How to Disable Access from Blue to Green

Hello @ all,

I don't understand why some connections work.
My system is a hardware appliance from Lightning-Wire Labs.
Interfaces are Green-Blue-Orange-Red.

A non-transparent proxy runs on the green interface.
Allowed subnets are some from 192.168.10.0/24 to 192.168.40.0/24,
but some subnets are not allowed, for example 192.168.110.0/24.

On the blue interface there runs a transparent proxy.
The subnet is only 192.168.254.0/24 with DHCP.
See the picture:

The problem is that clients from the Blue-LAN (192.168.254.0/24) can connect to HTTP sites in subnets from Green which are not allowed to access the Internet from green (for example 192.168.110.0/24).

When I put the subnet into the allowed subnets in the “Network-allowed Accesscontrol”, then the clients were blocked.

How can I disable the access from the Blue-LAN to clients in the Green-LAN which are not allowed to access the internet?

Thank You.

Hi,

first, welcome to the IPFire community. :slight_smile:

Just to have it mentioned: You are aware of the transparent proxy not being able to work with HTTPS sites, are you?

You could group them so you do not have to write forty lines (I can recommend sipcalc for such calculations):

  • 192.168.10.0/23
  • 192.168.12.0/22
  • 192.168.16.0/20
  • 192.168.32.0/21
  • 192.168.40.0/24

Since I am not sure whether I have understood your problem, I try repeating it in my own words:

There are some networks within GREEN which are not allowed to access the internet, such as 192.168.110.0/24. You want to have the BLUE network (192.168.254.0/24) to have access to the internet, but it is also able to reach some GREEN networks through the proxy.

According to the documentation, this should not happen anymore if you ticked the “Disable internal proxy access from Green to other subnets” and “Disable internal proxy access from Blue to other subnets” boxes - which you did.

I am puzzled to hear this still works. Could you post the content of the file /var/ipfire/proxy/squid.conf (make sure to redact confidential information in the first place) here?

Thanks, and best regards,
Peter Müller

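As an added example (not part of Peter's post and not IPFire code), the grouping he suggests can be computed and double-checked with Python's standard ipaddress module instead of sipcalc. collapse_addresses merges only adjacent, correctly aligned blocks, so it reproduces his five summaries for the contiguous 192.168.10.0/24 .. 192.168.40.0/24 range and leaves a list with gaps untouched. The gapped list below is a constructed sample, not taken from any configuration file.

```python
import ipaddress


def consecutive_24s(first: int, last: int, prefix: str = "192.168") -> list[str]:
    """Build the /24 networks prefix.<first>.0/24 .. prefix.<last>.0/24 (inclusive)."""
    return [f"{prefix}.{i}.0/24" for i in range(first, last + 1)]


def aggregate(cidrs: list[str]) -> list[str]:
    """Collapse a list of CIDR strings into the fewest covering CIDR blocks.

    Only blocks that are adjacent *and* aligned to the larger block boundary
    are merged, so the result never covers an address that was not in the input.
    """
    networks = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(networks)]


def covers(cidrs: list[str], host: str) -> bool:
    """True if the host address lies inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


# Peter's case: every /24 from 192.168.10.0 to 192.168.40.0 is allowed.
CONTIGUOUS = consecutive_24s(10, 40)
SUMMARY = aggregate(CONTIGUOUS)      # five blocks, matching his list

# Constructed sample with gaps (only some /24s allowed): nothing can be merged
# because no two allowed blocks are adjacent and aligned.
GAPPED = ["192.168.10.0/24", "192.168.12.0/24", "192.168.22.0/24", "192.168.24.0/24"]
GAPPED_SUMMARY = aggregate(GAPPED)

if __name__ == "__main__":
    print("contiguous ->", SUMMARY)
    print("gapped     ->", GAPPED_SUMMARY)
    # A quick sanity check that the summary covers exactly the original range.
    for i in range(10, 41):
        assert covers(SUMMARY, f"192.168.{i}.1")
    assert not covers(SUMMARY, "192.168.9.255") and not covers(SUMMARY, "192.168.41.0")
```

Running it prints the five summaries from the post and shows that the gapped list stays at four /24 entries, which is why an ACL file for a non-contiguous allow list cannot be shortened this way.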

Hello,
thanks for your answer.

Just to have it mentioned: You are aware of the transparent proxy not being able to work with HTTPS sites, are you?

==> What do you mean by “…not being able to work with HTTPS…”?
The Blue-LAN is an open WLAN with no restriction.

You could group them so you do not have to write forty lines (I can recommend sipcalc for such calculations):

==> Not all of them in this range are allowed. For example:

192.168.10.0/24 allowed
192.168.11.0/24 NOT allowed
192.168.12.0/24 allowed
192.168.13.0/24 NOT allowed
192.168.14.0/24 NOT allowed
192.168.15.0/24 NOT allowed
192.168.16.0/24 NOT allowed
192.168.17.0/24 NOT allowed
192.168.18.0/24 NOT allowed
192.168.19.0/24 NOT allowed
192.168.20.0/24 NOT allowed
192.168.21.0/24 NOT allowed
192.168.22.0/24 allowed
192.168.23.0/24 NOT allowed
192.168.24.0/24 allowed
192.168.25.0/24 NOT allowed
and so on … and that varies.

Now to my question.
Your description is right.
We want to have access from Blue to the internet, but the Blue-LAN should not have access to Green!!

Here is the squid.conf:

# Do not modify '/var/ipfire/proxy/squid.conf' directly since any changes
# you make will be overwritten whenever you resave proxy settings using the
# web interface!
#
# Instead, modify the file '/var/ipfire/proxy/advanced/acls/include.acl' and
# then restart the proxy service using the web interface. Changes made to the
# 'include.acl' file will propagate to the 'squid.conf' file at that time.

shutdown_lifetime 5 seconds
icp_port 0

http_port 192.168.12.7:3128
http_port 192.168.254.1:3128
http_port 192.168.254.1:3129 intercept


cache_effective_user squid
umask 022

pid_filename /var/run/squid.pid

cache_mem 2 MB
error_directory /usr/lib/squid/errors/de

digest_generation off

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 8443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 563 # snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3128 # Squids port (for icons)
acl Safe_ports port 53  # DNS
acl Safe_ports port 4443 # Personal Port

acl IPFire_http  port 81
acl IPFire_https port 444
acl IPFire_ips              dst 192.168.12.7
acl IPFire_networks         src "/var/ipfire/proxy/advanced/acls/src_subnets.acl"
acl IPFire_servers          dst "/var/ipfire/proxy/advanced/acls/src_subnets.acl"
acl IPFire_green_network    src 192.168.12.0/24
acl IPFire_green_servers    dst 192.168.12.0/24
acl IPFire_blue_network     src 192.168.254.0/24
acl IPFire_blue_servers     dst 192.168.254.0/24
acl IPFire_banned_ips       src "/var/ipfire/proxy/advanced/acls/src_banned_ip.acl"
acl IPFire_unrestricted_ips src "/var/ipfire/proxy/advanced/acls/src_unrestricted_ip.acl"
acl CONNECT method CONNECT
maximum_object_size 4096 KB
minimum_object_size 0 KB

cache_dir aufs /var/log/cache 50 16 256
request_body_max_size 0 KB
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

strip_query_terms off

log_mime_hdrs off
forwarded_for off
via off

acl within_timeframe time MTWHFAS 00:00-24:00


#Access to squid:
#local machine, no restriction
http_access allow         localhost

#GUI admin if local machine connects
http_access allow         IPFire_ips IPFire_networks IPFire_http
http_access allow CONNECT IPFire_ips IPFire_networks IPFire_https

#Deny not web services
http_access deny          !Safe_ports
http_access deny  CONNECT !SSL_ports
#Set download throttling
delay_pools 2
delay_class 1 3
delay_class 2 3
delay_parameters 1 -1/-1 -1/-1 -1/-1
delay_parameters 2 512000/1024000 -1/-1 -1/-1
delay_access 1 deny  IPFire_ips
delay_access 1 deny  IPFire_unrestricted_ips
delay_access 1 allow IPFire_green_network
delay_access 1 deny  all
delay_access 2 deny  IPFire_ips
delay_access 2 deny  IPFire_unrestricted_ips
delay_access 2 allow IPFire_blue_network
delay_access 2 deny  all
delay_initial_bucket_level 100

#Prevent internal proxy access to Green except IPFire itself
http_access deny IPFire_green_servers !IPFire_ips !IPFire_green_network

#Prevent internal proxy access from Blue except IPFire itself
http_access allow IPFire_blue_network IPFire_blue_servers
http_access deny  IPFire_blue_network !IPFire_ips IPFire_servers

#Set custom configured ACLs
http_access deny  IPFire_banned_ips
http_access allow IPFire_unrestricted_ips
http_access allow IPFire_networks within_timeframe
http_access deny  all

#Strip HTTP Header
request_header_access X-Forwarded-For deny all
reply_header_access X-Forwarded-For deny all
request_header_access Via deny all
reply_header_access Via deny all

httpd_suppress_version_string on

visible_hostname "the_Hostname"

cache_mgr "Some-EMailaddress"

max_filedescriptors 16384

url_rewrite_program /usr/sbin/redirect_wrapper
url_rewrite_children 2 startup=2 idle=2 queue-size=64

Thanks, and BR
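As an added example, not from this thread and not IPFire's own code, the following Python model replays the http_access lines of the posted squid.conf with Squid's first-match rule (a line decides as soon as every ACL on it matches; a "!" term matches when the ACL does not). The contents of src_subnets.acl are not in the thread, so SRC_SUBNETS below is a constructed stand-in made of the subnets marked "allowed" in the reply plus the GREEN and BLUE networks; the banned and unrestricted lists are assumed empty. Walking a BLUE client's requests through the rules shows where each destination is decided: a GREEN-side subnet that is not in the allowed list never matches IPFire_servers, so it falls through to the broad "allow IPFire_networks within_timeframe" line. The IPFire_green_side ACL at the end is a hypothetical tightening used only to test the model, not an IPFire option.

```python
import ipaddress

# Constructed stand-in for /var/ipfire/proxy/advanced/acls/src_subnets.acl (assumption):
# the "allowed" subnets from the reply plus the GREEN and BLUE interface networks.
SRC_SUBNETS = ["192.168.10.0/24", "192.168.12.0/24", "192.168.22.0/24",
               "192.168.24.0/24", "192.168.254.0/24"]


def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def ports(*spec):
    """Port ACL: ints match exactly, (lo, hi) tuples match an inclusive range."""
    return lambda p: any(p == s if isinstance(s, int) else s[0] <= p <= s[1] for s in spec)


# ACL definitions transcribed from the posted squid.conf.
ACLS = {
    "localhost":               ("src",    nets(["127.0.0.1/32"])),
    "IPFire_http":             ("port",   ports(81)),
    "IPFire_https":            ("port",   ports(444)),
    "IPFire_ips":              ("dst",    nets(["192.168.12.7/32"])),
    "IPFire_networks":         ("src",    nets(SRC_SUBNETS)),
    "IPFire_servers":          ("dst",    nets(SRC_SUBNETS)),
    "IPFire_green_network":    ("src",    nets(["192.168.12.0/24"])),
    "IPFire_green_servers":    ("dst",    nets(["192.168.12.0/24"])),
    "IPFire_blue_network":     ("src",    nets(["192.168.254.0/24"])),
    "IPFire_blue_servers":     ("dst",    nets(["192.168.254.0/24"])),
    "IPFire_banned_ips":       ("src",    nets([])),          # assumed empty
    "IPFire_unrestricted_ips": ("src",    nets([])),          # assumed empty
    "SSL_ports":               ("port",   ports(443, 563, 8443)),
    "Safe_ports":              ("port",   ports(80, 21, 443, 563, 70, 210, (1025, 65535),
                                                280, 488, 591, 777, 3128, 53, 4443)),
    "CONNECT":                 ("method", {"CONNECT"}),
    "within_timeframe":        ("always", None),   # MTWHFAS 00:00-24:00 always matches
    "all":                     ("always", None),
}

# http_access lines from the posted squid.conf, in file order (index = position).
HTTP_ACCESS = [
    ("allow", ["localhost"]),                                                   # 0
    ("allow", ["IPFire_ips", "IPFire_networks", "IPFire_http"]),                # 1
    ("allow", ["CONNECT", "IPFire_ips", "IPFire_networks", "IPFire_https"]),    # 2
    ("deny",  ["!Safe_ports"]),                                                 # 3
    ("deny",  ["CONNECT", "!SSL_ports"]),                                       # 4
    ("deny",  ["IPFire_green_servers", "!IPFire_ips", "!IPFire_green_network"]),# 5
    ("allow", ["IPFire_blue_network", "IPFire_blue_servers"]),                  # 6
    ("deny",  ["IPFire_blue_network", "!IPFire_ips", "IPFire_servers"]),        # 7
    ("deny",  ["IPFire_banned_ips"]),                                           # 8
    ("allow", ["IPFire_unrestricted_ips"]),                                     # 9
    ("allow", ["IPFire_networks", "within_timeframe"]),                         # 10
    ("deny",  ["all"]),                                                         # 11
]


def acl_matches(name, req, acls):
    kind, data = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in n for n in data)
    if kind == "dst":
        return any(ipaddress.ip_address(req["dst"]) in n for n in data)
    if kind == "port":
        return data(req["port"])
    if kind == "method":
        return req["method"] in data
    return True  # "always"


def http_access(req, rules=HTTP_ACCESS, acls=ACLS):
    """First-match evaluation: returns (verdict, index of the deciding line)."""
    for idx, (verdict, terms) in enumerate(rules):
        if all(acl_matches(t.lstrip("!"), req, acls) != t.startswith("!") for t in terms):
            return verdict, idx
    return "deny", None  # simplified: Squid defaults to the opposite of the last line


def request(src, dst, port=80, method="GET"):
    return {"src": src, "dst": dst, "port": port, "method": method}


# Hypothetical tightening (assumption, not an IPFire setting): deny BLUE every
# 192.168.0.0/16 destination except IPFire itself, placed before the broad allow.
TIGHTENED_ACLS = {**ACLS, "IPFire_green_side": ("dst", nets(["192.168.0.0/16"]))}
TIGHTENED_RULES = (HTTP_ACCESS[:10]
                   + [("deny", ["IPFire_blue_network", "!IPFire_ips", "IPFire_green_side"])]
                   + HTTP_ACCESS[10:])

if __name__ == "__main__":
    blue = "192.168.254.10"
    for dst in ("192.168.110.5", "192.168.10.5", "192.168.12.5", "192.168.12.7", "93.184.216.34"):
        print(dst, "posted config:", http_access(request(blue, dst)),
              "tightened:", http_access(request(blue, dst), TIGHTENED_RULES, TIGHTENED_ACLS))
```

With the posted rules, 192.168.254.10 reaching 192.168.110.5 is decided by line 10 (allowed), while the same client reaching 192.168.10.5 is stopped by line 7 because that subnet is in the allowed list, which is exactly the behaviour the question describes. The model also confirms that the extra deny line leaves access to IPFire itself (192.168.12.7) and to internet addresses untouched.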