How To Fix Proxy Interfering With Various Services

I am pretty new to setting up a firewall. I have been using Untangle for the last two years for my home network, and am attempting to make the switch to IPFire. I have four children, and one of the main purposes of setting up a firewall is to control their Internet usage. My two main concerns are limiting the times of day they’re on and URL filtering. We have had problems with both in the past.

I have the time limits thing figured out, and I have the URL filtering somewhat functional but I keep running into trouble with various programs not working. Browsing the Internet is fine, but my kids can’t connect to their email while using the proxy. My shared folder isn’t accessible to them anymore. They can’t play Bloons6TD co-op anymore (which is the biggest complaint on their end).

I was able to get Spotify working by opening port 4070 in the firewall. Similarly, opening 5222 and 5269 allows access to XMPP. However, when the email and file sharing weren’t going through, opening ports 993, 465, and 2049 didn’t do anything to help.

The game is another can of worms. When I go onto their tech support page it says to allow access to a couple of URLs. I don’t know how to do that within the firewall. Do I do this through the URL Filter page? That didn’t seem to work. I also tried looking up the IP addresses that those URLs resolved to and adding those to the firewall rules with no noticeable improvement.

I understand that these questions are probably covered somewhere, but I looked through the Wiki and did a search here and didn’t find them. Please be patient. I’m not a network guru, just a dad with kids that is trying his best to protect them.

I should add that we’re all using Fedora, and I’m setting their proxy settings to use the IPFire proxy for http and https. When I disable the proxy on their machines all of these things start working again.

I will not give you a direct answer as this is too much related to the details of your personal situation, but I will walk through my mental framework when I faced similar issues in my network.

You have two ports, among others, relevant to a caching service: 80 for HTTP and 443 for HTTPS. Let’s assume you have correctly configured a squid server in IPFire and everything works correctly. What’s next?

The next step is to make sure at the firewall level that all the traffic on those two ports (or possibly more) goes through the proxy server. Since a transparent proxy can’t be done on port 443 on IPFire, the only reasonable and general way to do this is to block all the traffic directed to the red interface over those ports. This way the machines connected to your LAN can’t access any web service unless properly configured to use the proxy (e.g., your children will not be able to fool their dad by learning where the proxy server is set in the browser configuration).

The next step is to configure those clients. First and foremost, those are any web browsers in your LAN, but they can be anything else that uses ports 80 and 443. You do that for all software of this kind running on any machine in your LAN.

Next, what about a web browser that needs to connect to a web server running on a non-standard web port, or a web app that connects to an FTP server or an SMTP server? You need to tell squid to connect to those ports on behalf of its clients by using ACLs, Access Control Lists.

Now, everything should work, but I know by experience that even with a correct ACL setting, some web app or some client operating on an SSL connection simply cannot handle a proxy server, even when squid does all the correct caching on the required port. In that case you need to do two things:

  • first, create a whitelist rule in your firewall allowing the traffic to port 443, but restricted only to the outbound traffic directed to a specific IP address or a group of IP addresses (no URLs here, as they are not allowed, hence you are SOL if this can’t be determined (*)). This rule has to come before the general blacklist on all outbound traffic on port 443;

  • second, remove from the client settings the entry that instructs the use of the proxy. If this software is a web browser, then your client has to use one web browser for this corner case and a different web browser for everything else. I never found a better solution to this problem.

I also would like to point out the difference between allowing traffic on a given port on the firewall, where the client connects directly to a server on that port on the red interface, and a client that uses a caching service. In the latter, it is the proxy that has to connect to a server on that port on behalf of its client and cache the bits of that traffic for the client to retrieve. Hence, ACLs.

(*) If the IP address is not documented, you can temporarily open the firewall to this traffic and look at the logs to find the IP address; you are SOL only if this IP changes every time.


Thank you so much. I had honestly ignored the ACLs because I had no idea what they were. After reading the article you linked I think I have a basic understanding, and definitely have a direction to search in. I never used anything like that on Untangle, so didn’t even know where to start looking. I’ll try down this path and come ask more questions when I inevitably screw it up. :joy:

I managed to get most things working. Just trying to figure out IP addresses for a couple last stragglers. The ACLs turned out to be the key, and cfusco’s explanation on how to limit access to specific IPs answered my next question. Thank you so much for your help.


Thank you for sharing your experience. I appreciate it. I wanted to add something I forgot to mention in my (already) long post.

It is important to keep in mind the difference between firewall rules and ACL rules. For example, say you want to prevent access to the IPFire Web User Interface for anyone in your home network but your personal laptop. You can create a rule in the firewall so that only your own IP address (say 192.168.1.100) can connect to https://ipfire.localdomain:444. You do that and you think it is done, right? Well, no. Anyone can still connect because the proxy will do it for them. You need to secure your network using ACLs as well.

My point is, always keep in mind the difference between the two systems. As usual, the devil is always in the details, and therefore it is important to understand the details well.

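The port ACL step from the walkthrough above and the web UI example in the last post, written out as an added squid ACL fragment (not from the thread and not IPFire's shipped configuration); the 192.168.1.0/24 LAN and the gateway address 192.168.1.1 are assumptions, the admin laptop address and the mail and Spotify ports are the ones named in the thread.

```squid
# Added example, not from the thread. Assumed: LAN 192.168.1.0/24,
# IPFire green address 192.168.1.1, admin laptop 192.168.1.100 (from the post).
acl localnet     src 192.168.1.0/24
acl admin_laptop src 192.168.1.100

# Ports squid may connect to on behalf of clients. 80 and 443 are the
# defaults; 993 (IMAPS), 465 (SMTPS) and 4070 (Spotify) are the ports named
# in the thread. Opening them on the firewall alone does nothing for clients
# that go through the proxy: squid refuses any port not listed here.
acl Safe_ports port 80 443 993 465 4070

# Ports squid will open a CONNECT tunnel to. The TLS mail ports must be
# listed here as well, otherwise the mail client's CONNECT is denied.
acl SSL_ports port 443 993 465
acl CONNECT   method CONNECT

# The IPFire web UI on port 444. A firewall rule restricting it to the
# admin laptop does not stop other LAN hosts reaching it through the proxy,
# so the same restriction is repeated here, before the general allow.
acl ipfire_webui dst  192.168.1.1
acl webui_port   port 444
http_access deny ipfire_webui webui_port !admin_laptop

# Standard squid ordering: refuse unknown ports, refuse CONNECT to
# anything but the listed TLS ports, then allow the LAN and deny the rest.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

IPFire generates squid.conf itself, so these port lists and custom ACL lines belong in the web proxy page's settings rather than in a hand-edited file.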