.conf?
Is this even a “good solution”?