On Fri 05 Jun 2015 13:44:05 NZST +1200, C. Falconer wrote:

> Have you considered moving squid to the pfsense box, which satisfies
> a suggested workaround "ensure that NAT is performed on the same box
> as Squid"

[Late, sorry]

I have been playing around with that, for the purpose of *outgoing*
filtering (squidguard). It basically works out of the box, captive on
http but not https.

You'll want squid 3.4+ for https filtering. As everything is becoming
https, this is going to be the new normal. You don't need to break the
SSL connection by setting squid up as a MITM (although it is capable of
doing that, pfsense even has it in its BUI); you can set squidguard on
the CONNECT host name. Only the host name though: squidguard URLs are
ignored / don't match on https then.

Ensure you use the latest pfsense, all others are insecure.

Squid and squidguard on pfsense are trivial to get going. Unfortunately
the BUI for both is IMHO fairly bad. You may hack into the pfsense php
(easy) for config tuning. I am not at all impressed that pfsense
switches to "allow all" when squid or squidguard go down (not so
difficult with bad configs)!

Also, running a service like squid on your firewall is not really the
done thing. It does run on a PCEngines APU board nicely, but be wary of
SSDs for the squid cache...

Squid is also active for the wifi AP connected to the pfsense box
externally.

HTH,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/      Please do not CC list postings to me.
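To make the "only the host name" point above concrete, here is an added example (not from the post, not pfsense or squidguard code) that replays constructed Squid access.log lines through a hostname blocklist and a URL-path blocklist. A CONNECT request from an https client only carries `host:port`, so a squidguard-style domain rule (assumed here to match the domain and any subdomain, as a squidguard `domainlist` does) can still fire on it, while a rule that needs the URL path never sees anything to match on https. The log lines, hosts and list contents are all constructed.

```python
"""Why a hostname blocklist covers both http and https through Squid,
while a URL/path rule only ever matches plain http.

Constructed sample lines in Squid's native access.log layout:
  ts elapsed client action/code bytes method url ident hierarchy/peer type
"""
from urllib.parse import urlsplit

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
1433468645.123    210 192.168.1.20 TCP_TUNNEL/200 5120 CONNECT tracker.example.net:443 - HIER_DIRECT/203.0.113.10 -
1433468650.456    120 192.168.1.20 TCP_MISS/200 3456 GET http://www.example.com/ads/banner.js - HIER_DIRECT/93.184.216.34 application/javascript
1433468655.789     95 192.168.1.21 TCP_TUNNEL/200 8192 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1433468660.012     40 192.168.1.21 TCP_MISS/200 1024 GET http://news.example.org/index.html - HIER_DIRECT/198.51.100.5 text/html
1433468665.345     60 192.168.1.22 TCP_TUNNEL/200 2048 CONNECT cdn.tracker.example.net:443 - HIER_DIRECT/203.0.113.11 -
"""

# Constructed lists, standing in for a squidguard domainlist and urllist.
BLOCKED_DOMAINS = {"tracker.example.net"}
BLOCKED_URL_PATHS = ("/ads/",)


def parse_request(line):
    """Return method, host and path. For CONNECT the proxy only ever sees
    host:port, so the path is None: there is nothing for a URL rule to match."""
    fields = line.split()
    method, target = fields[5], fields[6]
    if method == "CONNECT":
        host, _, _port = target.rpartition(":")
        return {"method": method, "host": host.lower(), "path": None}
    parts = urlsplit(target)
    return {"method": method, "host": (parts.hostname or "").lower(), "path": parts.path}


def domain_blocked(host):
    """Domain-list semantics assumed here: an entry matches the host itself
    and any subdomain of it (cdn.tracker.example.net hits tracker.example.net)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def url_blocked(path):
    """URL-path rule: cannot fire when the request carried no path (https CONNECT)."""
    if path is None:
        return False
    return any(fragment in path for fragment in BLOCKED_URL_PATHS)


def classify(log_text):
    """One tuple per request: (method, host, hit_by_domain_rule, hit_by_url_rule)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_request(line)
        results.append((req["method"], req["host"],
                        domain_blocked(req["host"]), url_blocked(req["path"])))
    return results


if __name__ == "__main__":
    for method, host, by_domain, by_url in classify(SAMPLE_LOG):
        print(f"{method:8} {host:28} domain_rule={by_domain!s:5} url_rule={by_url}")
```

Running it shows the second line (a plain http fetch of `/ads/banner.js`) caught by the path rule, while the https CONNECT to `www.example.com` for what may be the same content passes both lists; only the hostname-level entries catch the https requests. That is the trade-off the post describes when filtering https without SSL bumping: what you lose is path granularity, not the ability to block a host.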