Hi! I’m trying to achieve this configuration: essentially all the traffic in the network should pass through the content filtering in the proxy; assume I have control over the clients. All non-proxied traffic should be blocked by default.

I know not all network traffic can pass through a proxy, but I’m not sure I understand how all of this actually works.

My UFW firewall configuration is the following:

To                         Action      From
--                         ------      ----
3128                       ALLOW OUT   Anywhere
53                         ALLOW OUT   Anywhere

53 is for DNS requests (which cannot pass through the proxy); even if I use DoH, this port needs to be open for bootstrapping.

3128 is the Squid proxy port.

I’m assuming the following:

client -> DNS request (53), cannot be handled by the proxy -> DNS response
client -> proxy (all ports the proxy can handle) -> http/https/ftp response
client -> blocked (all other ports)

But from the UFW logs it looks like the client is trying to make requests (e.g. HTTPS requests) directly through port 443, instead of passing through 3128… Maybe I’m getting something wrong here about how proxies work.

Do you have any suggestion?

    • frezik@midwest.social
      5 days ago

      DNS over HTTPS bypasses pihole, and you have to do some effort to make it work. DNS in general is such a mess.

    • dontblink@feddit.itOP
      5 days ago

      I need to block IPs and unauthorized connections that are not http/https as well, I know about DNS filtering but it’s not what I am trying to achieve.

  • jarfil@beehaw.org
    5 days ago

    Is this on the same machine, or multiple machines?

    The typical/easy design for an outgoing proxy would be to set up the proxy on one machine, configure the client on another machine to connect to the proxy, and drop any packets from the client that aren’t targeted at the proxy.

    For a transparent proxy, all connections coming from a client could be rewritten via NAT to go to the proxy, then the proxy can decide which ones it can handle or is willing to.

    If you try to fold this up into a single machine, I’d suggest using containers to keep things organized.
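The client-side half of that two-machine design, as an added example that is not code from anyone in this thread: a UFW rule set where the client may only reach the proxy on 3128 and one resolver on 53, with everything else (including direct 443) dropped by the default policy. PROXY_IP and DNS_IP are placeholder addresses; the script prints the commands unless DRY_RUN=0, and ALLOW OUT rules only restrict anything once the default outgoing policy is deny.

```shell
#!/bin/sh
# Added example, not from the thread: client-side UFW policy for the
# "client may only talk to the proxy" design. Addresses are placeholders.
PROXY_IP="${PROXY_IP:-192.0.2.10}"   # assumed address of the proxy host
DNS_IP="${DNS_IP:-192.0.2.53}"       # assumed address of the resolver
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the commands, 0 = run ufw

# Print or execute one ufw command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

# The rule set. The default policy comes first: without "default deny
# outgoing" the ALLOW OUT rules permit nothing extra and block nothing,
# which is how a client ends up opening port 443 directly.
client_rules() {
    run default deny outgoing
    run default deny incoming
    # Only the proxy port on the proxy host, over TCP.
    run allow out to "$PROXY_IP" port 3128 proto tcp
    # DNS only to the chosen resolver, not to "Anywhere".
    run allow out to "$DNS_IP" port 53 proto udp
    run allow out to "$DNS_IP" port 53 proto tcp
    # Log what the default policy drops, so bypass attempts are visible.
    run logging on
}

# Review helper: how many allow rules name a given destination port.
count_rules_for_port() {
    client_rules | grep -c "port $1 " || true
}

client_rules
```

After applying with DRY_RUN=0 as root, `ufw enable` (or `ufw reload`) is still needed for the new default policy to take effect.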

    • dontblink@feddit.itOP
      5 days ago

      Didn’t think about the two-machine thing. But yeah, it definitely looks easier than setting up a transparent proxy… But I guess all of this has to be on the same network; I cannot use an external server that I connect to via WAN, because at that point the outgoing connections would already need to be unproxied, right?

      But can’t your setup be done on the same machine with a firewall?