    Squid gone now what

General pfSense Questions
michmoor LAYER 8 Rebel Alliance

Hello everyone,
Just curious as to what everyone's alternative application or way of doing things will be now that Squid is deprecated within pfSense.
I think it's a great thing and was a great learning opportunity when I was starting out trying to understand this whole MITM thing. Fun rabbit hole I went down.

So what's the best way of doing content inspection now? How do we now do selective control of website access for users?

Overall, really good thing this is happening, just sad to see one of my favorite projects die 😞

Firewall: NetGate, Palo Alto-VM, Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP, CCNP Enterprise
SteveITS Galactic Empire @michmoor

@michmoor Huh, don't use it so hadn't seen that message.

This may not be what you're looking for but in the spirit of brainstorming, some options might be:

• endpoint security via HTTPS inspection or URL blocking (we use Bitdefender for our MSP clients)
• DNS based blocking (various services on endpoints, or pfBlockerNG, or "anti-malware" or "family friendly" DNS, or DNS overrides, and block DoH/DoT)
• for kids, parental controls (e.g. Edge on Windows, iOS)

Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!
michmoor LAYER 8 Rebel Alliance @SteveITS

@SteveITS
Yep.
For the majority of our clients we use Sophos endpoint.
I was thinking more for home lab/personal use. pfSense Squid was great as it acted on the whole network instead of on an individual machine basis.
My only problem with DNS Blocklist is hunting for a good blocklist and applying it on a per user/VLAN basis.

But yeah, this post is more for brainstorming. I'm all open for ideas. Squid was really flexible when I needed something done for a specific group of users.
stephenw10 Netgate Administrator

Mmm, DNS blocking has worked well for me for some years now. Squid has almost always been more trouble than it's worth IMO.
SteveITS Galactic Empire @michmoor

@michmoor You could probably NAT some clients to specific DNS servers. Like this but out to Quad9 or whatever, or vice versa:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
michmoor LAYER 8 Rebel Alliance @stephenw10

@stephenw10 said in Squid gone now what:

DNS blocking has worked well for me for some years now.

What's your strategy for doing per-user or per-VLAN DNS blocking? A common scenario I see on Reddit is people who want to do filtering on a Kids_VLAN.

@SteveITS said in Squid gone now what:

You could probably NAT some clients to specific DNS servers

That's actually a really good idea Steve, I can't believe I didn't think about it. Certain devices could get redirected to a DNS server of my choice..... Huh.. why am I now thinking of interesting possibilities here? hehe
michmoor LAYER 8 Rebel Alliance @stephenw10

@stephenw10 said in Squid gone now what:

Squid has almost always been more trouble than it's worth IMO.

You're not a fan of websites that stopped working and browser updates breaking proxy configs? Those were fun.
I shall miss them.....
JonathanLee

Maybe run OPNsense on your equipment; that way you get proxy use back. That firewall has HTTPS web proxy software, plus it's a fork of pfSense. QUIC https3 DoH, DNS based filtering has a number of issues also.

Or have an external proxy server that runs Squid still; Squid's next update is in 2025.

Make sure to upvote
stephenw10 Netgate Administrator

Though they are also running Squid and even the latest version still has known security issues.
michmoor LAYER 8 Rebel Alliance @stephenw10

@stephenw10
Correct on this. There is nowhere to run, metaphorically speaking. I'd imagine the OPNsense dev team will make the choice to drop the package as well.
Enterprise security vendors, I'd imagine, also run some version of Squid, but they are a black box and highly customized so they may not have the same concerns.
That being the case, if you really want some forward proxy in your setup you have to look at proprietary security vendor appliances, but those have a much higher TCO.
mcury @michmoor

As I see it, pfBlockerNG is almost there.
You can block everything you want; what is lacking for me is the possibility to have different policies for different groups.

It would be nice to see an implementation where you could associate users' IP addresses with different block lists/groups.

That would be perfect, but I don't know if that is feasible taking into consideration the coding behind it.

dead on arrival, nowhere to be found.
JonathanLee

I purchased my SG-2100 to learn about proxy use with SSL intercept and certificates. It took forever, from 2019 on, to get it to work correctly. I actually paid for this with US dollars. Unreal, it was advertised as a fictional item, had so many issues. I have the air let out of my tires right now. I paid for this. Unreal. Some users downloaded this stuff for free; I am a paid user that had all these issues from the get go, and now the packages are deprecated after it started working correctly. It's sad. DNS versions don't work; they bypass the DNS with DoH or https3 DNS. It has many issues too.

Just frustrated.
It's alright, it was for educational purposes. And I learned a lot about proxies. Thank you for all you do.

Make sure to upvote
michmoor LAYER 8 Rebel Alliance @JonathanLee

@JonathanLee
I understand your frustration completely.
I would've preferred a drop-in replacement if available.
It's still being advertised, weirdly enough - https://www.netgate.com/pfsense-plus-applications/content-filtering

This effectively removes the ability to provide any per-user filtering on the platform null. If you really need it (and there are plenty of valid reasons to need it) you will need to explore other vendors.
michmoor LAYER 8 Rebel Alliance @michmoor

Good feedback here:
https://forum.opnsense.org/index.php?topic=36914.msg180743#msg180743

IMO, this is a better way of handling the Squid vuln issue. Still make it available but provide clear and proper warning during install.
There are still many valid use cases for Squid when running a network. How do I know? Because it's still being advertised on Netgate's site - https://www.netgate.com/pfsense-plus-applications/content-filtering

So all the reasons listed on the website are all the reasons Squid should be made available in the repo.
Just provide proper notice when installing it and also issue a warning banner similar to what the ISC to KEA warning banner is doing.
stephenw10 Netgate Administrator @mcury

@mcury Yes. That should be possible using views in Unbound 🤔 Though I'm not sure what implications that might have for memory use etc.
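A sketch of the Unbound views approach mcury asked about and stephenw10 pointed to, added here as an example and not taken from any post or from pfSense itself. The netblocks, view names and blocked domains are assumed placeholders; on pfSense this kind of fragment is pasted into the DNS Resolver custom options box.

```conf
# Added example (not from the thread): per-VLAN DNS policy with Unbound views.
# Netblocks, view names and blocked domains are assumed placeholders.
server:
    # Map each client netblock to a named view. The client must also be
    # allowed by a normal access-control: line (pfSense generates those
    # for its local interfaces), otherwise the query is refused.
    access-control-view: 192.168.20.0/24 kids
    access-control-view: 192.168.30.0/24 guests

view:
    name: "kids"
    # Answer from this view first, then fall back to the global
    # local-zone/local-data entries (host overrides, pfBlockerNG lists).
    view-first: yes
    # always_nxdomain returns NXDOMAIN for the name and every subdomain.
    local-zone: "blocked-example.test." always_nxdomain
    local-zone: "another-blocked.test." always_nxdomain

view:
    name: "guests"
    view-first: yes
    # A smaller policy for the guest VLAN; other VLANs get no view at all
    # and see only the global configuration.
    local-zone: "another-blocked.test." always_nxdomain
```

Check the result with `unbound-checkconf` before reloading, and remember the policy only holds if those VLANs cannot reach other resolvers, so pair it with the DNS redirect recipe and the DoH/DoT blocking mentioned earlier in the thread.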
JonathanLee @michmoor

@michmoor YES!!! Clear warning to end users and still have available PLEASE!!!!
SteveITS Galactic Empire @JonathanLee

@JonathanLee said in Squid gone now what:

DNS versions don't work, they bypass the DNS with DoH or https3 dns

Long/detailed doc on how to block those:
https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf
from:
https://jpgpi250.github.io/piholemanual/
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.