Firewall rule for web-proxy

I’m stuck in making the web-proxy work.
What outgoing firewall rule do I need for web-proxy to get it work?


well, I use this rules in the outgoing traffic:

Source: firewall (red)
Destination: Standard networks (red)
Protocol: Service Groups (Web-Proxy)

and in the Service Groups:
Web-Proxy (http 80 TCP; https 443 TCP)

That’s all

somehow I’m stuck in that problem… I even allowed every traffic and can not use the proxy, so it depends not on the firewall.
In the Browser I set the IP of the blue (wifi) network (for my laptop) of the ipfire and the port 800. Socks is empty.

Hi @fstarter.

After long tests, it works for me as follows:

In “Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)” I have put this range to be able to access the devices that are in the RED range (Router, Printer, APs, etc …).

Although the “Option code 252 = text” does not work in Firefox, I put it for Chrome and Edge.

In “Host” I have defined the IPs of the devices that are in “RED”.

The device group in “RED” for the Firewall rule.

The “Services” group to prevent bypassing the Proxy, for the Firewall rule.

The important ones are 4 and 5. One allows communication to devices that are on “RED” and the other prevents anyone from bypassing the Proxy.

And finally, the configuration in Windows to pass through the Proxy. I have tried it like this and it works. Everything goes through the Proxy.

Hope this can help you. You will tell us.



hmm… thanks, but the thing is, I have no red devices except the ipfire itself which connects to the provider router. Every other device is in the green or blue network. I also have no dhcp server running. And it will be enough if I can just set the proxy in the browser of each VM (I use QubesOS) that should use the proxy. So I think there is no need for me to set the PAC file.

As it seems, the problem is yet in the blocked outgoing connections. If I make a rule just as mentioned by ip-mfg and set browser to use blue gateway / proxy of the firewall, everything works in the VMs which are not using sys-whonix (QubesOS). VMs with sys-whonix as interposed netVM do not work with the browser settings. So it seems to be a special problem of the QubesOS settings.

What I don’t understand, why do I need this outgoing rule for the red ipfire to the red network?? So from red to red… it’s somehow crazy in my understanding, but it seems to work.

Hi @fstarter.

It is the configuration that works for me. Logically, it will be different from the one you have and that is why, behind to adapt it.

If you do not have devices in the NAT that Router-Wan IPFire (RED) does, do not put in the Proxy anything in “Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)” nor rule number 4 of the Firewall.

The only valid rules for this are 4 and 5. And 4, only if you have devices in front of the IPFire and you want to access them. The others are ones that I have to secure the connections a bit.

Rule 5 denies all HTTP and HTTPS communication that goes through the IPFire since the communication that is established by proxy is through port 800. In this way, we prevent proxy bypassing.

For me, the rule that specifies @ip-mfg does not work for me since it cuts off all communication since the traffic that goes out of RED is through port 80 and 443. On the other hand, the HTTP and HTTPS traffic between the GREEN and BLUE interfaces, goes through port 800.

Tell Us something.


Well I am not a programmer of ifire.
What I understand from the rule processing in ipfire is that there are rules between the the ipfire system and the red NIC. There comes my rule in use.
I think this has something to do with the integration of the web proxy in the firewall software. In my understanding of the logic of traffics there should be an incoming rule for traffic from green to the fire wall (as you need it for NTP). But this is not the case.
Somewhere in the documentation is a flow chart which describes sequence of the various functions of the firewall. May be this could be of help for you. Unfortunately I don’t find it in the moment.

@ip-mfg hmm… but does it also mean, if I allow the red firewall to access the red network, it can access the whole internet?? Because I gave access just to the update and dot server till now.

@roberto I don’t really understand the point… suppose it has to do with my bad english knowledge AND the advanced settings. So how do you do the 4th rule? From green to what? I have already rules for the hosts in the green and blue network to the red network (just to access the internet). As I understand, the red network is the “whole internet” (there ist also my provider router). So why do I need these extra rules?

And by the way… can I also use PAC without DHCP?

these are my existing rules:

Good morning @fstarter.

There are two of us with the language. We are all here to learn. Each one contributes the knowledge they can. :+1:

Here is a link that explains how the Firewall works by default. It is very interesting (it saves duplicate rules regarding operation):

In short. The default IPFire denies all incoming traffic and allows all outgoing traffic. But if it goes through the Proxy, instead of using ports 80 and 443, it uses 800. This must be taken into account if we want to create rules.

The IPFire Firewall runs the rules in cascade. In other words, from top to bottom.

My network scheme is like this:

Rule 4 is so that I can access via port 80 and 443 the devices that are in the RED part from GREEN.


1 Like

The rules I stated allow only access to the internet via the proxy (the forward, outgoing and input traffic is blocked by the default rule). If I want to limit the traffic to the internet not only to https and http there has to be put another rule in front of my rule i.e. block every https traffic except the route to defined servers; ideally grouped under hosts