OPNsense Forum - Messages - Cuffs
21.1 Legacy Series / Re: Transparent Proxy bypasses WAN reject rule
« on: March 06, 2021, 07:32:45 am »
Just to close this in case someone finds it via google.

False positive.
Our company's IT department implemented DAC via tunnel on our notebooks without me knowing.

That was why WAN block rules didn't seem to work on OPNSense - my laptop was using the company proxy.

Web Proxy Filtering and Caching / Re: Source-based remote ACLs
« on: February 26, 2021, 09:05:22 pm »
I didn't find one, no.

The only way via GUI seems to be User authentication, but then everyone has to enter credentials all the time.

But it isn't THAT hard. I figured it out and I'm not a squid/firewall expert.

Try the code above with one source ip.
I think you have what you need.
Use tail -f /var/log/squid/access.log to look at what's happening.

21.1 Legacy Series / Re: Transparent Proxy bypasses WAN reject rule
« on: February 26, 2021, 09:00:43 pm »
I meant on the WAN side.

I would have imagined:
Client - NAT/Redirect - Proxy - WAN Rules - Internet

It seems to be:
Client - NAT/Redirect - Proxy - Internet

Web Proxy Filtering and Caching / Re: Source-based remote ACLs
« on: February 25, 2021, 09:46:52 pm »
Hi

I use custom configfiles in /usr/local/etc/squid/pre-auth to control which machine is allowed what.
eg. my TV is allowed Netflix, but not some survey sites etc.

# ACL to define the source IP
acl nas src 10.0.0.1

# Allowed addresses (this could also point to a file, I think)
acl nas_allow ssl::server_name raw.githubusercontent.com .snapcraft.io .ubuntu.com
acl nas_allow_80 dstdomain raw.githubusercontent.com .snapcraft.io .ubuntu.com

# this denies an IP address in the URL after the first ssl bump - that (for me) was tricky to figure out
acl nas_deny ssl::server_name_regex [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}

# allow access to lists, deny everything else
http_access allow nas nas_allow
http_access allow nas nas_allow_80
http_access deny nas !nas_deny

br
Christian
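
As an added example (not code from this post, OPNsense or Squid), here is the check I would pair with the ACLs above and with the "tail -f /var/log/squid/access.log" suggestion in the reply further up: a small Python script that parses access.log lines per client, counts allowed versus TCP_DENIED requests, lists the denied hosts, and flags IP-literal destinations, the case the ssl::server_name_regex ACL is there to handle. It assumes Squid's default native log format (timestamp elapsed client code/status bytes method URL user hierarchy/peer type); the sample lines are constructed and use documentation addresses.

```python
"""Summarise Squid access.log decisions per client IP.

Added example, not code from the forum post, OPNsense or Squid. It assumes
Squid's default native access.log format (one request per line):

  timestamp elapsed client code/status bytes method URL user hierarchy/peer type

and embeds constructed sample lines so it runs offline.
"""
import re
import sys
from collections import defaultdict
from urllib.parse import urlsplit

# Same shape of regex the post uses to spot IP-literal server names.
IP_LITERAL = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")

# Constructed sample lines (not real traffic) in the native log format.
SAMPLE_LOG = """\
1614286000.123    245 10.0.0.1 TCP_TUNNEL/200 51234 CONNECT raw.githubusercontent.com:443 - HIER_DIRECT/192.0.2.10 -
1614286001.456      0 10.0.0.1 TCP_DENIED/403 3456 CONNECT surveys.example.net:443 - HIER_NONE/- text/html
1614286002.789    120 10.0.0.1 TCP_MISS/200 8910 GET http://archive.ubuntu.com/ubuntu/dists/focal/InRelease - HIER_DIRECT/192.0.2.20 text/plain
1614286003.012      0 10.0.0.1 TCP_DENIED/403 3456 CONNECT 203.0.113.5:443 - HIER_NONE/- text/html
1614286004.345    300 10.0.0.20 TCP_TUNNEL/200 77777 CONNECT www.netflix.com:443 - HIER_DIRECT/198.51.100.7 -
"""


def _dest_host(url):
    """CONNECT requests log 'host:port'; other methods log a full URL."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]


def parse_access_log(text):
    """Parse native-format lines into dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        ts, _elapsed, client, code_status, _nbytes, method, url, _user, _hier, _mime = fields[:10]
        code, _, status = code_status.partition("/")
        entries.append({
            "time": float(ts),
            "client": client,
            "code": code,            # e.g. TCP_DENIED, TCP_TUNNEL, TCP_MISS
            "status": int(status),   # HTTP status returned to the client
            "method": method,
            "host": _dest_host(url),
            "url": url,
        })
    return entries


def summarize(entries):
    """Per client: allowed/denied counts, denied hosts, and IP-literal hosts."""
    report = defaultdict(lambda: {"allowed": 0, "denied": 0,
                                  "denied_hosts": [], "ip_literal_hosts": []})
    for e in entries:
        r = report[e["client"]]
        if e["code"].startswith("TCP_DENIED"):
            r["denied"] += 1
            r["denied_hosts"].append(e["host"])
        else:
            r["allowed"] += 1
        if IP_LITERAL.match(e["host"]):
            r["ip_literal_hosts"].append(e["host"])
    return dict(report)


def main(argv):
    # Pass a log file path to analyse real traffic; otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    for client, r in sorted(summarize(parse_access_log(text)).items()):
        print(f"{client}: allowed={r['allowed']} denied={r['denied']}")
        for h in r["denied_hosts"]:
            print(f"  denied                 {h}")
        for h in r["ip_literal_hosts"]:
            print(f"  ip-literal destination {h}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to access.log to see whether a given source really only reaches the hosts its ACLs allow; an IP-literal destination in the report is the kind of request the regex ACL is meant to catch at the first bump step, so those lines are worth checking against the http_access order.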

21.1 Legacy Series / Transparent Proxy bypasses WAN reject rule
« on: February 25, 2021, 09:26:52 pm »
Hi

I thought after using OPNSense for a year and being very happy with it I'll register here.
Maybe my post is of help/contribution, or maybe I'm just misunderstanding something.

I use Web Proxy in transparent mode - so far so good.
I also added a Rule to reject outgoing IPv4 TCP/UDP any to a Blocklist of DNS via HTTPS servers to port 443.

When doing telnet 9.9.9.9 443 on OPNSense itself the rule kicks in and blocks traffic.
But from a client via the proxy this works. So it seems Squid is bypassing outgoing rules on the WAN interface.

Is this as intended?

Thank you
Christian
