Ticket #3892 (accepted enhancement)
Objects' filter policy from remote IPSEC client doesn't hit the filter profile
| Reported by: | noc@… | Owned by: | jamor@… |
|---|---|---|---|
| Milestone: | 3.2 | Component: | squid |
| Severity: | normal | Keywords: | Object's Policy IPSEC |
| Cc: | | | |
Description
A browser with the proxy configured, on a remote IPsec computer, doesn't use the configured filter profile on an HTTP proxy object's policy.
The HTTP request always gets accepted:
[browser]->[zywall-ipsec]->[{zentyal-ipsec}->{proxy object policy}->{filter profile}]->[web]
This, however, is filtering HTTP requests:
[browser]->[LAN]->[{zentyal}->{proxy object policy}->{filter profile}]->[web]
The above config also doesn't use the default filter profile.
Change History
comment:1 Changed 15 months ago by jamor@…
- Status changed from new to accepted
- Type changed from defect to enhancement
comment:2 Changed 15 months ago by noc@…
Thank you for the response jamor.
The remote clients are behind a Zywall router connected to Zentyal via IPsec VPN. Remote client internet traffic passes through the Zentyal HTTP proxy with filtering, using IP address as authentication. Of course LAN-to-WAN is blocked on the Zywall and only the Zentyal proxy port is allowed to pass outside.
The main goal here is to use the Zentyal server located in the main office to cache and filter web requests from remote offices using the existing facility, thus not having additional cost in remote offices.
---
There are no entries in the DansGuardian log, which means requests coming from IPsec don't get redirected to port 3129.
eth0=WAN eth1=WAN eth2=LAN
This is part of the iptables-save output:
HTTP Proxy
```
root@proxy:~# iptables-save | grep 312
-A premodules -d 172.16.10.29/32 -i eth2 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 3129
-A ffwdrules -p tcp -m tcp --dport 3128 -j ACCEPT
-A ffwdrules -p tcp -m tcp --dport 3129 -j ACCEPT
-A iexternal -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A iexternal -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
-A iglobal -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A iglobal -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
-A imodules -i eth2 -p tcp -m state --state NEW -m tcp --dport 3129 -j ACCEPT
-A imodules -p tcp -m state --state NEW -m tcp --dport 3128 -j DROP
```
IPSEC
```
root@proxy:~# iptables-save | grep 10.17.
-A postmodules -d 10.17.0.0/24 -o eth0 -j ACCEPT
-A postmodules -d 10.17.0.0/24 -o eth1 -j ACCEPT
root@proxy:~# iptables-save | grep esp
-A iexternal -p esp -m state --state NEW -j ACCEPT
```
Traffic from the IPsec VPN doesn't get redirected to 3129 (DansGuardian) and doesn't get dropped on port 3128.
---
Regards.
comment:3 follow-up: ↓ 6 Changed 15 months ago by jamor@…
Thanks for the explanation, Noc.
Until we tackle this I suggest you add a hook to the firewall module with the needed rule. Here you have some documentation about hooks:
- http://blogs.zentyal.org/jacalvo/2011/01/04/how-to-customize-the-configuration-files-generated-by-zentyal/
- www.slideshare.net/exekias/zentyal-customization-templates-hooks-ldap
Regards,
Javier
comment:6 in reply to: ↑ 3 Changed 13 months ago by juan.jramos@…
Replying to jamor@…:
Thanks for the explanation, Noc.
Until we tackle this I suggest you add a hook to the firewall module with the needed rule. Here you have some documentation about hooks:
- http://blogs.zentyal.org/jacalvo/2011/01/04/how-to-customize-the-configuration-files-generated-by-zentyal/
- www.slideshare.net/exekias/zentyal-customization-templates-hooks-ldap
Regards,
Javier
Hi Javier! My name is Juan, I'm the one who created ticket 4150.
Unfortunately, the solution is not yet clear to me. The first link is dead, and the other one doesn't talk directly about the issue.
Can you please tell us what rule(s) we should add to the firewall to get this working?
Thanks a lot
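As an added example (not code from the ticket, from Zentyal, or from any of the commenters), the script below prints the two rules a firewall hook could carry for the remote subnet in comment 2, and models the premodules REDIRECT chain first-match style to show why the rule shown in the ticket, restricted to `-i eth2`, never matches traffic that arrives through the tunnel. The subnet 10.17.0.0/24, the proxy address 172.16.10.29 and the ports come from the ticket; that decrypted tunnel packets re-enter on the WAN interface, and that a source-based REDIRECT is "the needed rule", are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket or from Zentyal. Prints the rules a
# firewall hook would need so that IPsec clients are also sent through
# DansGuardian, and models the premodules REDIRECT chain to show why the
# ticket's rule misses them.
VPN_NET=10.17.0.0/24      # remote office subnet behind the Zywall (from the ticket)
PROXY_IP=172.16.10.29     # proxy LAN address used in the ticket's REDIRECT rule
PROXY_PORT=3128           # squid, the port configured in browsers
FILTER_PORT=3129          # dansguardian, where filtered requests must land

# The ticket's REDIRECT is limited to "-i eth2" (LAN). Decrypted tunnel packets
# re-enter PREROUTING on the WAN interface, so they never match. The hook rule
# below keys on the VPN source subnet instead of the interface (assumption: this
# is what the ticket calls "the needed rule"); "-m policy --dir in --pol ipsec"
# could be added to limit it to packets that really arrived encrypted.
hook_rules() {
    cat <<EOF
iptables -t nat -I premodules -s $VPN_NET -p tcp --dport $PROXY_PORT -j REDIRECT --to-ports $FILTER_PORT
iptables -I imodules -s $VPN_NET -p tcp -m state --state NEW --dport $FILTER_PORT -j ACCEPT
EOF
}

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR -> exit 0 when IP falls inside CIDR (4294967295 = 0xFFFFFFFF)
in_net() {
    net=${2%/*} bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# would_redirect RULESET IFACE SRC DST
# First-match model of the premodules REDIRECT rules for a TCP packet to :3128.
# RULESET "ticket" = only the rule shown in the ticket; "hook" = ticket + hook rule.
# Exit 0: redirected to $FILTER_PORT.  Exit 1: stays on $PROXY_PORT, unfiltered.
would_redirect() {
    ruleset=$1 iface=$2 src=$3 dst=$4
    # ticket rule: -d 172.16.10.29/32 -i eth2 --dport 3128 -j REDIRECT
    [ "$dst" = "$PROXY_IP" ] && [ "$iface" = eth2 ] && return 0
    # hook rule: -s 10.17.0.0/24 --dport 3128 -j REDIRECT (interface independent)
    [ "$ruleset" = hook ] && in_net "$src" "$VPN_NET" && return 0
    return 1
}

hook_rules
```

Review the two printed commands and place them in a firewall hook as jamor suggests; the script itself only prints, it never touches the running ruleset.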
Hello Noc and thanks for your comments,
however I don't see the point of this: if a remote user can connect via IPsec, it can also connect by itself to web resources, making the restriction policies moot.
Of course, if there are some intranet assets that are only accessible via the proxy, or if the client is in a restricted environment which can only connect to the IPsec server, then it makes sense. But these two situations are very unlikely.
Am I missing something?