  • OPNsense Forum »
  • English Forums »
  • Web Proxy Filtering and Caching (Moderator: fabian) »
  • Squid / Bypass Proxy for Private Address Destination
Author Topic: Squid / Bypass Proxy for Private Address Destination  (Read 9822 times)

glasi

Squid / Bypass Proxy for Private Address Destination
« on: April 25, 2019, 07:25:41 pm »
Hi all

I'm running OPNsense 19.1.6-amd64 with Squid 3.5.28_1 with two different subnets (LAN and OPT1).

I've put in rules on my OPNsense firewall to block traffic between the different subnets.

The problem I'm running into is that Squid as a proxy (non-transparent) is allowing traffic between the subnets skipping the firewall rules. Hence, clients in OPT1 subnet are able to access the LAN subnet and vice versa.

I miss an option like the one in pfSense's Squid that does not forward traffic to Private Address Space (RFC 1918) destinations. If enabled, destinations in Private Address Space (RFC 1918) would be passed directly through the firewall, not through the proxy server.

Is there a way to configure Squid in OPNsense in a similar way? In case I manually have to include custom options in Squid, can anyone provide an example, please?

Nevertheless, how about implementing the option "Do not forward traffic to Private Address Space (RFC 1918) destinations" in OPNsense?
« Last Edit: April 26, 2019, 07:32:50 pm by glasi »

glasi

Re: Squid / Bypass Proxy for Private Address Destination
« Reply #1 on: April 26, 2019, 06:44:41 pm »
I have done some tests with the following Squid configuration file:

Code:
# Destination-address ACL covering the three RFC 1918 ranges
acl rfc1918_list dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# Deny every request whose destination falls into those ranges
http_access deny rfc1918_list

Just drop it in /usr/local/etc/squid/pre-auth/

As desired, traffic is no longer being forwarded to Private Address Space (RFC 1918) destinations.

glasi

Re: Squid / Bypass Proxy for Private Address Destination
« Reply #2 on: April 26, 2019, 07:30:28 pm »
FYI

I just read a bit into pfSense Squid's source code.

And it looks like the option "Bypass Proxy for Private Address Destination" only works in transparent proxy mode.

However, what they do in this case is simply put a no rdr rule in place.

Code:
$rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}";

hbc

Re: Squid / Bypass Proxy for Private Address Destination
« Reply #3 on: April 27, 2019, 09:45:10 am »
Isn't there an option in the web proxy GUI, in the 2nd tab, that is called ACLs? There you can block destinations. Add your RFC1918 networks there. No need for manual files in the CLI.

The rule from pfSense can simply be added manually. Just add it to Firewall:NAT:Port-Forwards, check the option to not forward, and use an alias holding the RFC1918 networks as the destination. Of course this rule has to be placed before your redirect-to-transparent-proxy rule.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

glasi

  • Jr. Member
Re: Squid / Bypass Proxy for Private Address Destination
« Reply #4 on: April 27, 2019, 02:41:11 pm »
The Blacklist option in the Access Control List uses URL regular expression pattern matching (url_regex).

At least I have not been able to find a working regular expression for RFC1918 networks that does not cause unwanted side effects, either. I have a sympathetic ear for suitable suggestions.  :)

A no redirect rule in Firewall:NAT:Port-Forwards is not applicable in my use case as I am using a non-transparent proxy.
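The point raised in Reply #4 (a url_regex blacklist for RFC 1918 space is hard to get right) and the `acl ... dst` approach from Reply #1 can be compared side by side. The following script is an added example written for this thread; it is not OPNsense, Squid or pfSense code. It emulates both ACL types on a handful of constructed requests: the regular expression, the hostnames and the stand-in DNS table are assumptions made up for the demonstration (the 203.0.113.0/24 addresses are documentation space). Squid's real `dst` ACL likewise resolves the request host before matching, which is what makes it catch a private destination reached by name or through CONNECT.

```python
# Added example (not OPNsense, Squid or pfSense code): why a url_regex
# blacklist is a poor fit for RFC 1918 destinations compared with an
# address-based check like the `dst` ACL shown in Reply #1.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed pattern of the kind an admin might put into a url_regex
# blacklist entry for private address space (an assumption, not a real rule).
RFC1918_URL_REGEX = re.compile(
    r"^https?://(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"
)

# The three RFC 1918 ranges, as in the `acl rfc1918_list dst ...` line.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed stand-in for DNS; names and addresses are made up
# (203.0.113.0/24 is documentation space, not a real network).
FAKE_DNS = {
    "intranet.example": "10.1.2.3",
    "10.example.com": "203.0.113.10",
    "www.example.com": "203.0.113.20",
}


def request_host(url):
    """Host part of what Squid matches: a full URL for plain HTTP requests,
    a bare 'host:port' string for CONNECT (HTTPS) requests."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]


def url_regex_blocks(url):
    """Emulate a url_regex blacklist: it only ever sees the literal request URL."""
    return bool(RFC1918_URL_REGEX.search(url))


def dst_acl_blocks(url, resolve=FAKE_DNS.__getitem__):
    """Emulate a `dst` ACL: resolve the host, then compare the address with
    the private networks. `resolve` maps a hostname to an IP address string."""
    host = request_host(url)
    try:
        addr = ipaddress.ip_address(host)           # literal IP in the request
    except ValueError:
        addr = ipaddress.ip_address(resolve(host))  # hostname: look it up
    return any(addr in net for net in RFC1918_NETS)


def evaluate(requests, resolve=FAKE_DNS.__getitem__):
    """Return {request: (blocked_by_url_regex, blocked_by_dst_acl)}."""
    return {u: (url_regex_blocks(u), dst_acl_blocks(u, resolve)) for u in requests}


# Constructed sample requests exercising the interesting cases.
SAMPLE_REQUESTS = [
    "http://10.0.0.5/",          # literal private IP: both ACLs catch it
    "http://intranet.example/",  # private host reached by name: regex misses it
    "intranet.example:443",      # CONNECT form: regex misses it as well
    "http://10.example.com/",    # public host whose name starts with "10.": regex false positive
    "http://www.example.com/",   # ordinary public site: neither blocks
]

if __name__ == "__main__":
    for url, (by_regex, by_dst) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{url:28} url_regex={by_regex!s:5} dst={by_dst}")
```

Running it shows the two failure modes a url_regex rule has here: a private destination named by hostname (or tunnelled through CONNECT) slips past the pattern, while a public host whose name merely begins with "10." is blocked by it. The `dst` ACL decides on the resolved address and gets all five cases right, which is why it is the better fit for a non-transparent proxy.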

hbc

Re: Squid / Bypass Proxy for Private Address Destination
« Reply #5 on: April 27, 2019, 04:23:36 pm »
Quote from: glasi on April 27, 2019, 02:41:11 pm
A no redirect rule in Firewall:NAT:Port-Forwards is not applicable in my use case as I am using a non-transparent proxy.
Ok, so I do not get your problem. Your clients have to explicitly use a proxy for web access (= no firewall rule that allows direct HTTP/S access for clients), and you configured your proxy to block RFC1918. So LAN and OPT1 should be separated.
