PAC file and DHCP server

Hello, I hope I am posting the problem in the right section.
I configured my IPFire installation to filter the sites I don't like; to do this I followed the guide and created the two items in the DHCP management,
but once activated, after a few seconds the DHCP server stops, and it restarts only if I disable the entry
http://localhost:81/wpad.dat
What did I do wrong?
Thank you.

I use wpad as well and for me it works.
The difference between your configuration and mine is the check box in the option scope for the covered network. I have it enabled (you don't).


If I enable the entry, the DHCP server stops.

I tried several times: as soon as I enable the entry the server stops, and as soon as I disable it, after a few seconds it re-enables.

Do you get any errors in /var/log/messages?

Feb 18 10:16:38 FwI5 dhcpd: Wrote 0 deleted host decls to leases file.
Feb 18 10:16:38 FwI5 dhcpd: Wrote 0 new dynamic host decls to leases file.
Feb 18 10:16:38 FwI5 dhcpd: Wrote 6 leases to leases file.
Feb 18 10:16:38 FwI5 dhcpd: Server starting service.

Feb 18 10:16:40 FwI5 dhcpd: reuse_lease: lease age 765 (secs) under 25% threshold, reply with unaltered, existing lease for 192.168.xx.xx
Feb 18 10:16:40 FwI5 dhcpd: DHCPREQUEST for 192.168.xx.xx to xx:xx:xx:xx:xx:xx (xxxxxx) via blue0
Feb 18 10:16:40 FwI5 dhcpd: DHCPACK on 192.168.xx.xx to xx:xx:xx:xx:xx:xx (xxxxxx) via blue0

Feb 18 10:17:27 FwI5 dhcpd: /etc/dhcp/dhcpd.conf line 15: semicolon expected.
Feb 18 10:17:27 FwI5 dhcpd: ^Ioption wpad http:
Feb 18 10:17:27 FwI5 dhcpd: ^
Feb 18 10:17:27 FwI5 dhcpd: /etc/dhcp/dhcpd.conf line 27: semicolon expected.
Feb 18 10:17:27 FwI5 dhcpd: ^Ioption wpad http:
Feb 18 10:17:27 FwI5 dhcpd: ^
Feb 18 10:17:27 FwI5 dhcpd: Configuration file errors encountered -- exiting
Feb 18 10:17:27 FwI5 dhcpd:
Feb 18 10:17:27 FwI5 dhcpd: If you think you have received this message due to a bug rather
Feb 18 10:17:27 FwI5 dhcpd: than a configuration issue please read the section on submitting
Feb 18 10:17:27 FwI5 dhcpd: bugs on either our web page at www.isc.org or in the README file
Feb 18 10:17:27 FwI5 dhcpd: before submitting a bug. These pages explain the proper
Feb 18 10:17:27 FwI5 dhcpd: process and the information we find helpful for debugging.
Feb 18 10:17:27 FwI5 dhcpd:
Feb 18 10:17:27 FwI5 dhcpd: exiting.

Feb 18 10:19:27 FwI5 dhcpd: Wrote 0 deleted host decls to leases file.
Feb 18 10:19:27 FwI5 dhcpd: Wrote 0 new dynamic host decls to leases file.
Feb 18 10:19:27 FwI5 dhcpd: Wrote 6 leases to leases file.
Feb 18 10:19:27 FwI5 dhcpd: Server starting service.

DHCP.conf
deny bootp; #default
authoritative;
ddns-update-style none;
option wpad code 252=text;

subnet 192.168.xx.xx netmask 255.255.255.0 #GREEN
{
range 192.168.xx.xx 192.168.xx.xx;
option subnet-mask 255.255.255.0;
option domain-name "xxx";
option routers 192.168.xx.xx;
option domain-name-servers 192.168.xx.xx;
default-lease-time 3600;
max-lease-time 7200;
} #GREEN

subnet 192.168.xx.xx netmask 255.255.255.0 #BLUE
{
range 192.168.xx.xx 192.168.xx.xx;
option subnet-mask 255.255.255.0;
option domain-name "xxx";
option routers 192.168.xx.xx;
option domain-name-servers 192.168.xx.xx;
default-lease-time 3600;
max-lease-time 7200;
} #BLUE

host fix0 # xxxxx
{
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.xx.xx;
}

host fix1 # xxxx
{
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.xx.xx;
}

host fix2 # xxxxxx
{
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.xx.xx;
}
include "/var/ipfire/dhcp/dhcpd.conf.local";

I suppose the contents of the dhcpd.conf file shown are without the activated wpad option. There are no missing semicolons and no uses of the wpad option.
The option is of type text. Therefore you must use quotation marks (") for the value.
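
The two statement shapes involved are the site-local option declaration (`option wpad code 252 = text;`) and the assignment that hands the URL to clients; because the option is declared `text`, the assigned value must be an ASCII double-quoted string, which is why dhcpd stopped at `http:` with "semicolon expected". The checker below is an added example written for this thread (it is not dhcpd or IPFire code) that reproduces that check on a constructed config, and also flags two related copy-paste mistakes: curly quotes from a web page, and a URL pointing at localhost (the value is delivered to clients, so "localhost" would make each client fetch the PAC from itself). The addresses, the domain "lan" and the PAC URL are placeholders, not the poster's.

```javascript
// Added example: lint for "option" statements in an ISC dhcpd.conf.
// Not part of dhcpd or IPFire; it only understands the two statement shapes
// used in the dhcpd.conf posted in this thread:
//   option <name> code <n> = <type>;   declares a site-local option (wpad, 252, text)
//   option <name> <value>;             sets it; a "text" value must be a "..." string

const DECL_RE = /^option\s+([\w-]+)\s+code\s+(\d+)\s*=\s*([\w-]+)\s*;$/;
const SET_RE = /^option\s+([\w-]+)\s+(.+?)\s*;$/;

// Drop "# ..." comments and surrounding whitespace. A '#' inside a quoted value
// would be eaten too; acceptable for the statements this lint is aimed at.
function stripComment(line) {
  return line.replace(/#.*$/, "").trim();
}

// Returns a list of human-readable problems, one per offending statement.
function lintDhcpdOptions(configText) {
  const declaredType = {}; // option name -> type from "code N = type" declarations
  const problems = [];
  configText.split("\n").forEach(function (raw, idx) {
    const line = stripComment(raw);
    const where = "line " + (idx + 1);
    if (!/^option\s/.test(line)) return;

    const decl = line.match(DECL_RE);
    if (decl) { declaredType[decl[1]] = decl[3]; return; }

    if (!line.endsWith(";")) {
      problems.push(where + ": option statement is missing its terminating ';'");
      return;
    }
    const set = line.match(SET_RE);
    if (!set) return;
    const name = set[1], value = set[2];

    // Curly quotes (U+201C/U+201D) are what a web page's "smart quotes" paste as;
    // dhcpd only accepts the ASCII double quote.
    if (/[\u201c\u201d]/.test(value)) {
      problems.push(where + ": option " + name +
        ": curly quotes are not the ASCII '\"' dhcpd expects (typical after copy-pasting from a web page)");
      return;
    }
    // This is the error from the thread: a text-typed option given a bare value.
    if (declaredType[name] === "text" && !/^"[^"]*"$/.test(value)) {
      problems.push(where + ": option " + name + " is declared 'text', so its value must be in double quotes: option " +
        name + " \"" + value + "\";");
    }
    // The value is sent to DHCP clients, so a loopback URL points each client at itself.
    if (/^"?https?:\/\/(localhost|127\.)/i.test(value)) {
      problems.push(where + ": option " + name +
        ": the URL is handed to clients, so 'localhost' points each client at itself; use the firewall's own address");
    }
  });
  return problems;
}

// The correct pair of statements for a given PAC URL.
function wpadOptionLines(pacUrl) {
  return ["option wpad code 252 = text;", 'option wpad "' + pacUrl + '";'];
}

// Constructed sample configs (placeholder addresses, not the poster's network).
const BROKEN_CONF = [
  "deny bootp; #default",
  "authoritative;",
  "ddns-update-style none;",
  "option wpad code 252=text;",
  "",
  "subnet 192.168.1.0 netmask 255.255.255.0 #GREEN",
  "{",
  "\trange 192.168.1.100 192.168.1.200;",
  "\toption domain-name \u201clan\u201d;",              // curly quotes pasted from a web page
  "\toption routers 192.168.1.1;",
  "\toption wpad http://localhost:81/wpad.dat;",         // unquoted text value, loopback URL
  "}",
].join("\n");

const FIXED_CONF = BROKEN_CONF
  .replace("\u201clan\u201d", '"lan"')
  .replace("option wpad http://localhost:81/wpad.dat;", wpadOptionLines("http://192.168.1.1:81/wpad.dat")[1]);

console.log(lintDhcpdOptions(BROKEN_CONF).join("\n"));
console.log(lintDhcpdOptions(FIXED_CONF).length === 0 ? "fixed config: no problems" : "fixed config still has problems");
```

The authoritative syntax check remains `dhcpd -t -cf /etc/dhcp/dhcpd.conf` on the firewall before restarting the service; the lint above only names the cause of the "semicolon expected" message more directly than dhcpd does.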

Thanks, now it works; the quotes were missing. I take this opportunity to ask you another question: if I understand correctly, if I want each connected device to be subject to the rules of the URL filter, I have to set up both the DHCP rule and the DNS rule?
I ask this because if I use Chrome I am filtered, but if I use Firefox I have no block.

Do you use a transparent or a non-transparent proxy?
Furthermore, you should deny direct HTTP(S) access in the firewall.

I use the non-transparent proxy,
but on a PC with both Chrome and Firefox installed, if I browse a blocked site with Chrome it is blocked, whereas Firefox lets me browse.

Solved. First I must say that for Firefox the URL filter system is bypassable.
Even on Android it is bypassable and not safe.
However, to block Firefox too you need to enter the proxy configuration and select
"Automatically detect proxy settings for this network";
otherwise the URL filter does not work.

There is a list somewhere, I forget where, but some browsers use DNS to fetch the proxy.pac and others DHCP, so it is wise to set up both.

Firefox on my MacBook is auto-configuring the proxy and I haven't told it to do so; the only setting I've set is in the system-wide network settings on macOS to tell it to auto-configure the proxy.

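
Whether a client learns the PAC URL from DHCP option 252 or from the DNS name wpad.<domain>, what it fetches is a small JavaScript file whose `FindProxyForURL` decides, per request, between the proxy and a direct connection. The file below is an added example written for this thread, not the wpad.dat that IPFire generates. Its assumptions: the firewall runs the non-transparent proxy at 192.168.1.1:800, the local network is 192.168.1.0/24, and the internal domain is "lan". The point it makes for the URL-filter discussion is that the script returns only `PROXY` for non-local destinations, with no `; DIRECT` fallback: a fallback would let every client browse unfiltered whenever the proxy is down. A PAC can only steer clients that honour it; applications that ignore proxy settings are stopped only by the firewall rules discussed in the replies.

```javascript
// Added example: a wpad.dat / proxy.pac that forces non-local web traffic through
// the firewall's proxy. Not IPFire's generated file. Assumed: proxy 192.168.1.1:800,
// LAN 192.168.1.0/24, internal domain "lan".

// Browsers supply isPlainHostName/dnsDomainIs/isInNet to a PAC script. The shims
// below exist only so the file can be evaluated outside a browser; this isInNet
// only understands literal IPv4 hosts (a browser would resolve names first).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function ipv4ToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) { return acc * 256 + Number(octet); }, 0);
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipv4ToInt(mask);
  return ((ipv4ToInt(host) & m) >>> 0) === ((ipv4ToInt(net) & m) >>> 0);
}

var FILTER_PROXY = "PROXY 192.168.1.1:800";

function FindProxyForURL(url, host) {
  // Destinations the filter is not meant to see: bare host names, the internal
  // domain, and anything on the local subnet (which includes the firewall itself).
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".lan") ||
      isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else: proxy only. Deliberately no "; DIRECT" fallback, because the
  // fallback would be taken exactly when the proxy (and the URL filter) is unreachable.
  return FILTER_PROXY;
}

console.log(FindProxyForURL("http://www.example.com/", "www.example.com")); // proxy
console.log(FindProxyForURL("http://intranet/", "intranet"));               // DIRECT
console.log(FindProxyForURL("https://10.0.0.5/", "10.0.0.5"));               // proxy
```

To serve this the way the thread's configuration does, the file is placed where the firewall's web server answers http://<firewall>:81/wpad.dat, and the same URL is what the DHCP option 252 value must contain.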

Yeah, so unless you hard-block any FORWARDFW to TCP/80 and TCP/443 in your firewall (also, I think you have to explicitly tell OUTGOINGFW to allow out on TCP/80 and TCP/443 if you do this; I had to), it is trivial to bypass the proxy, and any device that isn't instructed to auto-configure the proxy may not do so. Blocking 443 is not always an option, however, as some programs won't use an HTTP proxy and so they will just straight up be blocked. Discord on iOS I have found to be an example of one such application. Atera RMM is another application that doesn't work with HTTP proxies and so will be blocked if you try to hard-force the use of a proxy. Unfortunately this is tricky to solve.

I think the only way to solve it would be going down the path of making your own IPFire dev image, compiling Squid with --ssl-enabled and also packaging in SSLBump to create an HTTPS transparent proxy, but even this isn't a great solution because things like Apple Push Notification Service will fail to send push messages when you MitM HTTPS (they are cert-pinning and detect your MitM cert). You'll probably find banking apps and such will have the same failure, as they should be cert-pinning if they know what's good for them. Food for thought in any case, but I am in the boat of wanting to hard-force the proxy but cannot do so because it will kill off vital services.