
Using the firewall as a web proxy.

I want to configure my Sophos Firewall so that only Firefox can access the internet from a PC, and all traffic must go through the Sophos explicit web proxy (configured on port 3128). Direct HTTP/HTTPS traffic from the PC should be blocked entirely.

When I configure Firefox to use the proxy, web pages are blocked unless direct HTTP/HTTPS traffic (ports 80/443) from the PC to the WAN is allowed. This defeats the purpose of forcing traffic through the proxy. If I block ports 80 and 443, the proxy stops working even though traffic to port 3128 is explicitly allowed.

What am I missing?

Thanks



[edited by: Erick Jan at 3:15 AM (GMT -8) on 25 Nov 2024]
  • Hi Jason,

    Thank you for reaching out to Sophos Community.

    Kindly try to create a firewall rule to only allow traffic via 3128, then make another firewall rule to block all (https/http) incoming traffic via port 80/443.

    Upon applying this to Firefox, kindly check the Log Viewer or monitor the traffic via packet capture.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • It is actually slightly more complicated.  There still needs to be a rule for HTTP/HTTPS for the proxy to talk externally - otherwise you will get the page attempting to load and then time out with a Sophos-generated error page.

    In effect you have two connections
    PC <--> SFOS  <--> website

    The PC to SFOS is 3128 and needs a firewall rule.
    The SFOS to website is 80/443 and needs a firewall rule.  Web policy is not applied to traffic generated from the web proxy.

    The firewall rules are re-evaluated on the external connection.  Otherwise the web proxy could be used to bypass some firewall rules (such as GeoIP country blocks).

    Recommendation is

    Rule 1 - Service 3128.  Web policy what you want.
    Rule 2 - Service HTTP/HTTPS.  Web policy Block All.

    Note:  Transparent mode traffic will hit the Block All policy, so they get a block page.  However exceptions are still applied, therefore they will still be able to do things like get to microsoft.com (for windows updates).  You can watch the Web Filter log for connections that are using that firewall rule and determine if you want to allow/block them via exception.

    If I recall there are some other possible setups that block transparent HTTP/HTTPS more completely but are more complex.  And that customers found that some updaters and things just do not support direct mode so they found that supporting a little bit of transparent mode was nice to have.

    It is suggested that if you are doing this you may want to use WPAD/PAC to deploy the proxy settings.  That way any browser configured for proxy "automatically detect settings" picks it up.  That will also catch a few non browsers as well.
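As an added example (not from the thread, and not Sophos code), here is a PAC file implementing the WPAD/PAC suggestion above: every browser request goes to the explicit proxy on port 3128, and only dot-less intranet names and one assumed internal DNS zone stay direct. The firewall LAN address 192.0.2.1 and the zone corp.example are placeholders; replace them with your own values before serving the file as wpad.dat.

```javascript
// Example PAC file (added illustration, not from the Sophos thread).
// ASSUMPTION: the Sophos Firewall LAN address is 192.0.2.1 (placeholder).
var SFOS_PROXY = "PROXY 192.0.2.1:3128";

// ASSUMPTION: names under this internal zone are served on the LAN and are
// not meant to traverse the firewall's web proxy (placeholder zone).
var INTERNAL_ZONE = ".corp.example";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Dot-less names (e.g. "intranet") and the firewall itself stay direct,
  // so block pages served by the firewall remain reachable.
  if (host.indexOf(".") === -1 || host === "192.0.2.1") {
    return "DIRECT";
  }

  // Hosts inside the internal zone (or the zone apex) also stay direct.
  if (host === INTERNAL_ZONE.slice(1) ||
      host.slice(-INTERNAL_ZONE.length) === INTERNAL_ZONE) {
    return "DIRECT";
  }

  // Everything else, HTTP and HTTPS alike, is sent to the explicit proxy.
  // No "; DIRECT" fallback is listed on purpose: if the proxy is down the
  // browser must fail rather than silently bypass the firewall rule.
  return SFOS_PROXY;
}
```

Publishing the file as http://wpad.<your domain>/wpad.dat (via the wpad DNS name or DHCP option 252) lets any client with "automatically detect settings" pick it up. Because the return string deliberately has no `DIRECT` fallback, a client whose direct 80/443 traffic is blocked by Rule 2 cannot quietly fall back to a direct connection if the proxy is unreachable, which is the behaviour the original question asks for.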
