Block HTTP and HTTPS ports applies to DMZ... by design?

(Adam) #1

I added a DMZ zone and started doing some testing. The transparent proxy does not function in the DMZ zone and (for good reason) the DMZ zone does not have access to the wpad.dat file. Really, why would anyone need a web proxy in their DMZ zone? The following screenshots should show what I experienced:

I can ping out, transparent http proxy is enabled, but I cannot browse:

No access to wpad.dat on orange or green IP:

I didn’t even test manually configuring proxy settings. But after unchecking the “Block HTTP and HTTPS ports” check-box, everything started working in the DMZ zone. I think the best fix would be to have the “Block HTTP and HTTPS ports” checkbox not apply to the DMZ zone.

Is there a reason it applies to the DMZ zone that I’m not thinking of?

(Filippo Carletti) #2

Probably an overzealous rule.
But I can’t see where the problem is in the code. Please, could you show the section of your /etc/shorewall/rules where you find the comment “COMMENT Proxy block HTTP/HTTPS ports”?

(Adam) #3

Is this what you’re asking for?

```
# Block HTTP/HTTPS from blue to net
?COMMENT Proxy block HTTP/HTTPS ports
REJECT blue        net    tcp    80,443
# Block HTTP/HTTPS from loc to net
?COMMENT Proxy block HTTP/HTTPS ports
REJECT loc        net    tcp    80,443
# Block HTTP/HTTPS from orang to net
?COMMENT Proxy block HTTP/HTTPS ports
REJECT orang        net    tcp    80,443
```

(Adam) #4

@alefattorini never mind about that… images started working again. :smile:

Why change from a “bug” to “support” though? If the transparent proxy doesn’t work in the DMZ zone and WPAD doesn’t work in the DMZ zone, doesn’t that make applying the “Block HTTP and HTTPS ports” check-box to the DMZ zone a bug?

Edit: I tested again with a fresh install of NethServer, fully updated - still the same problem.

(Alessio Fattorini) #5

Never mind, I just re-updated the category!
Thanks for your tests, is there anyone who’d like to confirm this bug?

(Filippo Carletti) #6

I think it’s a bug.

(Adam) #7

To add onto this issue, you would think that adding a host to “Hosts without proxy” under the “Web proxy” section would also bypass the “Block HTTP and HTTPS ports” option… but it doesn’t. Ports remain blocked for those hosts as well.

[Screenshot: Ports blocked for hosts in “Hosts without proxy”]

(Filippo Carletti) #8

I filed an issue. @Adam, could you please confirm I got it right?

(Adam) #9

Looks great! Is there also a way to bypass port blocking if a host is specified in “hosts without proxy”?

(Filippo Carletti) #10

Hosts without proxy is evaluated only when the proxy is transparent.
Thinking about it, we could probably use the same list even when not transparent.
@giacomo, what do you think?

(Adam) #11

It would make sense, while making exclusions to the port blocking, to add that to the list.

I don’t know that any other bypass is required other than the port blocking bypass. I assume we set the proxy settings to ‘manual’ or ‘none’ in the browsers of those clients that are on the exclusion list so they don’t auto-discover, and we’re good to go.
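To make the two points of this thread concrete (the rules posted in #3 apply the REJECT to the orange zone, and the #7/#10 observation that “Hosts without proxy” entries are shadowed by them), here is an added illustrative generator plus a first-match evaluator for the resulting lines. It is not NethServer’s template code; the zone names come from the thread, the `zone:address` source syntax is standard Shorewall, and the IP addresses are constructed sample values.

```python
"""Generate the 'Block HTTP/HTTPS ports' rules with the fixes discussed above:
the DMZ ('orang') is left out because neither the transparent proxy nor WPAD
reaches it, and bypass hosts get an ACCEPT *before* the zone-wide REJECT.
Illustrative only; zone names follow the thread, addresses are constructed."""

PROXY_PORTS = "80,443"
# Zones the proxy actually serves. 'orang' (the DMZ) is deliberately absent.
PROXIED_ZONES = ("blue", "loc")


def block_rules(block_enabled, hosts_without_proxy=(), proxied_zones=PROXIED_ZONES):
    """Return rules-file lines, in evaluation order, as a list of strings.

    Shorewall evaluates the rules file top-down, so an exception for a bypass
    host must precede the REJECT for its zone; appended afterwards it would
    never be reached, which is exactly the symptom reported in #7.
    """
    if not block_enabled:
        return []
    lines = []
    for zone in proxied_zones:
        lines.append(f"# Block HTTP/HTTPS from {zone} to net")
        lines.append("?COMMENT Proxy block HTTP/HTTPS ports")
        for host in hosts_without_proxy:
            # 'zone:address' restricts the ACCEPT to that single host. A host
            # that does not sit behind this zone's interface never matches.
            lines.append(f"ACCEPT {zone}:{host} net tcp {PROXY_PORTS}")
        lines.append(f"REJECT {zone} net tcp {PROXY_PORTS}")
    return lines


def first_match(lines, src_zone, src_ip, dport):
    """Minimal first-match evaluator for the lines block_rules() emits.

    Returns the matching action ('ACCEPT'/'REJECT') or None when no rule
    applies, which is what a DMZ client would now see for ports 80/443.
    """
    for line in lines:
        if line.startswith("#") or line.startswith("?"):
            continue  # comments and ?COMMENT directives carry no rule
        action, src, _dst, _proto, ports = line.split()
        zone, _, ip = src.partition(":")
        if zone != src_zone or (ip and ip != src_ip):
            continue
        if str(dport) in ports.split(","):
            return action
    return None
```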

(Giacomo Sanchietti) #12

I’m not really convinced. Port blocking and proxy bypass are two different concepts… but if this is the behavior users expect… ok.

(Adam) #13

They are in the same section after all…

(Alessio Fattorini) #14

@Adam your bug is in QA status, would you like to verify it? /cc @dz00te

(Adam) #15

Bug and QA! Great job! :sunglasses:

(Alessio Fattorini) #17

Woah! I’m very proud of this new tester! Great start @Adam, thanks to @dz00te as well for his mentoring!

(Giacomo Sanchietti) #18

New rpm is now released, it will be available from tomorrow!
Thank you! :smile:

(Alessio Fattorini) #19

Issue fixed, verified and released