OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: bimbar on November 10, 2021, 08:38:24 pm
-
Typically my firewall sits at the center of many local networks. Some of them should be accessible to clients, some of them not.
I can restrict that using the firewall.
But if I enable the web proxy, doesn't that circumvent the firewall? How do I prevent clients from accessing otherwise protected internal networks by using the proxy?
-
Via a custom ACL. That is AFAIK not available in the GUI.
-
Hi,
I have exactly the same problem. As you mentioned, custom ACLs are not available in the GUI, which means that to get this to work correctly I also have to tamper with squid.conf again??
Thx!
-
Via a custom ACL. That is AFAIK not available in the GUI.
Much too complicated IMO
I do that via a FW alias list containing all the local subnets and use that in the NAT rule pointing to squid as inverted destination.
So the allowed source can access all the external addresses via squid, but is not NATed when the destination is a local LAN IP.
(I also put Firehol etc. block lists there)
br
Christian
-
It should then still be possible to use the proxy explicitly.
-
Yes
-
I believe the business edition also has a plugin for this.
-
I do that via a FW alias list containing all the local subnets and use that in the NAT rule pointing to squid as inverted destination.
Hi Christian,
do you just change the redirect traffic rules under NAT: Port Forward for this?
Thx!
-
Hi
Yes, the NAT rules that redirect to the proxy
-
Hi,
thanks, will try this
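For reference, the custom-ACL approach mentioned earlier in the thread looks like this in Squid's own configuration syntax. This is an added example, not a snippet from any poster or from OPNsense; the subnet ranges and the ACL names are placeholders, and where the lines go depends on how your squid.conf is generated (OPNsense rewrites the file, so they belong in whatever include mechanism your version provides, not in the generated file itself).

```squid
# Added example: deny proxied access to protected internal networks.
# Subnets below are placeholders; list the LAN/DMZ ranges the firewall
# already blocks, otherwise the proxy hands clients a way around them.
acl protected_nets dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# Clients that are allowed to use the proxy at all (placeholder range).
acl proxy_clients src 192.168.50.0/24

# http_access is first-match: the deny must precede every allow that
# could otherwise match the same clients, or it never takes effect.
http_access deny protected_nets
http_access allow proxy_clients
http_access deny all
```

A `dst` ACL resolves the requested hostname to an address before matching, so a request for a DNS name that points at an internal IP is also denied, and the same `http_access deny` line covers CONNECT tunnels to those addresses; the NAT-alias method described by Christian instead keeps such traffic away from the proxy entirely, so the two approaches complement rather than replace each other.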