Bug #901
closed
Squid "Don't filter for RFC1918" doesn't work for PPTP (patch included)
20%
Description
NOTE this bug is filed against / patch is built against 2.7.8_1 - so if this is a dupe of a fixed bug, I apologize.
Squid can't "not filter" traffic coming in via the PPTP interfaces, per the RFC1918 checklist.
I've attached a patch for squid.inc that works in my situation, but it needs a few more checks - i.e. we only want to do this if PPTP exists, and use the correct interface alias variable as defined in the code above.
Expected Behavior: PPTP clients can connect to RFC1918 addresses 'the same as' LAN-connected users.
Actual Behavior: All PPTP clients are proxied, as the "no rdr" rules generated only apply against the 'directly attached' interfaces.
Relevant section of /tmp/rules.debug (with the line my patch adds commented out ###)
# Setup Squid proxy redirect
no rdr on bge0 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
### no rdr on $pptp proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
no rdr on bge0 proto tcp from { 192.168.1.11, 192.168.1.9, 192.168.1.92, 192.168.1.210, 192.168.1.253, 192.168.1.150, 192.168.1.160, 192.168.1.176, 192.168.1.177, 192.168.1.178, 192.168.1.179, 192.168.1.180, 192.168.1.113 } to any port 80
rdr on bge0 proto tcp from any to !(bge0) port 80 -> 127.0.0.1 port 80
rdr on $pptp proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80
Updated by Overand IRC-Priv over 14 years ago
Actually, one might want to simply have the "$ifaces" chunk include the pptp interface alias, to simplify this.
Updated by Ermal Luçi about 14 years ago
You can do this from the GUI on 2.0.
I will close this since it will not be fixed on 1.2.3 so near to 2.0 release.
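A check for the gap described in this report, as an added example (not part of the ticket, the attached patch, or pfSense): it reads a generated ruleset and lists every interface that has a port-80 `rdr` to the proxy but no `no rdr` exemption covering the three RFC1918 destination networks. The sample rules are constructed from the excerpt in the description with the host list shortened, and the function name is hypothetical.

```python
import re

RFC1918 = {"192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"}

# Constructed sample, modelled on the rules.debug excerpt in the report
# (source host list shortened; the patch's line is still commented out).
SAMPLE_RULES = """\
# Setup Squid proxy redirect
no rdr on bge0 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
### no rdr on $pptp proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
no rdr on bge0 proto tcp from { 192.168.1.11, 192.168.1.9 } to any port 80
rdr on bge0 proto tcp from any to !(bge0) port 80 -> 127.0.0.1 port 80
rdr on $pptp proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80
"""

# Matches "[no ]rdr on <iface> proto tcp from <src> to <dst> port 80 ..."
RULE = re.compile(
    r"^(no\s+)?rdr\s+on\s+(\S+)\s+proto\s+tcp\s+from\s+(.+?)\s+to\s+(.+?)\s+port\s+80\b"
)

def missing_rfc1918_exemptions(rules_text):
    """Return interfaces redirected to the proxy that lack a
    'no rdr ... from any to { RFC1918 }' rule on the same interface."""
    redirected, exempt = [], set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments (including the ### line)
        m = RULE.match(line)
        if not m:
            continue
        negated, iface, src, dst = m.groups()
        if negated:
            nets = set(re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", dst))
            # Only a rule for any source and all three networks counts.
            if src == "any" and RFC1918 <= nets:
                exempt.add(iface)
        elif "->" in line and iface not in redirected:
            redirected.append(iface)
    return [i for i in redirected if i not in exempt]

if __name__ == "__main__":
    print("before patch:", missing_rfc1918_exemptions(SAMPLE_RULES))
    patched = SAMPLE_RULES.replace("### no rdr", "no rdr")
    print("after patch: ", missing_rfc1918_exemptions(patched))
```
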