Hi! I’m trying to achieve this configuration: essentially all the traffic in the network should pass the content filtering in the proxy, assume I have control over the clients. All not proxied traffic should be blocked by default.
I know not all network traffic can pass through proxy, but I’m not sure I understand how actually all of this work.
My UFW firewall configuration is the following:
To Action From
-- ------ ----
3128 ALLOW OUT Anywhere
53 ALLOW OUT Anywhere
53 is for DNS requests (that cannot pass through the proxy), even if I use DOH this port needs to be open for bootstrapping.
3128 is Squid proxy port.
I’m assuming the following:
client -> dns request (53) / cannot be handled by the proxy -> dns response client -> proxy (all ports that the proxy can handle) -> http/https/ftp response client -> blocked (all other ports)
But from UFW logs it looks like the client is trying to make requests (eg. https requests) directly through port 443, instead that passing from 3128… Maybe I’m getting something wrong here on how Proxies work.
Do you have any suggestion?
Is this on the same machine, or multiple machines?
The typical/easy design for an outgoing proxy, would be to set the proxy on one machine, configure the client on another machine to connect to the proxy, and drop any packets from the client that aren’t targeted at the proxy.
For a transparent proxy, all connections coming from a client could be rewritten via NAT to go to the proxy, then the proxy can decide which ones it can handle or is willing to.
If you try to fold this up into a single machine, I’d suggest using containers to keep things organized.
If you simply want to block certain sites, why not use Pihole?
DNS over HTTPS bypasses pihole, and you have to do some effort to make it work. DNS in general is such a mess.
