After playing with it some more, I determined that the only extra rules I need are:

    always_direct deny all
    never_direct allow all

After doing this, when the upstream M86 / R3000 content filter proxy blocks access to a site, trying to get to it through squid using https just results in a blank page in Firefox, or "can't display the webpage" for IE, which is what I am expecting.

All pfSense firewall rules can be removed other than a single one: LAN block any address/port to any WAN address/port. This rule blocks all direct Internet access by clients, but does not prevent squid itself on pfSense from being able to access the external parent proxy on the WAN side.

It must have both always_direct and never_direct in there. With only the "never_direct allow all" and not "always_direct deny all", the local squid still retrieves content directly if the upstream content filtering parent deliberately "misses/denies" 10 retrieval attempts in a row.

(For googlers of this issue, the actual spelling in the log files is "temporary", not "temporarily" .... which looks like a spelling error to me.)

    "Temporary disabling (Not Found) digest from"
    "Temporary disabling (...) digest"
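The check described in the post above, as an added example that is not part of the original post: a small Python audit that reports which of the two rules is missing from a squid.conf and pulls the digest-disabling messages out of cache.log lines. The cache_peer address, the log timestamp layout and all sample input are constructed assumptions, and the function names are hypothetical.

```python
import re

# Log text quoted in the post; matched case-insensitively.
DIGEST_RE = re.compile(
    r"temporary disabling \((?P<reason>[^)]*)\) digest from\s*(?P<peer>\S*)", re.I
)

# The two rules the post says must both be present.
REQUIRED = {("always_direct", "deny", "all"), ("never_direct", "allow", "all")}


def directives(conf_text):
    """Return squid.conf directives as token tuples, skipping comments and blanks."""
    out = []
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            out.append(tuple(tokens))
    return out


def missing_rules(conf_text):
    """Rules from the post that are absent from the config, sorted."""
    present = set(directives(conf_text))
    return sorted(" ".join(rule) for rule in REQUIRED - present)


def digest_events(log_lines):
    """(reason, peer) for each digest-disabling message found in cache.log lines."""
    return [(m["reason"], m["peer"])
            for line in log_lines if (m := DIGEST_RE.search(line))]


# Constructed sample input (not taken from the post).
PARTIAL_CONF = """
cache_peer 192.0.2.10 parent 8080 0   # hypothetical parent proxy
never_direct allow all
"""
FULL_CONF = PARTIAL_CONF + "always_direct deny all\n"
SAMPLE_LOG = [
    "2013/05/01 10:00:00| Temporary disabling (Not Found) digest from 192.0.2.10",
    "2013/05/01 10:00:05| Starting new request",
]

if __name__ == "__main__":
    print("partial config is missing:", missing_rules(PARTIAL_CONF))
    print("full config is missing:", missing_rules(FULL_CONF))
    print("digest events:", digest_events(SAMPLE_LOG))
```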