Netgate Discussion Forum

    Layer7

    2.0-RC Snapshot Feedback and Problems - RETIRED
    48 Posts 8 Posters 19.0k Views
      clarknova

      @Steve:

      Nice, thanks, but would you know of any decent "tutorials" on how to work with squid? Or should I stick to what's available on their site?

      You might try this one. It's not really in-depth, as I recall, and he's running it on Linux rather than pfsense, but it's the only thing I know of off hand.

      http://www.anandtech.com/show/3715/family-proxy

      db


        jimp Rebel Alliance Developer Netgate

        @Steve:

        Nice, thanks, but would you know of any decent "tutorials" on how to work with squid? Or should I stick to what's available on their site?

        There is a lot of info here on the forum, and also on the doc wiki:
        http://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy
        http://doc.pfsense.org/index.php/SquidGuard_package

        But they don't cover doing what you are asking originally.

        @Steve:

        Also, a question that is begging to be answered now is whether anyone knows if PFsense 2.0 is coming out with an answer to my predicament in its release build?

        What you want to do, route traffic based on hostname, is best accomplished by a lightweight reverse proxy of some kind, not necessarily squid. There are packages for haproxy, mod_security, and varnish, I believe they can all do this.

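As an added example (not code from jimp's post or from the pfSense haproxy package), here is a minimal HAProxy configuration that does the hostname-based routing described above. The hostnames and backend addresses are constructed placeholders; note that requests whose Host header matches no rule are denied rather than handed to a default backend, so unexpected hostnames are never forwarded to an internal server.

```haproxy
# Added example, not from the thread: route HTTP requests to different
# internal servers based on the Host header. All names/addresses below are
# constructed placeholders (example.test, 192.0.2.0/24 documentation range).
global
    log /dev/log local0
    maxconn 2000

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Match the Host header case-insensitively against each public hostname
    acl host_www  hdr(host) -i www.example.test
    acl host_mail hdr(host) -i webmail.example.test
    use_backend srv_www  if host_www
    use_backend srv_mail if host_mail
    # No default_backend: anything that matched no known hostname is denied
    # (HTTP 403) instead of being forwarded to an internal server
    http-request deny

backend srv_www
    server www1 192.0.2.10:80 check

backend srv_mail
    server mail1 192.0.2.20:80 check
```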
          Supermule Banned

          Layer7 is the application layer... not only for routing, but for defending against unwanted traffic and hacking... That is why it is so effective!


            eri--

            That is why it is so effective!

            I do not agree with you but hey anybody buys what fits him.


              Supermule Banned

              That was a very informative post…:(

              Could you give examples of WHY NOT?

              @ermal:

              That is why it is so effective!

              I do not agree with you but hey anybody buys what fits him.


                Steve Mustafa

                @Steve:

                Also, a question that is begging to be answered now is whether anyone knows if PFsense 2.0 is coming out with an answer to my predicament in its release build?

                What you want to do, route traffic based on hostname, is best accomplished by a lightweight reverse proxy of some kind, not necessarily squid. There are packages for haproxy, mod_security, and varnish, I believe they can all do this.

                Which in a roundabout way says that PFsense will not be implementing something like this, right? ;)

                Well, I've decided to take a second swing at squid since I don't want to mess up the system by installing something else from the command line. Call me a scaredy-cat.

                Off topic:
                Excellent job on the guide. It's sitting right in front of me on the desk :)


                  Supermule Banned

                  True L7 is what could make pFSense into a full blown firewall…..


                    Steve Mustafa

                    Here's hoping because I really hate ISA.


                      Supermule Banned

                      ISA is one of the best security gateways around. But it's a pain to set up and master... because it is so advanced. But if you have set it up correctly, you would eliminate MSN bots, spyware and viruses coming in via the application layer... because it goes through the packet coming in, instead of just routing it. PF acts as a frontend for me, with several ISAs running behind handling different sorts of traffic. Web is one ISA, mail is another... asf. Very effective and it minimizes the attack surface and downtime.


                        Steve Mustafa

                        No arguing how good ISA is, I just hate it.


                          Supermule Banned

                          I know what you mean :o


                            Steve Mustafa

                            OK, I'm back [cue ta da].

                            I've been bashing my head on this for too long.

                            I've set up ISA, now how the heck does it get configured as a reverse proxy without being a firewall? Also, how the heck do I forward queries from PFsense to ISA for all traffic coming in from the WAN?

                            I thank you for putting up with me!


                              Supermule Banned

                              You just NAT to the WAN interface of ISA from the LAN side of pfsense...

                              Regarding the reverse proxy... let it use the firewall capability of ISA to handle L7 traffic to and from the reverse proxy. Thereby you don't get any unwanted traffic into the servers.


                                Steve Mustafa

                                So the network would end up like so:

                                                                 LAN
                                WAN ------- PFsense -------- ISA ------- Subnet

                                But in this case, how am I supposed to route to the DMZ? My network is like so:

                                            Subnet
                                               |
                                               | (Wireless)
                                               |
                                               |                 LAN
                                WAN ------- PFsense -------- ISA ------- Subnet
                                               |
                                               | DMZ
                                               |
                                            Subnet


                                  Supermule Banned

                                  Give ISA an extra interface called DMZ and route the traffic through ISA instead. :)


                                    Steve Mustafa

                                    I really hate ISA…


                                      Supermule Banned

                                      I did too... until I got to know it. It is difficult, but a fantastic tool!

                                      PFSense would be a firewall to be deployed in many a company, if they got L7 implemented in an intuitive way.


                                        Steve Mustafa

                                        Well, yeah, though I'd say "L7 implemented".

                                        It got me thinking, because I've seen quite a number of posts about this issue on the forums, it might be worthwhile writing an app that does L7 routing/reverse proxy for PFsense when I finish the current contract and have some free time on my hands.

                                        Or perhaps a packaging of Pound.


                                          Steve Mustafa

                                          On another note, doesn't PFsense use Lighttpd? Couldn't we use that as a reverse proxy? I'm certain we'd need to move the web configurator to another port, but wouldn't it work?

                                          Also, since portsnap is not installed in pfsense, how can you install something like nginx? I could use that or pound or whatever.

                                          The reason I ask is because I don't think I can re-set up my network with ISA on its own station or VM; the servers are hard pressed for resources. If I absolutely must, then I think I can have a lightweight *nix VM with nginx for that, but if I can do it on the PFsense box, then that would be ideal.


                                            Supermule Banned

                                            I run the ISA in a VMware load-balanced cluster with DRS and HA. Works flawlessly and currently using 124 MHz of CPU and 760 MB RAM...

                                            So it is not hard on resources.
