Squid / Bypass Proxy for Private Address Destination

Started by glasi, April 25, 2019, 07:25:41 PM

Hi all

I'm running OPNsense 19.1.6-amd64 with Squid 3.5.28_1 with two different subnets (LAN and OPT1).

I've put in rules on my OPNsense firewall to block traffic between the different subnets.

The problem I'm running into is that Squid as a proxy (non-transparent) is allowing traffic between the subnets skipping the firewall rules. Hence, clients in OPT1 subnet are able to access the LAN subnet and vice versa.

I miss an option similar to the one in pfSense's Squid package that does not forward traffic to Private Address Space (RFC 1918) destinations. If enabled, destinations in Private Address Space (RFC 1918) would be passed directly through the firewall, not through the proxy server.

Is there a way to configure Squid in OPNsense in a similar way? In case I manually have to include custom options in Squid, can anyone provide an example, please?

Nevertheless, how about implementing the option "Do not forward traffic to Private Address Space (RFC 1918) destinations" in OPNsense?

I have done some tests with the following Squid configuration file:

acl rfc1918_list dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
http_access deny rfc1918_list

Just drop it in /usr/local/etc/squid/pre-auth/

As desired, traffic is no longer being forwarded to Private Address Space (RFC 1918) destinations.

fyg
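As an added illustration (not from the thread or the OPNsense project), the following script mimics how Squid evaluates `acl ... dst` and `http_access` lines in order, so the two-line snippet above can be checked against sample requests before deploying it. The config text and the DNS answers are constructed; the `http_access` function is a simplified model, not Squid's code.

```python
import ipaddress

# Constructed Squid snippet: the RFC 1918 deny from the post above placed
# before the allow rules, which is what dropping it into pre-auth/ achieves.
SQUID_CONF = """
acl rfc1918_list dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl localnet src 192.168.1.0/24 10.10.0.0/24
http_access deny rfc1918_list
http_access allow localnet
http_access deny all
"""
# Same rules with the deny behind the allow (what happens if the file ends
# up after the GUI-generated allow lines instead of in pre-auth/).
MISORDERED_CONF = SQUID_CONF.replace(
    "http_access deny rfc1918_list\nhttp_access allow localnet",
    "http_access allow localnet\nhttp_access deny rfc1918_list")
# Constructed DNS answers, standing in for the lookup Squid does for a 'dst' ACL.
FAKE_DNS = {"intranet.example": "192.168.1.20", "www.example.org": "93.184.216.34"}

def parse_config(text):
    """Return ({acl_name: (type, [networks])}, [(action, acl_name), ...])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, *values = parts[1:]
            acls[name] = (kind, [ipaddress.ip_network(v, strict=False) for v in values])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2]))
    return acls, rules

def acl_matches(acls, name, client_ip, dst_host):
    if name == "all":
        return True
    kind, nets = acls[name]
    # 'dst' matches the resolved destination address, 'src' the client address.
    addr = ipaddress.ip_address(FAKE_DNS.get(dst_host, dst_host) if kind == "dst" else client_ip)
    return any(addr in net for net in nets)

def http_access(conf, client_ip, dst_host):
    """First matching http_access line wins, as in Squid; 'deny' if nothing matches."""
    acls, rules = parse_config(conf)
    for action, name in rules:
        if acl_matches(acls, name, client_ip, dst_host):
            return action
    return "deny"
```

Running a request from an OPT1 client (10.10.0.5) to a LAN host through both configs shows why the deny has to precede the allow: with `MISORDERED_CONF` the `allow localnet` line matches first and the RFC 1918 deny is never reached.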

I just read up a bit on the pfSense Squid package's source code.

And it looks like the option "Bypass Proxy for Private Address Destination" only works in transparent proxy mode.

However, what they do in this case is simply put a no rdr rule in place.

$rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}";

Isn't there an option in the web proxy GUI, on the 2nd tab, that is called ACLs? There you can block destinations. Add your RFC1918 networks there. No need for manual files on the CLI.

The rule from pfSense can simply be added manually. Just add it to Firewall:NAT:Port-Forwards.
Check the option to not forward, and as destination use an alias holding the RFC1918 networks. Of course this rule has to be placed before your redirect-to-transparent-proxy rule.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

The Blacklist option in the Access Control List uses URL regular expression pattern matching (url_regex).

At least I have not been able to find a working regular expression for RFC1918 networks, which also causes no unwanted side effects. I have a sympathetic ear for suitable suggestions.  :)

A no redirect rule in Firewall:NAT:Port-Forwards is not applicable in my use case as I am using a non-transparent proxy.

Quote from: glasi on April 27, 2019, 02:41:11 PM
A no redirect rule in Firewall:NAT:Port-Forwards is not applicable in my use case as I am using a non-transparent proxy.
Ok, so I do not get your problem. Your clients have to use an explicit proxy for web access (= no firewall rule that allows direct http/s access for clients), and you configured your proxy to block RFC1918. So LAN and OPT1 should be separated.