I configured an IPFire server with red, green and blue networks. The transparent proxy is enabled for green and blue with the URL filter, and it works.
But many users don't use the proxy in their browsers, such as Firefox or Chrome, and the URL filter isn't applied. These users must be blocked!
Should I configure the proxy in non-transparent mode or/and block all outgoing internet connections with the firewall?
Will this solution force users to select the proxy?
I blocked all traffic on ports 80 and 443 on green and blue. I configured all computers to use the proxy and it works! The URL filter is up and functional.
But… email clients like Thunderbird (with the same proxy configuration as Firefox) don't work… SMTP port 465 (TCP) is closed and users can't send email, for example.
I tried many firewall rules after adding ports 465 - 587 to the proxy configuration, but it's not working.
Could someone tell me precisely which rules I must add to my firewall configuration to open these ports, please? It will be my last subject!
I configured it with all outgoing traffic blocked and forced users to use the proxy with the URL filter on their computers. It works, but I don't know precisely what I must do to open the SMTP / IMAP ports.
I created some rules and enabled ports 465 - 587 - 993 in the proxy, but it doesn't work… I tried to send an email and it failed.
What is the best practice? Access to web sites is OK but email isn't…
Today web site access is OK. I don't want to reconfigure internet access and the proxy anymore. I just want email access.
I tried to block all outgoing, just 80 and 443, but it failed with many proxy issues.
I tried different configurations for the email but they failed. In addition, I am not on site to test sending email. Today, I can simply connect with OpenVPN to the IPFire interface and over SSH, in order to see with netstat whether the ports are open or not.
I simply ask for a little help on precisely what I can do with the firewall rules in order to open the connection with ports 993, 465 and 587.
OK but you are making your life difficult for yourself and your users.
Create a port group (Firewall > Firewall Groups > Service Groups) with the ports you want to allow then add a rule above your block rule to allow the Service Group. Or add the rules individually.
BTW, 993 (IMAPS) is just for picking up mail and not for sending, so I assume you are using an external email provider?
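
The rule ordering described in the reply above, as an added example that is not part of the original thread and is not IPFire code: a simplified first-match model in Python showing why the allow rule for the service group has to sit above the block rule. The `Rule` class, `decide` function and default policy are assumptions made for illustration; the zones and ports are the ones named in the thread.

```python
# Added example: first-match evaluation of an ordered outgoing rule list.
# Zone names and ports come from the thread; the rule model is a simplification.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

MAIL_SERVICES = frozenset({465, 587, 993})  # the "Service Group" from the reply


@dataclass(frozen=True)
class Rule:
    name: str
    zones: FrozenSet[str]            # source zones the rule applies to
    ports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                      # "ACCEPT" or "DROP"

    def matches(self, zone: str, port: int) -> bool:
        return zone in self.zones and (self.ports is None or port in self.ports)


def decide(rules: List[Rule], zone: str, port: int, default: str = "ACCEPT") -> str:
    """Return the action of the first matching rule; order decides the result."""
    for rule in rules:
        if rule.matches(zone, port):
            return rule.action
    return default  # assumed default policy when no rule matches


LAN = frozenset({"green", "blue"})
allow_mail = Rule("allow mail services", LAN, MAIL_SERVICES, "ACCEPT")
block_all = Rule("block all outgoing", LAN, None, "DROP")

GOOD_ORDER = [allow_mail, block_all]  # allow rule above the block rule
BAD_ORDER = [block_all, allow_mail]   # allow rule is never reached


def report(rules: List[Rule], zone: str = "green") -> Dict[int, str]:
    """Decision per destination port for direct (non-proxy) connections."""
    return {port: decide(rules, zone, port) for port in (80, 443, 465, 587, 993)}


if __name__ == "__main__":
    print("allow above block:", report(GOOD_ORDER))
    print("allow below block:", report(BAD_ORDER))
```

With the allow rule first, direct connections to 80 and 443 are still dropped, so browsing keeps going through the proxy and URL filter, while the mail ports pass.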