The Outgoing Firewall is Not Working With a Proxy

Versions 2.5, 3.0, & 5.0

Applies to platform: all
Last updated: 13 May 2014

This lesson explains why the outgoing firewall seems not to work when a service uses a transparent proxy.

How the Proxy Works

The following picture shows what happens when retrieving a web page from a remote server with a proxy server in between, that is, with an Endian UTM Appliance running the squid proxy server.


The scenario sees a user who wants to access Google's home page. Without the HTTP proxy, the user's computer would contact Google's web server directly on port 80, retrieve the home page, and display it.

With the proxy activated, however, whenever a connection starts from a client to the Internet, it will either be intercepted by the proxy on the Endian UTM Appliance (in transparent mode) or go directly to the firewall, but never go 'through' the firewall. The proxy then starts a new connection to the real destination, retrieves the data and sends it to the client. Those connections to the Internet always start from the Endian UTM Appliance, which hides the clients' internal IP addresses. Therefore, such connections never go through the (outgoing) firewall, since they are in fact local connections.

The outgoing firewall has the task of granting or denying access to remote resources from devices in the local zones (GREEN, ORANGE, BLUE). But the proxy removes all the information about the internal IP addresses and replaces them with the RED IP, so a single connection from the GREEN to the RED becomes, in fact, two connections: one from the GREEN zone to the appliance's GREEN interface, the second from the appliance's RED interface to the RED zone. There is no longer a connection from the GREEN to the RED, hence the outgoing firewall is never involved!


Although this scenario is very specific, similar arguments can be applied to any device (e.g., smartphones, tablets, workstations) that connects from the GREEN, ORANGE, or BLUE zone to remote devices in the RED zone, using other services relying on proxies: in all those cases, there is no direct connection to the RED interface, but one local connection and one RED-to-RED outgoing connection.

If you want to block those kinds of connections, for the HTTP protocol only, you can add entries in the Access Policy tab, located under Menubar > Proxy > HTTP.
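The two-leg behaviour described above, and the reason the HTTP proxy's Access Policy is the control that still applies, can be made concrete with a small model of the netfilter chains a connection traverses on the appliance. The following Python is an added example written for this article, not Endian's or squid's own code: the zone addresses, the remote web server, the squid port (3128) and the firewall rule are constructed assumptions. It shows that a port-80 connection from GREEN is diverted in PREROUTING to a local squid listener, so it reaches INPUT rather than FORWARD (where the outgoing firewall rules live), and that the second leg leaves via OUTPUT with the RED address as source. A non-HTTP connection on the same host still crosses FORWARD and is still subject to the outgoing firewall.

```python
"""Model of the path a client connection takes through the appliance, with and
without the transparent HTTP proxy.  Added example; all addresses and rules are
constructed assumptions, not values from the article."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions)
GREEN = ip_network("192.168.0.0/24")   # GREEN zone
GREEN_IP = "192.168.0.1"               # appliance address on the GREEN interface
RED_IP = "203.0.113.10"                # appliance address on the RED interface (TEST-NET-3)
LOCAL_IPS = {GREEN_IP, RED_IP}         # addresses owned by the appliance itself
PROXY_PORT = 3128                      # assumed squid listening port
REMOTE_WEB = "198.51.100.20"           # constructed remote web server (TEST-NET-2)


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


def outgoing_firewall_allows(c: Conn) -> bool:
    """Outgoing firewall (FORWARD chain): one constructed rule denying GREEN -> REMOTE_WEB:80."""
    return not (ip_address(c.src) in GREEN and c.dst == REMOTE_WEB and c.dport == 80)


def trace(c: Conn, transparent_proxy: bool, proxy_blocked=frozenset()):
    """Simulate one client connection through the appliance.

    Returns (chains traversed, connections that actually exist, verdict).
    proxy_blocked models the HTTP proxy Access Policy: destinations squid refuses.
    """
    orig = c
    chains = ["PREROUTING"]
    # nat PREROUTING: in transparent mode, port-80 traffic from GREEN is REDIRECTed to squid.
    if transparent_proxy and ip_address(c.src) in GREEN and c.dport == 80:
        c = replace(c, dst=GREEN_IP, dport=PROXY_PORT)

    # Routing decision: a packet addressed to the appliance itself goes to INPUT, never FORWARD.
    if c.dst in LOCAL_IPS:
        chains.append("INPUT")
        if c.dport != PROXY_PORT:
            return chains, [c], "local service, not proxied"
        # Leg 1 (GREEN -> GREEN) ends at squid, which applies its own access policy...
        if orig.dst in proxy_blocked:
            return chains, [c], "DENIED by proxy access policy"
        # ...then opens leg 2 itself (RED -> RED) through OUTPUT, with the RED address as source.
        leg2 = Conn(src=RED_IP, dst=orig.dst, dport=orig.dport)
        chains += ["OUTPUT", "POSTROUTING"]
        return chains, [c, leg2], "ALLOWED (outgoing firewall never consulted)"

    # Non-proxied traffic is forwarded: this is the only place the outgoing firewall sees it.
    chains.append("FORWARD")
    if not outgoing_firewall_allows(c):
        return chains, [c], "DENIED by outgoing firewall"
    chains.append("POSTROUTING")  # SNAT rewrites the source to the RED address
    return chains, [replace(c, src=RED_IP)], "ALLOWED by outgoing firewall"


if __name__ == "__main__":
    web = Conn("192.168.0.50", REMOTE_WEB, 80)
    ssh = Conn("192.168.0.50", REMOTE_WEB, 22)
    cases = [
        ("HTTP, proxy off", web, False, frozenset()),
        ("HTTP, proxy on", web, True, frozenset()),
        ("HTTP, proxy on + access policy", web, True, frozenset({REMOTE_WEB})),
        ("SSH, proxy on", ssh, True, frozenset()),
    ]
    for label, conn, proxy, policy in cases:
        chains, legs, verdict = trace(conn, proxy, policy)
        print(f"{label}: {' -> '.join(chains)} | {verdict}")
        for leg in legs:
            print(f"    {leg.src} -> {leg.dst}:{leg.dport}")
```

Running the script prints one line per case; the "HTTP, proxy on" case never lists FORWARD and ends with two connections, the first terminating on the GREEN interface and the second originating from the RED address, which is exactly why a deny rule in the outgoing firewall has nothing to match. Only the constructed Access Policy entry (the last HTTP case) denies it, mirroring the Menubar > Proxy > HTTP advice above.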

