Configure a Proxy

Hello dear people,

I have a question about the WebProxy.

This is supposed to filter websites, control access, etc.
To do this, I have to set the IP address of the IPfire with the port number, for example and 800 port, in the client under proxy settings.
So far so good and it works.
If a user on the client deletes the proxy again, the filtering, access times etc etc are bypassed again, or not?

On the client, the assignment of the IP address, gateway and DNS is assigned by the IpFire or should something be changed here?

Yes, client settings are indeed beyond the direct control of the IPFire system administrator. However, you can enforce the use of the proxy at the firewall level. This can be done by blocking any direct access to the internet (the red interface) on standard web ports from your LAN. This way, only traffic passing through IPFire (the proxy) will be able to access the web.

Here, ‘web’ refers to a firewall group set up to manage these restrictions.

Regarding your second point, yes, the assignment of IP addresses, gateways, and DNS settings to clients is managed by the IPFire DHCP server. For more information on configuring the DHCP server in IPFire, you can refer to the IPFIre documentation.


The mechanism for client configuring is called WPAD.

1 Like

Sorry, wait what? How should I understand that statement, I have no Proxy, so is not all my traffic passing through IPFire?
I know the cables most certainly are… the only traffic not passing through IPFire, that I can easily assume, is the traffic to Mobile Networks, like 4G and 5G.

yes, your traffic is passing through the RED interface of IPFire. If you set up a proxy and you want all your clients to use the proxy, the rule I suggested will block any access to the RED interface USING PORTS 443 and 80 (see message below). In this case, the only option that remains to access the RED interface from within the LAN would be through the proxy.

1 Like

To clarify:
We are talking about web access ( HTTP / HTTPS ).
The FW rule inhibits direct conversation of a client with a web server in the WWW.
All other traffic is neither affect by the rule nor this thread.


wow, you’re brilliantly fast again :slight_smile:

Now I understand it and it works as it should.
I wasn’t aware of the last little step, but it was actually logical.

TOP, thank you for that

Hello dear people,

the proxy runs as far as uspoer with URL filter etc etc.

Only Outlook doesn’t want to come out :frowning:

I have adjusted the permitted and TLS ports but somehow it doesn’t work. Should I create an extra firewall rule?

Here are the ports that I set in the proxy settings:
80# http
21 # ftp
443 # https
563 # snews
70# gopher
210 #wais
1025-65535 # unregistered ports
280 # http mgmt
488 # gss-http
591 # file maker
777 # multiling http
800 # Squids port (for icons)
993 # IMAPs
587 # SMTP
465 # ssmtp


443 # https
563 # snews
993 # IMAPs
587 # SMTP
465 # ssmtp

Thank you again in advance :slight_smile:

Unfortunately, this has always been a big issue. The firewall rules mentioned by @cfusco block all traffic that doesn’t go through the proxy. However, the IPFire proxy only works for the web browser (or for all programs that “mimic” the web browser, http or https, regardless of whether the remote server uses the standard ports or not.).

To better understand, if you ‘free up’ port 563 in the proxy, all that you authorize is this:

It’s obvious that Outlook doesn’t work. And it never will until you create firewall rules that “open a passage” for Outlook and all the services you want to work. (Outside of http and https).

The ports you mentioned need to be opened in the firewall rules, not in the proxy. And the rules for opening these ports should come before the rules mentioned by @cfusco. If a firewall rule is valid, all the rules that follow are not executed. That’s the logic.

I am willing to help :wink: :blush:.

Of course, it is important to consider that an ‘excessive use of firewall rules that open’ can compromise the functioning of the proxy. For instance, if you open port 80 in the firewall rules, the web filter might become ineffective. (In this case, if you remove the proxy from the client, you would be able to browse, only on port 80). Therefore, it’s advisable to only open what is necessary.

It’s important to strike the right balance between openness and closure.

The possibilities are endless. I’ll mention some examples:

  1. You can set a firewall rule to ‘exempt from the obligation of using the proxy’ one or more groups of IPs from the green, blue networks.
  2. It is possible to “free” only the pop3 service port.
  3. The combination of 1 and 2.
  4. And much more.

Think carefully about what you want to do. I believe I can help you ‘translate into firewall rules’ your decision. :wink:

I think this can be helpful for you:

Good job :blush:.

This rule (which must precede the rules mentioned by @cfusco) ‘frees up’ a group of ports, previously configured under ‘service / service groups.’

Remember to apply the changes every time you create/modify a firewall rule by clicking on the green button that will appear at the top after saving the new rule.

Thanks again for the quick tips,

I have added a firewall rule to the clients it concerns where only these ports are open.
Of course that’s how it works.

1 Like