I added a DMZ zone and started doing some testing. The transparent proxy does not function in the DMZ zone and (for good reason) the DMZ zone does not have access to the wpad.dat file. Really, why would anyone need a web proxy in their DMZ zone? The following screenshots should show what I experienced:
I can ping out, the transparent HTTP proxy is enabled, but I cannot browse:
I didn’t even test manually configuring proxy settings. But after unchecking the “Block HTTP and HTTPS ports” checkbox, everything started working in the DMZ zone. I think the best fix would be to have the “Block HTTP and HTTPS ports” checkbox not apply to the DMZ zone.
Is there a reason it applies to the DMZ zone that I’m not thinking of?
Probably an overzealous rule.
But I can’t see where the problem is in the code. Please, could you show the section of your /etc/shorewall/rules where you find the comment “COMMENT Proxy block HTTP/HTTPS ports”?
# Block HTTP/HTTPS from blue to net
#
?COMMENT Proxy block HTTP/HTTPS ports
REJECT blue net tcp 80,443
#
# Block HTTP/HTTPS from loc to net
#
?COMMENT Proxy block HTTP/HTTPS ports
REJECT loc net tcp 80,443
#
# Block HTTP/HTTPS from orang to net
#
?COMMENT Proxy block HTTP/HTTPS ports
REJECT orang net tcp 80,443
@alefattorini never mind about that… images started working again.
Why change from a “bug” to “support” though? If the transparent proxy doesn’t work in the DMZ zone and WPAD doesn’t work in the DMZ zone, doesn’t that make applying the “Block HTTP and HTTPS ports” checkbox to the DMZ zone a bug?
Edit: I tested again with a fresh install of NethServer, fully updated - still the same problem.
To add onto this issue, you would think that adding a host to “Hosts without proxy” under the “Web proxy” section would also bypass the “Block HTTP and HTTPS ports” option… but it doesn’t. Ports remain blocked for those hosts as well.
Hosts without proxy is evaluated only when the proxy is transparent.
Thinking about it, we could probably use the same list even when not transparent. @giacomo, what do you think?
It would make sense, while making exclusions to the port blocking, to add that to the list.
I don’t know that any other bypass is required other than the port blocking bypass. I assume setting the proxy settings to ‘manual’ or ‘none’ in the browsers of those clients that are on the exclusion list, so they don’t auto-discover, and we’re good to go.
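The two points raised in this thread, that the REJECT rule should not be generated for the DMZ (orang) zone and that “Hosts without proxy” should also bypass the port block, both come down to what ends up in /etc/shorewall/rules. The following Python is an added example, not NethServer’s template code: it renders the “Proxy block HTTP/HTTPS ports” section with an ACCEPT line per bypass host placed before each zone-wide REJECT, leaves orang out unless explicitly asked, and includes a small first-match evaluator so the effect of the ordering can be checked offline. It assumes the zone names used in the thread (blue, loc, orang, net), that Shorewall evaluates the rules file top to bottom with the first matching rule winning, and the `zone:address` source syntax; the host addresses are constructed sample values.

```python
"""Render the "Block HTTP and HTTPS ports" section of a Shorewall rules file
with per-host exclusions, and evaluate it with first-match semantics.

Assumptions (example code, not NethServer's own template):
- Shorewall reads the rules file top to bottom; the first matching rule wins,
  so an ACCEPT for a bypass host must be emitted before the zone-wide REJECT.
- Zone names follow the thread: blue, loc, orang (DMZ), net.
- SOURCE may be written as "zone" or "zone:address[/prefix]".
"""
from ipaddress import ip_address, ip_network

BLOCKED_ZONES = ("blue", "loc")   # orang (DMZ) is deliberately not in this list
PORTS = "80,443"


def normalize_host(host):
    """Return a single address as-is and a subnet in CIDR form; raise on junk."""
    net = ip_network(host, strict=False)
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def render_block_rules(bypass_hosts, block_dmz=False):
    """Return the rules-file fragment as text.

    bypass_hosts: the "Hosts without proxy" list (addresses or CIDR subnets),
    each of which gets an ACCEPT ahead of the REJECT for every blocked zone.
    block_dmz:    set True to reproduce the current behaviour where the REJECT
                  is also generated for orang (the DMZ zone).
    """
    zones = list(BLOCKED_ZONES) + (["orang"] if block_dmz else [])
    hosts = [normalize_host(h) for h in bypass_hosts]
    lines = []
    for zone in zones:
        lines.append(f"# Block HTTP/HTTPS from {zone} to net")
        lines.append("#")
        lines.append("?COMMENT Proxy block HTTP/HTTPS ports")
        for host in hosts:
            # exclusion must precede the REJECT, otherwise it is never reached
            lines.append(f"ACCEPT\t{zone}:{host}\tnet\ttcp\t{PORTS}")
        lines.append(f"REJECT\t{zone}\tnet\ttcp\t{PORTS}")
        lines.append("#")
    return "\n".join(lines) + "\n"


def evaluate(rules_text, zone, src_ip, dport):
    """Simulate first-match evaluation of the rendered fragment for one TCP
    connection from src_ip in `zone` to the net zone on port dport.

    Returns "ACCEPT", "REJECT", or None when no rule matches (the connection
    then falls through to the zone policy, which this example does not model).
    """
    src = ip_address(src_ip)
    for raw in rules_text.splitlines():
        line = raw.strip()
        # skip blank lines, comments and ?COMMENT directives
        if not line or line.startswith("#") or line.startswith("?"):
            continue
        action, source, dest, proto, ports = line.split()
        src_zone, _, src_addr = source.partition(":")
        if src_zone != zone or dest != "net" or proto != "tcp":
            continue
        if src_addr and src not in ip_network(src_addr, strict=False):
            continue
        if str(dport) not in ports.split(","):
            continue
        return action
    return None


if __name__ == "__main__":
    # constructed sample exclusion list: one host and one subnet
    fragment = render_block_rules(["192.168.1.10", "10.0.0.0/24"])
    print(fragment)
    print("loc 192.168.1.10 -> 443:", evaluate(fragment, "loc", "192.168.1.10", 443))
    print("loc 192.168.1.11 -> 443:", evaluate(fragment, "loc", "192.168.1.11", 443))
    print("orang 172.16.0.5 -> 80: ", evaluate(fragment, "orang", "172.16.0.5", 80))
```

Running it shows the excluded host getting ACCEPT, any other loc host getting REJECT, and a DMZ host matching nothing in this section, which is the behaviour the thread argues for. The evaluator only models this fragment, not the rest of the rules file or the zone policies.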