Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Best Practice: Web Proxy Filtering (Private Subnets)
« previous
next »
Print
Pages: [
1
]
Author
Topic: Best Practice: Web Proxy Filtering (Private Subnets) (Read 2808 times)
porigromus
Newbie
Posts: 16
Karma: 0
Best Practice: Web Proxy Filtering (Private Subnets)
«
on:
May 10, 2019, 07:51:57 pm »
I have configured the Web Proxy utilizing HTTP Transparent. I have 3 interfaces configured (LAN, OPT1 (DMZ), OPT2 (Servers). Before configuring the proxy I only permitted specific endpoints to access specific destinations on port 80 in OPT2 as well as only permitted 1 endpoint to access the WebGUI/SSH on the firewall on port 80.
Now, all devices are able to get to these destinations due to the fact the source appears the firewall now which is always permitted. What would be the best way to permit only the devices I wish to access these endpoints on 80 now since proxy their traffic now?
One way I thought of doing this is creating a a No RDR NAT rule with a destination of RFC1918 above the present NAT redirecting the 80 traffic to the firewall.
I also thought about changing the destination from ANY to !RFC1918 on the NAT that is presently redirecting 80 traffic to 127.0.0.1.
I would prefer not to circumvent the proxy though. Is there a way to create whitelist/blacklist in the web proxy to only permit specific sources to access specific destinations on RFC1918 subnets? I wasn't sure how. What is your opinion on how to best configure what I am wanting to achieve? Thanks
«
Last Edit: May 10, 2019, 07:53:33 pm by porigromus
»
Logged
porigromus
Newbie
Posts: 16
Karma: 0
Re: Best Practice: Web Proxy Filtering (Private Subnets)
«
Reply #1 on:
May 11, 2019, 09:47:40 pm »
Would you please move this to the correct forum, Web Filtering? I did not see that category initially, my apologies.
Logged
porigromus
Newbie
Posts: 16
Karma: 0
Re: Best Practice: Web Proxy Filtering (Private Subnets)
«
Reply #2 on:
May 12, 2019, 05:53:40 am »
I went ahead and created a no rrd nat rule above the other for destinatin RFC1918. I haven't gotten any responses to my posts. I really hope I haven't put things in an incorrect format or worded things in a way that is affecting me getting any help.
Seems other posts have some responses. New here, please point out my mistakes if there are any. Thanks!
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: Best Practice: Web Proxy Filtering (Private Subnets)
«
Reply #3 on:
May 12, 2019, 10:18:43 am »
Check this thread:
https://forum.opnsense.org/index.php?topic=12551.0
I think it is about the same "problem.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
porigromus
Newbie
Posts: 16
Karma: 0
Re: Best Practice: Web Proxy Filtering (Private Subnets)
«
Reply #4 on:
May 13, 2019, 12:49:43 am »
Thanks for the response. I did stumble upon that post. I made my post after just to get an idea of how others are accomplishing this and what the best solution is. At this point I believe that seems like the best option, deny rfc1918 in an ACL via a .conf file in squid pre-auth and then no rdr for rfc1918 in a NAT rule above the proxy NAT.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Best Practice: Web Proxy Filtering (Private Subnets)