This is supposed to filter websites, control access, etc.
To do this, I have to set the IP address of the IPFire with the port number, for example 192.168.3.1 and port 800, in the client under proxy settings.
So far so good and it works.
If a user on the client deletes the proxy again, the filtering, access times, etc. are bypassed again, or not?
On the client, the IP address, gateway and DNS are assigned by the IPFire, or should something be changed here?
Yes, client settings are indeed beyond the direct control of the IPFire system administrator. However, you can enforce the use of the proxy at the firewall level. This can be done by blocking any direct access to the internet (the red interface) on standard web ports from your LAN. This way, only traffic passing through IPFire (the proxy) will be able to access the web.
Regarding your second point, yes, the assignment of IP addresses, gateways, and DNS settings to clients is managed by the IPFire DHCP server. For more information on configuring the DHCP server in IPFire, you can refer to the IPFire documentation.
Sorry, wait, what? How should I understand that statement? I have no proxy, so is not all my traffic passing through IPFire?
I know the cables most certainly are… the only traffic not passing through IPFire, that I can easily assume, is the traffic to Mobile Networks, like 4G and 5G.
Yes, your traffic is passing through the RED interface of IPFire. If you set up a proxy and you want all your clients to use the proxy, the rule I suggested will block any access to the RED interface USING PORTS 443 and 80 (see message below). In this case, the only option that remains to access the RED interface from within the LAN would be through the proxy.
To clarify:
We are talking about web access ( HTTP / HTTPS ).
The FW rule inhibits direct conversation between a client and a web server on the WWW.
All other traffic is neither affected by the rule nor by this thread.
Unfortunately, this has always been a big issue. The firewall rules mentioned by @cfusco block all traffic that doesn’t go through the proxy. However, the IPFire proxy only works for the web browser (or for all programs that “mimic” the web browser, http or https, regardless of whether the remote server uses the standard ports or not).
It’s obvious that Outlook doesn’t work. And it never will until you create firewall rules that “open a passage” for Outlook and all the services you want to work. (Outside of http and https).
The ports you mentioned need to be opened in the firewall rules, not in the proxy. And the rules for opening these ports should come before the rules mentioned by @cfusco. If a firewall rule is valid, all the rules that follow are not executed. That’s the logic.
Of course, it is important to consider that an ‘excessive use of firewall rules that open’ can compromise the functioning of the proxy. For instance, if you open port 80 in the firewall rules, the web filter might become ineffective. (In this case, if you remove the proxy from the client, you would be able to browse, only on port 80). Therefore, it’s advisable to only open what is necessary.
It’s important to strike the right balance between openness and closure.
The possibilities are endless. I’ll mention some examples:
You can set a firewall rule to ‘exempt from the obligation of using the proxy’ one or more groups of IPs from the green, blue networks.
It is possible to “free” only the pop3 service port.
The combination of 1 and 2.
And much more.
Think carefully about what you want to do. I believe I can help you ‘translate into firewall rules’ your decision.
This rule (which must precede the rules mentioned by @cfusco) ‘frees up’ a group of ports, previously configured under ‘service / service groups.’
Remember to apply the changes every time you create/modify a firewall rule by clicking on the green button that will appear at the top after saving the new rule.
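To make the rule-ordering logic from this thread concrete, here is an added example that models first-match firewall evaluation in Python. It is not IPFire code (IPFire's web UI generates iptables rules; this only reproduces the "first matching rule wins" behaviour described above). The LAN 192.168.3.0/24, the exempt host 192.168.3.50, the client 192.168.3.20, the web server 93.184.216.34 and the rule names are all constructed for illustration; the proxy address 192.168.3.1:800 comes from the question. The default-ACCEPT fallback for traffic no rule matches is an assumption standing in for the outgoing-allowed behaviour the thread relies on before the block rule is added.

```python
"""
Added example (not from the original thread or from IPFire): a first-match
model of the firewall rules discussed above. It shows that
  * the block rule stops direct web access but not the connection to the proxy,
  * an exemption or "open a passage" rule only works if it precedes the block rule,
  * opening port 80 in front of the block rule re-enables browsing without the proxy.
All hosts, ports and rule names other than the proxy 192.168.3.1:800 are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                        # "ACCEPT" or "DROP"
    src: IPv4Network                   # source network the rule applies to
    dst_ports: Optional[FrozenSet[int]]  # None means "any destination port"
    to_red: bool = True                # True: destination lies beyond the firewall (RED)


GREEN = ip_network("192.168.3.0/24")     # constructed LAN that contains the proxy address
PROXY = ("192.168.3.1", 800)             # proxy address and port from the question
EXEMPT = ip_network("192.168.3.50/32")   # constructed host exempted from the proxy
WEB = frozenset({80, 443})

# Rules named after the thread's discussion (names are constructed).
BLOCK_WEB = Rule("block direct web", "DROP", GREEN, WEB)          # the 80/443 rule
BLOCK_ALL = Rule("block all direct traffic", "DROP", GREEN, None)  # stricter reading
EXEMPT_WEB = Rule("exempt group from proxy", "ACCEPT", EXEMPT, WEB)
OPEN_80 = Rule("open port 80 for everyone", "ACCEPT", GREEN, frozenset({80}))
OPEN_POP3 = Rule("free pop3", "ACCEPT", GREEN, frozenset({110}))


def is_red(dst_ip: str) -> bool:
    """Assumption: anything outside GREEN is reached through the RED interface."""
    return ip_address(dst_ip) not in GREEN


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Walk the rules in order; the first rule that matches decides and later
    rules are never consulted. Returns (action, rule name). If nothing matches
    the packet is accepted (assumed default-allow for outgoing traffic)."""
    src = ip_address(src_ip)
    red = is_red(dst_ip)
    for rule in rules:
        if src not in rule.src:
            continue
        if rule.to_red and not red:
            continue
        if rule.dst_ports is not None and dst_port not in rule.dst_ports:
            continue
        return rule.action, rule.name
    return "ACCEPT", "default"


def proxy_enforced(rules: List[Rule], client: str = "192.168.3.20",
                   web: str = "93.184.216.34") -> bool:
    """True when a non-exempt client cannot reach the web directly on 80 or 443
    but can still reach the proxy; i.e. removing the proxy from the client
    does not let it bypass the web filter."""
    direct_blocked = all(evaluate(rules, client, web, p)[0] == "DROP" for p in WEB)
    proxy_ok = evaluate(rules, client, *PROXY)[0] == "ACCEPT"
    return direct_blocked and proxy_ok


if __name__ == "__main__":
    client, exempt, web = "192.168.3.20", "192.168.3.50", "93.184.216.34"
    rulesets = {
        "block only": [BLOCK_WEB],
        "exempt before block": [EXEMPT_WEB, BLOCK_WEB],
        "exempt after block (wrong)": [BLOCK_WEB, EXEMPT_WEB],
        "port 80 opened before block": [OPEN_80, BLOCK_WEB],
        "pop3 freed before block-all": [OPEN_POP3, BLOCK_ALL],
        "pop3 freed after block-all (wrong)": [BLOCK_ALL, OPEN_POP3],
    }
    for label, rules in rulesets.items():
        print(f"== {label}: proxy enforced = {proxy_enforced(rules)}")
        print("   client -> web:443   ", evaluate(rules, client, web, 443))
        print("   client -> web:80    ", evaluate(rules, client, web, 80))
        print("   client -> proxy:800 ", evaluate(rules, client, *PROXY))
        print("   exempt -> web:443   ", evaluate(rules, exempt, web, 443))
        print("   client -> pop3:110  ", evaluate(rules, client, web, 110))
```

Running it shows the two mistakes the last post warns about: putting the exemption (or the pop3 "passage") after the block rule makes it dead code, because the block rule matches first, and putting a blanket "open port 80" rule in front of the block rule lets a client that removes the proxy browse plain HTTP directly.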