Add IPv6 support to squid
Missing IPv6 support in the squid package allows traffic to escape intended inspection and apparently also the firewall rules (which should not allow the bypass either but still apparently do). The MITM rules configured by the Squid package configuration process do not appear to pick up IPv6 traffic; it looks like these interception ACLs are only doing "inet4" and not "inet6" or similar:
rdr on igb0_vlan50 inet proto tcp from any to ! (igb0_vlan50) port = http
> 127.0.0.1 port 3128 10.200.5.5:57242 FIN_WAIT_2:FIN_WAIT_2
rdr on igb0_vlan50 inet proto tcp from any to ! (igb0_vlan50) port = https -> 127.0.0.1 port 3129
pass in quick on igb0_vlan50 proto tcp from any to ! (igb0_vlan50) port = 3128 flags S/SA keep state
pass in quick on igb0_vlan50 proto tcp from any to ! (igb0_vlan50) port = 3129 flags S/SA keep state
igb0_vlan50 tcp 127.0.0.1:3128 (126.96.36.199:80) <
igb0_vlan50 tcp 127.0.0.1:3128 (188.8.131.52:80) <- 10.200.5.5:45536 FIN_WAIT_2:FIN_WAIT_2
IPv6 is supported upstream and so is BSD's interception system for IPv6: http://wiki.squid-cache.org/Features/IPv6 . This issue prevents me from realizing the intended use case of monitoring and filtering outbound traffic from a test lab. At present, the IPv6 traffic leaks through due to the missing rules even if the normal firewall policies on the interface block the traffic, and dual-stack is intentionally used in the test lab to provide the most complete realistic environment possible.
Further context from email discussion w/ Jim Thompson and Jim Pingle:
"As far as I'm aware the squid package has not claimed to support IPv6,
so this is expected. To add that in we would need a feature request on
redmine. There aren't any IPv6 options in the squid GUI.
Since the source address would be lost in the process, attempting to
intercept IPv6 is much more disruptive than its IPv4 counterpart, which
usually has NAT hiding the source. To work around that requires tproxy
or similar in both squid and the host OS (read: FreeBSD). We have squid
compiled with TP_PF, at least on 2.4, but I don't know that anyone has
attempted to get that working. If it actually does work in
FreeBSD+pf+squid then it may be possible to add that feature, but it
would take development and testing time.
#1 Updated by Jim Pingle over 3 years ago
- Subject changed from PFSense Squid IPv6 Support Does Not Work, Allows Full HTTP Inspection Bypass to Add IPv6 support to squid
- Assignee deleted (
Corrected subject - This is not a "bypass" in the way that is stated. The squid package only supports IPv4 currently. If the network is configured for IPv6, that traffic is not inspected, as squid does not support IPv6.
If squid is a hard requirement, then IPv6 must be disabled/blocked until IPv6 support is added to squid.
It may be unexpected, but if it happens, it happens due to a misconfiguration/misunderstanding on the administrator's part, not a bug/vulnerability.
#2 Updated by Kill Bill over 3 years ago
A couple of notes on this: The only part of Squid working with IPv6 is the reverse proxy (though, that's not advertised anywhere in the GUI, plus requires explicit manual steps in the GUI to bind to IPv6.)
As for the "normal" proxy, this ain't doable at all with current underlying pfSense code. The NAT used for transparent IPv4 proxy won't work, and there's nothing to hook into regarding tproxy/divert sockets or similar.
#3 Updated by Matthew Hall over 3 years ago
Regarding the comment, "The NAT used for transparent IPv4 proxy won't work, and there's nothing to hook into regarding tproxy/divert sockets or similar." The page http://wiki.squid-cache.org/Features/IPv6 says otherwise about Squid's own IPv6 capabilities. It states that, "BSD divert sockets provide TPROXY equivalent functionality for recent OpenBSD and derivative systems. Support for tproxy mode on BSD was added to Squid-3.4."
Stating, "This is not a "bypass" in the way that is stated." doesn't seem to fully capture the spirit of this either. There is a bypass present here, because the firewall rules didn't allow the leaking IPv6 traffic through, yet it still leaked through wide-open when the squid interception was enabled. So there is definitely some amount of traffic bypass here at least as I understand the term. If Squid is not inspecting it, and the rules don't allow it, to me this means it shouldn't get through. But right now it does. This seems unsafe even if there's no IPv6 support in the package.
#4 Updated by Kill Bill over 3 years ago
Squid's own capabilities mean nothing here. You need support in the underlying OS to work with. Even if I made all the GUI IPv6 aware, letting Squid bind to IPv6 and accepting IPv6 input everywhere, it wouldn't work as requested, plus additionally would break the firewall ruleset. Obvious when you read the package code.