Thank you Bill, I will try it over the weekend.

I fixed the problem noted here in this package (was brought to my attention by a support customer), so the above manual edit is no longer necessary.

No, I want to bypass Squid entirely for certain trusted sites, ie banking and Microsoft.  Also have to bypass SSL filtering for email and IM so the client will connect properly.  Otherwise you the user/app gets a cert error (since it's MIM SSL).

After researching this a bit more I see it's not possible on the Squid/Squidguard side.  Squid is capturing the initial Connect of the SSL session and therefore can't bypass it.  It must be done at the firewall redirect level.

Any chance a more robust alias option is in the works?  Something that could pull categories for bypass like Squidguard does to block?  Have no idea what loading 100k entries into a firewall rule does…

Thoughts?

Everything looks fine after the deletion.
Will try to re-install ntop and see.

Is it OK to choose all the interfaces during the configuration?

So you went away from this.  How did you configure the bridge? Any details?  This is new to me. Thanks.

Well it was pretty easy - I had to check "Do not use the DNS Forwarder as a DNS server for the firewall" on the General Setup page.  Restarted Squid and with just the ? at the end of the redirect URL it works fine.

Hola Bellera , tengo todo igual que en las capturas que me indicas y no me registra en los logs

Fixed it myself by adding a new list in pfBlocker like this:

Create a new list in pfBlocker with the exact same name as the orphan table (see under Diagnostics -> Table).
Filled in an existing url and 1 hour update, deny inbound
Waited until the table was full in Diagnostics -> Tables
Went back to pfBlocker
Selected the newly created list and selected "Disabled"
Checked in Diagnostics -> Tables (table has been deleted!)
Finally deleted the list in pfBlocker.
And now the orphaned table is gone!  ;D

In theory, Dansguardian is capable of doing what you suggest. There is an option in the group settings to enable it. From what I could find on the forums, this feature is not working on Dansguardian. Marcelloc would know for sure. It is working with squid3-dev, so you can do basic blocking and caching with that.

With haproxy you should be able to put the lines below in a 'advanced' section:

I think that will take care of the rewriting.. However i think the rewriting of the host is actually not a nice thing to do, i think its better to configure a virtual directory which checks the proper domain name on the webserver.

Also read about this in the manual: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-reqrep

Hi nublaii,

That haproxy doesnt 'respond' to service-stop service-start requests seems to be 'by design'.. This because the restarting of haproxy is not a combination of 'stop' and 'start', but haproxy does a pretty much seamless restart while transferring persistence information and finishing old connections through the old process.

However when you apply a new good configuration the process should restart with a new PID.
Could try and see if you use the haproxy-devel package you get that same behavior?

I've done quite a bit of modifications to that -devel package, also in the startup / config-checking. It can be if you configured something 'wrong' that haproxy doesnt start a new process and keeps the old one running..

If you've got the same problems there maybe i can help getting it diagnosed /fixed.

Greets PiBa-NL

Thank you Jim and Bill.

@mallison01:

ok sounds good, thanks.

if you need some one to test your new code id be interested.

Thank for the offer, but I was able to test the fix in my VMware environment.  The fix for auto-log rotation is ready and should be posted in a few days.  I found several issues in that old code.  Thank you for pointing out the problem.  I'm glad I looked… :)

Bill

Thanks for reply.

I think I found what was the problem.

While making lists and groups I was saving lists and groups individually, but did not use "global" Save button.

Seems like it's working now.

All the best.

Well whether the problem I had was real or not. I happened to try out binding to the Lan (instead of wan) for my snort interface. And I had the results I expected with blocked ip's staying blocked. I set it to "both" for direction. That seemed to fix it.

Only problem is snort cannot perform a portscan from this side of the network (lan). So I created two with this one on wan as a  rule-less snort interface (with portscan enabled). Which seemed to work. But annoying to see it warn me about no rules on the interface. And I probably have redundant preprocessing now.

So not sure why I had the problem originally, but there is a solution in case anybody has had problems.

Hopefully one day snort for pfsense will create the block list as a simple "Alias" table. Then snort2C wont be needed. And if Snort could be part of the rules chain order. (instead of first) Then the Whitelist inside of snort won't be needed either. Along with speeding it up since it will not process ip's destined to be blocked by the rule chain ahead of it. including ip's it has previously blocked.

go to -=> Proxy server: General settings - Bypass proxy for these source IPs - insert you ip (192.168.0.x