"Selective network" filter breaks access to LAN web devices

I’ve just started using the web proxy and encountered the same issue as this: Anomaly detections, selectively announced networks, no access to Fritzbox
Namely, enabling the selectively-announced networks filter breaks access to devices on the LAN. In my case this includes the IPFire web interface / proxy interface, plus my print server, wireless access point etc.
I can understand why it’s a good idea to block non globally-routable IP ranges if they are detected on the outside interface, but should the local LAN IP range as applied to the green (or blue) network not be an exception? The IPFire already has that in its routing table, so if I try to connect to my print server on e.g. 192.168.1.7 it already knows this is not a device on the internet.

Hi,

just to ensure I understood your setup correctly: All web requests in your network will go through the web proxy, even if the destination is in the same network?

Hm, it depends.

On the one hand, in your setup such an exception would be helpful to prevent disruptions caused by this functionality. On the other hand, with regards to DNS rebinding attacks, it might be a bad idea to exclude private networks locally in use.

(Trying to prevent DNS rebinding attacks via the DNS resolver in IPFire would be possible, too, but generates much more collateral damage if IPFire legitimately makes DNS queries to local destinations, such in a corporate network. Therefore, we cannot enable this globally, and I doubt making this configurable would be helpful. :expressionless: )

As a workaround, you could either …

  • configure your network to send HTTP(S) requests to local destinations directly, not via the web proxy (bad idea in terms of security)
  • configure a local Squid ACL to bypass the anomaly detection for destinations located in IP ranges you locally use. /var/ipfire/proxy/advanced/acls/include.acl is the right place to include such ACLs, they won’t get overwritten by the WebIF, and will be included in /etc/squid/squid.conf if the web proxy is reloaded or restarted.

Thanks, and best regards,
Peter Müller

2 Likes

Thank you for the information.