Author Topic: Squid TCP port always on, firewall can't mask it !  (Read 2775 times)

gasp72

Squid TCP port always on, firewall can't mask it !
« on: January 18, 2013, 09:41:18 am »
Hi to all,
I have this Zentyal configuration

root@zentyal:~# dpkg -l | grep "zentyal-"
ii  zentyal-antivirus                    3.0                                     Zentyal - Antivirus
ii  zentyal-bwmonitor                    3.0.1                                   Zentyal - Bandwidth Monitor
ii  zentyal-ca                           3.0.2                                   Zentyal - Certification Authority
ii  zentyal-common                       3.0.5                                   Zentyal - Common Library
ii  zentyal-core                         3.0.10                                  Zentyal - Core
ii  zentyal-dns                          3.0.4                                   Zentyal - DNS Service
ii  zentyal-firewall                     3.0.1                                   Zentyal - Firewall
ii  zentyal-ids                          3.0.1                                   Zentyal - Intrusion Detection System
ii  zentyal-monitor                      3.0.2                                   Zentyal - Monitor
ii  zentyal-network                      3.0.1                                   Zentyal - Network Configuration
ii  zentyal-ntp                          3.0                                     Zentyal - NTP Service
ii  zentyal-objects                      3.0                                     Zentyal - Network Objects
ii  zentyal-openvpn                      3.0.2                                   Zentyal - VPN Service
ii  zentyal-remoteservices               3.0.12                                  Zentyal - Cloud Client
ii  zentyal-services                     3.0.1                                   Zentyal - Network Services
ii  zentyal-software                     3.0.3                                   Zentyal - Software Management
ii  zentyal-squid                        3.0.3                                   Zentyal - HTTP Proxy (Cache and Filter)
ii  zentyal-trafficshaping               3.0                                     Zentyal - Traffic Shaping
ii  zentyal-users                        3.0.7                                   Zentyal - Users and Groups

I need to configure the internal network rules so that no client can access any TCP/UDP ports and only the internet connection is shared through the Squid module over TCP port 3128; if I scan from any internal network client I always see TCP port 3128

Starting Nmap 5.51 ( http://nmap.org ) at 2013-01-18 09:10 ora solare Europa occidentale
Nmap scan report for xxxx.xxxx.xxxx.xxxx
Host is up (0.00s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3128/tcp open  squid-http
MAC Address: xx:xx:xx:xx:xx:xx(Hewlett Packard)

Nmap done: 1 IP address (1 host up) scanned in 21.52 seconds

In this report the Squid port is announced, but I don't want to show this! I would like to filter the Squid proxy TCP port at the firewall.
I have tried to specify a DENY for TCP 3128 in the firewall rules, but it seems that the Squid module is before the firewall.
If I move the port to another one, the result is the same.
The Squid TCP port is always announced on eth0.
I can mask access to the Squid proxy using the access filter in HTTP Proxy -> Access rules, but I also need to mask the Squid port.

Is there a way to resolve this?
Best Regards
« Last Edit: January 18, 2013, 09:43:13 am by gasp72 »
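An added example, not from this thread or from Zentyal, to illustrate the ordering problem described above: a small Python first-match simulator over constructed `iptables -S INPUT` lines (the interface name, addresses and rule layout are assumptions) that reports which rule decides a packet to TCP 3128 and flags DENY rules that an earlier, broader ACCEPT makes unreachable.

```python
import ipaddress, re
# Constructed `iptables -S INPUT` sample (not from the thread) modelling the ordering
# the poster suspects: a proxy-module ACCEPT for 3128 sits ahead of the firewall DENY.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth0 -s 192.0.2.50/32 -p tcp -m tcp --dport 3128 -j DROP
"""
# Only the match options used above are understood (an assumption of this example).
RULE_RE = re.compile(r"^-A INPUT(?: -i (\S+))?(?: -s (\S+))?(?: -p (\S+))?"
                     r"(?: -m \S+)?(?: --dport (\d+))? -j (\S+)$")

def parse_rules(text):
    """Return (chain policy, ordered rule dicts) from iptables -S style lines."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[-1]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        iface, src, proto, dport, target = m.groups()
        rules.append({"iface": iface, "src": ipaddress.ip_network(src) if src else None,
                      "proto": proto, "dport": int(dport) if dport else None, "target": target})
    return policy, rules

def matches(rule, iface, src, proto, dport):
    """Does one rule match a packet with these attributes?"""
    return (rule["iface"] in (None, iface) and rule["proto"] in (None, proto)
            and rule["dport"] in (None, dport)
            and (rule["src"] is None or ipaddress.ip_address(src) in rule["src"]))

def verdict(text, iface, src, proto, dport):
    """First match wins, as in netfilter: returns (target, index of deciding rule or None)."""
    policy, rules = parse_rules(text)
    for i, rule in enumerate(rules):
        if matches(rule, iface, src, proto, dport):
            return rule["target"], i
    return policy, None

def shadowed_drops(text):
    """Indices of DROP/REJECT rules that an earlier, broader ACCEPT makes unreachable."""
    _, rules = parse_rules(text)
    def covers(a, r):  # every packet r would match, a has already accepted
        return (all(a[k] in (None, r[k]) for k in ("iface", "proto", "dport"))
                and (a["src"] is None or (r["src"] is not None and r["src"].subnet_of(a["src"]))))
    return [j for j, r in enumerate(rules) if r["target"] in ("DROP", "REJECT")
            and any(a["target"] == "ACCEPT" and covers(a, r) for a in rules[:j])]
```

Running `verdict(SAMPLE_RULES, "eth0", "192.0.2.50", "tcp", 3128)` returns the ACCEPT at index 0, which is exactly why the later DENY never fires; swapping the two rules makes the DENY decide.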

gasp72

Re: Squid TCP port always on, firewall can't mask it !
« Reply #1 on: January 23, 2013, 01:58:34 pm »
Can no one help me?

Sam Graf

Re: Squid TCP port always on, firewall can't mask it !
« Reply #2 on: January 23, 2013, 02:27:48 pm »
It's possible that those of us who have read your post are not clear on what you're trying to achieve. It makes sense for a desktop computer to be in "stealth mode," less so for a server, since presumably the goal is to make services available to the network.

Blocking a port at the firewall essentially disables access to a service, I think. So, for example, if I didn't want a server port exposed on the internal network, I wouldn't run that service. Outside LDAP, which the firewall does protect, I have no experience running a service that I then block. :-[

That said, if you're setting the rule in the right place (network to Zentyal) and Zentyal is ignoring it, I would be inclined to file a bug report and let the developers comment on the design choice. Assuming that the behavior is intentional (or necessary).

gasp72

Re: Squid TCP port always on, firewall can't mask it !
« Reply #3 on: January 27, 2013, 07:34:48 am »
Ok, I'm trying to explain better.
If I enable the Squid HTTP server it is normal that the TCP port is open on the network, but if I don't want to show my SQUID port to the whole network I need to use the firewall and DENY the undesired IP addresses.
If I set a correct rule in Packet Filter ▸ Internal networks to Zentyal, specify an IP address and DENY the SQUID (3128) TCP port, that IP address still always sees port 3128. And I don't want it! I'm expecting the Firewall module to filter this scan.