Squid gone now what
-
Maybe run OPNsense on your equipment; that way you get proxy use back. That firewall has HTTPS web proxy software, plus it's a fork of pfSense. QUIC, HTTP/3 and DoH, DNS-based filtering has a number of issues also.
Or have an external proxy server that runs Squid still; Squid's next update is in 2025.
-
Though they are also running Squid and even the latest version still has known security issues.
-
@stephenw10
Correct on this. There is nowhere to run, metaphorically speaking. I'd imagine the OPNsense dev team will make the choice to drop the package as well.
Enterprise security vendors, I'd imagine, also run some version of Squid, but they are a black box and highly customized, so they may not have the same concerns.
That being the case, if you really want some forward proxy in your setup you have to look at proprietary security vendor appliances, but those have a much higher TCO. -
As I see it, pfBlockerNG is almost there.
You can block everything you want; what is lacking for me is the possibility to have different policies for different groups. It would be nice to see an implementation such that you could associate user IP addresses with different block lists/groups.
That would be perfect, but I don't know if that is feasible taking into consideration the coding behind it.
-
I purchased my SG-2100 to learn about proxy use with SSL intercept and certificates. It took forever, from 2019 on, to get it to work correctly. I actually paid for this with US dollars. Unreal, it was advertised as a functional item and had so many issues. I have the air let out of my tires right now. I paid for this. Unreal. Some users downloaded this stuff for free; I am a paid user that had all these issues from the get-go, and now the packages are deprecated after it started working correctly. It's sad. DNS versions don't work; they bypass the DNS with DoH or HTTP/3 DNS. It has many issues too.
Just frustrated.
It's alright, it was for educational purposes. And I learned a lot about proxies. Thank you for all you do. -
@JonathanLee
I understand your frustration completely.
I would've preferred a drop-in replacement if available.
It's still being advertised, weirdly enough - https://www.netgate.com/pfsense-plus-applications/content-filtering
This effectively removes the ability to provide any per-user filtering on the platform null. If you really need it (and there are plenty of valid reasons to need it) you will need to explore other vendors.
-
Good feedback here:
https://forum.opnsense.org/index.php?topic=36914.msg180743#msg180743
IMO, this is a better way of handling the Squid vuln issue. Still make it available but provide clear and proper warning during install.
There are still many valid use cases for Squid when running a network. How do I know? Because it's still being advertised on Netgate's site - https://www.netgate.com/pfsense-plus-applications/content-filtering
So all the reasons listed on the website are all the reasons Squid should be made available in the repo.
Just provide proper notice when installing it and also issue a warning banner similar to what the ISC to KEA warning banner is doing. -
@mcury Yes. That should be possible using views in Unbound.
Though I'm not sure what implications that might have for memory use, etc.
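As an added illustration of the Unbound views idea discussed above (this is not a configuration from any poster, from pfSense or from pfBlockerNG), the fragment below maps two client subnets to two separately filtered views. The subnets, view names and blocked domain names are constructed placeholders; on pfSense the fragment would be pasted into the Unbound "Custom options" box, which is an assumption about where it belongs rather than something stated in the thread.

```conf
# Constructed example: per-group DNS block lists with Unbound views.
# Each client subnet is assigned a view; each view carries its own
# local-zone entries, so the same resolver answers differently per group.
server:
    # Queries are still governed by the normal ACL; the view only adds
    # per-client policy on top of an "allow" entry.
    access-control: 192.168.10.0/24 allow
    access-control: 192.168.20.0/24 allow
    # Hypothetical subnets: 10.x is the "restricted" group, 20.x is "staff".
    access-control-view: 192.168.10.0/24 "restricted"
    access-control-view: 192.168.20.0/24 "staff"

view:
    name: "restricted"
    # view-first: yes falls back to the server-wide local zones (e.g. a
    # global block list) for names this view does not mention itself.
    view-first: yes
    # Placeholder domains; a real deployment would carry a generated list.
    local-zone: "blocked-example-1.test." always_nxdomain
    local-zone: "blocked-example-2.test." always_nxdomain

view:
    name: "staff"
    # Same fallback to the global policy, but no extra per-group blocks.
    view-first: yes
```

Each `local-zone` line adds an entry to that view's own tree, so memory grows with the number of views times the size of their block lists; keeping the shared entries in the server-wide section and only the per-group differences inside each view keeps that overhead small. Note that this only shapes answers from this resolver: a client that reaches DoH or HTTP/3 resolvers directly, as raised earlier in the thread, never asks Unbound at all, so the firewall rules still have to stop that path separately.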
-
@michmoor YES!!! Clear warning to end users and still have it available, PLEASE!!!!
-
@JonathanLee said in Squid gone now what:
DNS versions don't work; they bypass the DNS with DoH or HTTP/3 DNS
Long/detailed doc on how to block those:
https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf
from:
https://jpgpi250.github.io/piholemanual/