This is supposed to filter websites, control access, etc.
To do this, I have to set the IP address of the IPFire with the port number, for example 192.168.3.1 and port 800, in the client under proxy settings.
So far so good and it works.
If a user on the client deletes the proxy again, the filtering, access times, etc. are bypassed again, or not?
On the client, the assignment of the IP address, gateway and DNS is assigned by the IPFire or should something be changed here?
Yes, client settings are indeed beyond the direct control of the IPFire system administrator. However, you can enforce the use of the proxy at the firewall level. This can be done by blocking any direct access to the internet (the red interface) on standard web ports from your LAN. This way, only traffic passing through IPFire (the proxy) will be able to access the web.
Regarding your second point, yes, the assignment of IP addresses, gateways, and DNS settings to clients is managed by the IPFire DHCP server. For more information on configuring the DHCP server in IPFire, you can refer to the IPFire documentation.
Sorry, wait what? How should I understand that statement, I have no Proxy, so is not all my traffic passing through IPFire?
I know the cables most certainly are… the only traffic not passing through IPFire, that I can easily assume, is the traffic to Mobile Networks, like 4G and 5G.
Yes, your traffic is passing through the RED interface of IPFire. If you set up a proxy and you want all your clients to use the proxy, the rule I suggested will block any access to the RED interface USING PORTS 443 and 80 (see message below). In this case, the only option that remains to access the RED interface from within the LAN would be through the proxy.
To clarify:
We are talking about web access (HTTP / HTTPS).
The FW rule inhibits direct conversation of a client with a web server in the WWW.
All other traffic is neither affected by the rule nor this thread.
Unfortunately, this has always been a big issue. The firewall rules mentioned by @cfusco block all traffic that doesn't go through the proxy. However, the IPFire proxy only works for the web browser (or for all programs that "mimic" the web browser, http or https, regardless of whether the remote server uses the standard ports or not).
It's obvious that Outlook doesn't work. And it never will until you create firewall rules that "open a passage" for Outlook and all the services you want to work. (Outside of http and https).
The ports you mentioned need to be opened in the firewall rules, not in the proxy. And the rules for opening these ports should come before the rules mentioned by @cfusco. If a firewall rule is valid, all the rules that follow are not executed. That's the logic.
Of course, it is important to consider that an "excessive use of firewall rules that open" can compromise the functioning of the proxy. For instance, if you open port 80 in the firewall rules, the web filter might become ineffective. (In this case, if you remove the proxy from the client, you would be able to browse, only on port 80). Therefore, it's advisable to only open what is necessary.
It's important to strike the right balance between openness and closure.
The possibilities are endless. I'll mention some examples:
1. You can set a firewall rule to "exempt from the obligation of using the proxy" one or more groups of IPs from the green, blue networks.
2. It is possible to "free" only the pop3 service port.
3. The combination of 1 and 2.
4. And much more.
Think carefully about what you want to do. I believe I can help you "translate into firewall rules" your decision.
This rule (which must precede the rules mentioned by @cfusco) "frees up" a group of ports, previously configured under "service / service groups."
Remember to apply the changes every time you create/modify a firewall rule by clicking on the green button that will appear at the top after saving the new rule.
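Added example, not part of the thread and not IPFire's own code: a small first-match model of the rule ordering discussed above, usable to check whether a planned rule list still forces ports 80 and 443 through the proxy. The GREEN subnet, the exempt host, the mail port group and the default-allow policy are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_PORTS = (80, 443)  # the ports the blocking rule in the thread covers

@dataclass(frozen=True)
class Rule:
    action: str        # "ACCEPT" or "DROP"
    source: str        # source network or host in CIDR form
    ports: frozenset   # destination TCP ports the rule covers
    note: str = ""

def decide(rules, src_ip, dport, default="ACCEPT"):
    """First matching rule wins; later rules are never evaluated."""
    for rule in rules:
        if ip_address(src_ip) in ip_network(rule.source) and dport in rule.ports:
            return rule.action
    return default  # assumption: unmatched LAN -> RED traffic is allowed

def proxy_bypass_ports(rules, src_ip, default="ACCEPT"):
    """Web ports this client can reach directly on RED, without the proxy."""
    return [p for p in WEB_PORTS if decide(rules, src_ip, p, default) == "ACCEPT"]

# Constructed sample rules (addresses and port groups are illustrative only).
GREEN = "192.168.3.0/24"
block_web = Rule("DROP", GREEN, frozenset({80, 443}), "force web via proxy")
mail_ok = Rule("ACCEPT", GREEN, frozenset({110, 587, 993}), "mail service group")
mail_too_wide = Rule("ACCEPT", GREEN, frozenset({80, 110, 587, 993}), "group also holds 80")
exempt_host = Rule("ACCEPT", "192.168.3.50/32", frozenset({80, 443}), "proxy-exempt host")

RULESETS = {
    "GOOD": [mail_ok, block_web],               # mail opened before the block
    "TOO_OPEN": [mail_too_wide, block_web],     # port 80 opened: filter bypassable
    "EXEMPT": [exempt_host, mail_ok, block_web],
    "WRONG_ORDER": [block_web, exempt_host],    # exemption is never reached
}

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        for client in ("192.168.3.20", "192.168.3.50"):
            ports = proxy_bypass_ports(rules, client)
            print(f"{name:12} {client:13} direct web ports: {ports or 'none'}")
```
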