OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: spetrillo on December 15, 2020, 12:16:54 am

Title: Firewall Rules for Proxy
Post by: spetrillo on December 15, 2020, 12:16:54 am
Hello all,

I have setup my proxy firewall rules but wanted to make sure the order of my rules is correct. Do I need to move the default allow to the bottom?

Thanks,
Steve
Title: Re: Firewall Rules for Proxy
Post by: Gauss23 on December 15, 2020, 11:13:30 am
Yes, otherwise your proxy rule won't be used.
Title: Re: Firewall Rules for Proxy
Post by: spetrillo on December 15, 2020, 06:43:55 pm
Thanks...

Ok I have now added rules for transparent proxy capabilities. Here is a screenshot of the new rules layout. Am I ok in the order they are in now?
Title: Re: Firewall Rules for Proxy
Post by: errored out on January 14, 2021, 11:39:11 pm
That does not look like configurations for a transparent proxy.

https://docs.opnsense.org/manual/proxy.html
"The transparent mode means all requests will be diverted to the proxy without any configuration on your client."

Look into the ports you would need to change. Your configuration is using the default proxy ports which would not be correct for transparent.

Is there a particular reason for the first rule? I'm guessing you would have issues with your network.
Title: Re: Firewall Rules for Proxy
Post by: Amr on January 18, 2021, 07:49:33 am
Quote
Is there a particular reason for the first rule?
FW rule order is very important for the proxy to function correctly (https://docs.opnsense.org/manual/firewall.html#processing-order). This is not clearly conveyed in the link you attached, which normally causes confusion. To put it simply, when there is more than one rule that deals with the same thing, the first gets matched and the others are discarded (that's the default action). For example, let's say we have 2 rules: 1- block connection to "proxy" and 2- allow connection to "proxy". If 1 comes before 2 (aka on top of it) then the connection to the proxy will be blocked.
How is this relevant to proxy config then? Usually, when you use a proxy you don't want clients to skip it, so you need to make sure that they can only use the proxy. This is done by allowing connection to the proxy ports (3128-9 default) and denying HTTP(S). Of course it doesn't have to be the first rules; you can add rules that deal with other stuff (like DNS, VPN, etc.) before it.
Also, for a transparent proxy to work you also need to config other stuff like port forward, but that's another topic.
Title: Re: Firewall Rules for Proxy
Post by: Amr on January 18, 2021, 07:56:40 am
Quote
Ok I have now added rules for transparent proxy capabilities. Here is a screenshot of the new rules layout. Am I ok in the order they are in now?
I'd remove the "Default Allow all" so that users can only connect to the internet through the proxy. Also, you don't need to put the 3128-9 ports in separate rules; a single one is enough.
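The first-match behaviour described in the two replies above can be checked without touching a live firewall. The following is an added example (not part of this thread and not OPNsense's own code): a hypothetical, simplified model of a rule list in which every rule is "quick", as OPNsense rules are by default, so the first matching rule decides. It builds the rule sets discussed here (a single rule for the combined proxy port range 3128-3129, explicit blocks for direct HTTP/HTTPS, and a "default allow all" placed either on top or at the bottom) and reports which rule each connection hits, plus a small check for whether direct web ports can still bypass the proxy. Rule names, the `Rule` structure and the test connections are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Hypothetical, simplified model of a "quick" firewall rule (not pf syntax).
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "pass" or "block"
    proto: str                                    # "tcp", "udp" or "any"
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any port


def matches(rule: Rule, proto: str, dst_port: int) -> bool:
    """Return True if the rule's criteria cover this connection."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst_ports is not None:
        low, high = rule.dst_ports
        if not low <= dst_port <= high:
            return False
    return True


def evaluate(rules: List[Rule], proto: str, dst_port: int,
             default: str = "block") -> Tuple[str, str]:
    """First-match evaluation: the first rule whose criteria match decides.

    Returns (action, name of the deciding rule). Unmatched traffic falls to the
    implicit default, which for OPNsense is block.
    """
    for rule in rules:
        if matches(rule, proto, dst_port):
            return rule.action, rule.name
    return default, "implicit default"


def proxy_bypass_possible(rules: List[Rule]) -> List[int]:
    """Check: which direct web ports (80/443) would still be passed around the proxy?"""
    return [p for p in (80, 443) if evaluate(rules, "tcp", p)[0] == "pass"]


# Rule set the thread converges on: one rule for the proxy port range
# (3128-3129 combined, as suggested), then blocks for direct HTTP/HTTPS.
PROXY_ONLY = [
    Rule("allow to proxy", "pass", "tcp", (3128, 3129)),
    Rule("deny direct HTTP", "block", "tcp", (80, 80)),
    Rule("deny direct HTTPS", "block", "tcp", (443, 443)),
]
DEFAULT_ALLOW = Rule("default allow all", "pass", "any", None)

# The two orderings asked about in the thread.
DEFAULT_ALLOW_ON_TOP = [DEFAULT_ALLOW] + PROXY_ONLY
DEFAULT_ALLOW_AT_BOTTOM = PROXY_ONLY + [DEFAULT_ALLOW]

# The block-before-allow illustration from the reply above.
BLOCK_THEN_ALLOW = [
    Rule("block proxy", "block", "tcp", (3128, 3129)),
    Rule("allow proxy", "pass", "tcp", (3128, 3129)),
]


if __name__ == "__main__":
    for label, rs in (("default allow on top", DEFAULT_ALLOW_ON_TOP),
                      ("default allow at bottom", DEFAULT_ALLOW_AT_BOTTOM),
                      ("proxy only, no default allow", PROXY_ONLY)):
        print(f"{label}:")
        for proto, port in (("tcp", 3128), ("tcp", 443), ("udp", 53)):
            print(f"  {proto}/{port} -> {evaluate(rs, proto, port)}")
        print(f"  direct web ports still reachable: {proxy_bypass_possible(rs)}")
    print("block-then-allow, tcp/3128 ->", evaluate(BLOCK_THEN_ALLOW, "tcp", 3128))
```

With "default allow all" on top, tcp/443 is passed by that rule and the proxy is bypassed; with it at the bottom, the same connection hits "deny direct HTTPS". Dropping the default allow entirely (the `PROXY_ONLY` set) makes udp/53 fall to the implicit block, which is why the reply notes that rules for DNS, VPN and similar traffic need to sit before the proxy rules.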