According to the Firewall Default Policy guide, by default the firewall does not allow the Blue zone to reach the Green zone. However, the Network based access control guide states that “If the proxy is activated and used for both zones (blue and green), the blue zone is allowed to reach the green network via http or https, regardless of the settings of the firewall”.
See for instance here and here. The key is to block the clients from accessing the web directly with the firewall, so that they can only access allowed content through the proxy.
Apart from the IP Address Blocklists firewall plugin, which addresses only some known threat blacklists, from what I know this is the only content filtering method able to block access to websites even if the clients directly enter IP addresses in the browser, which would otherwise easily allow bypassing DNS based filtering methods.
In order to filter both HTTP and HTTPS traffic, you should set the proxy to Conventional mode (non-transparent mode), and then enter the proxy address in the network settings on each client machine.
For example: all output from green is routed to the proxy, so there is no client configuration needed and everything is forced through it, encrypted or not.
According to the reference I gave you, transparent mode works only for HTTP traffic, not for HTTPS traffic. If you find a way to also make it work for encrypted traffic, please report it here.
I wonder how I can test this and what it looks for.
Because the request URI is never encrypted, nor its GET array or even its source/destination MAC address. So if they are not using the system’s DNS it shouldn’t matter. Only the message body part of the packet is encrypted.
To get around the liability trap of bumping squid or setting up MITM, you intercept on the SNI header instead.
But it’s been a long time since I messed with Squid, and I’m still surprised it’s still around.
I wasn’t aware that this was the case, but the options in webproxy –>
“Disable internal proxy access to Green from other subnets”
“Disable internal proxy access from Blue to other subnets”
effectively prevent this, don’t they?
There are some other variables too that are associated with iptables.
Problem is, it was designed for a different network type: a single network. So the only real valid use for squid would be on a red-green type or just using green or just blue with it.
Instead of it being on green or blue or both, Squid should be patched on this system between them and red. However, you can’t use red’s network directly, as that is the ISP’s. However, there should be a way to double-NAT so it has an intermediate network for Squid to be on.
It should be replaced with something better, but in all aspects even the most sophisticated proxies can be bypassed because people work on finding ways to bypass them all, and share how to do it.
I would say that anyone who uses the proxy will know how to use it to restrict access and/or to log on to the internet, and not for storing internet traffic. If you look at the options, you will also see that a DNS server can be reached in green from blue.
But a footnote can never hurt.