Squid future questions

JonathanLee

Hello fellow Netgate community members,

If one wants to continue to use Squid with knowledge of the vulnerabilities is there still a way to do that in the future, or should we stop upgrading our PfSense firewall to continue to have Squid on the system?

I am sad as I purchased this equipment for use with Squid. It seemed to have a lot of issues all along and now it works great, but it's also being depreciated. Again the amount of time I spent working on this was a lot. I am to invested in Squid to give up on it.

periko

@JonathanLee I'm with u budy.

The only way we can block users accesing domains and have a good ACL under Pfsense is Squid.

A lot of people say, use PfblockerNG, I use this great package but still doesn't have all the ACL options Squid+SG has.

I know that is important the security of the base system but this one of the features a lot user search for, how to protect the network from accesing a web site, can I allow this person to that and not this, ect, etc. Only Squid does.

Can I see reports about users surfing the web? Yes Lightsquid.

Can I see the same report from PfblockerNG...No.

Comercial products have some great tools for this, but this is a feature a like most from pfsense I have used for years.

I know that is not in your hands netgate, but u can see that a lo of your base users search for this tool, If pfblockerng can do it great, but I know that is not possible to let me apply all the filters that squid+SG does. I love pfblockerng but is limited.

Hope u have in your plans pfsense(netgate) to add other web proxy for pfsense, is a Unix type and is the best OS to running this type of security tools to protec companies from outside and inside from not abusing this resource, the internet.

A old pfsense users since 1.2...

Bismarck

@periko

There was/is a unofficial addon E2guardian Web filtering, dunno if its still compatible with newer versions of pfSense.

http://e2guardian.org/

https://github.com/marcelloc/Unofficial-pfSense-packages/tree/master/pkg-e2guardian5

Maybe this could be an alternative option for web filtering.

periko

@Bismarck the questions is , does that Unofficial product have vulnerabilities?

I had try e2guardian, but is very slow the support group in my experience.

Don't know is tomorrow netgate will say remove the package because we don't support that package.

Is the only one I see capable to replace Squid, thanks for the input.

slu

@JonathanLee said in Squid future questions:

If one wants to continue to use Squid with knowledge of the vulnerabilities is there still a way to do that in the future, or should we stop upgrading our PfSense firewall to continue to have Squid on the system?

https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software

jimp

You have lots of choices:

• Continue using the old insecure version leaving yourself open to vulnerabilities both known and unknown which will only get worse over time.
• Migrate away from squid entirely to other means of blocking (e.g. pfBlockerNG and/or external utilities like PiHole)
• Setup another system internally with squid that isn't on your firewall to be the proxy and forward/configure traffic to go there before exiting. This could be another dedicated hardware box, a virtual machine, docker container, etc. But it should be something running a more up-to-date/secure proxy than squid if possible. -- Note that while you could use a separate pfSense VM for this, that doesn't address the security problems in squid itself

The proxy setup is mostly automated in pfSense and so on but you can get the same effect with some manual NAT rules configured to use some other proxy elsewhere on your network (ideally in a DMZ).

JonathanLee

@jimp Thanks, I am aculally in the process of migrating to OpenSense for better proxy support. Thinking about it, I am on the fence right now.

"Setup another system internally with squid that isn't on your firewall to be the proxy and forward/configure traffic to go there before exiting. This could be another dedicated hardware box, a virtual machine, docker container, etc. But it should be something running a more up-to-date/secure proxy than squid if possible. -- Note that while you could use a separate pfSense VM for this, that doesn't address the security problems in squid itself"

This is a great Idea I thought of this also, but what kind of hardware would one need? Could it be as simple as a raspberry pi for a small home network?

michmoor

@JonathanLee

lol

not laughing at you..just laughing at the flow of the conversation.

All jokes aside - the OPNsense team may in the long run drop support for Squid. They are still weighing their options based on what ive read in the forums.

JonathanLee

look at pfblockings list of issues also ....

jimp

@JonathanLee said in Squid future questions:

This is a great Idea I thought of this also, but what kind of hardware would one need? Could it be as simple as a raspberry pi for a small home network?

Depending on your upstream link speed, a Pi may be sufficient, but it's hard to say for certain. No matter what you setup it should be running with a decent size SSD, not flash media, which would require extra hardware on a Pi (like an SSD hat or similar).

You can get a cheap mini PC for <200 with an SSD and a decent amount of RAM (8-16GB+), toss a linux distro on there (or something like proxmox) and have more than enough power for a small proxy. That's probably even cheaper than a current gen Pi with an SSD.

michmoor

@jimp
Other than Squid, any other proxies you can recommend? I got spoiled by pfsense and using a GUI to set up squid. No cli is needed.

JonathanLee

@michmoor me too pfSense spoiled me rotten with Squid :)

jimp

@michmoor said in Squid future questions:

@jimp
Other than Squid, any other proxies you can recommend? I got spoiled by pfsense and using a GUI to set up squid. No cli is needed.

I haven't kept up with that space. Forward proxies have been dead/dying for so long I stopped paying attention. I'm not sure anything else open source is near squid in that market. There may be something else out there that's similar or forked and more up-to-date.

periko

@jimp hi, one of the things I love about pfsense is the web filter.
I know that the security is first.
But If a customer request a way to control internet access is a web proxy wit pfsense.
Pfblockerng is a great that but cannot compete vs squid+SG ACL, maybe is possible is hard to setup and mantain, I like pfblockerng and is my 2nd filter.
Now, if I say to my customer, you know, we need to buy 2 boxes, 1 for pfsense and the 2nd for pihole...u know the answer.

Does pfsense have a plan to have web filter different than squid?

Thanks.

JonathanLee

Me I was a student who could never have afforded the ability to purchase the big tech version of Squid to learn proxies and web caches with. After many configuration changes, updates and many posts on the forum to get help from the Netgate community my Squid works and, it works perfectly. I learned alot about Proxy use from this as a student. I hope and please ask that Netgate provide a legacy support option for users that paided for official Netgate hardware. Users like me that already installed and use Squid. Maybe add a clear warning that were on our own. Per Squid's website they update every two years, I am sure you know. So it will be fixed in 2025. Most of the bugs are not on the version Netgate uses also. I really like using it, it just works. Again it's advanced to configure. My family hated me for all the changes from 2019 until today. Every device I installed certificates in my house has a warning on them that a root authority is installed. The devices even warn about it. Side note: We learned about pfSense in class with firewall labs. I have learned much.

JonathanLee

Looks like Squid's website just released version 6.5 on Nov 4th 2023

That was 10 days ago. . .

I am confused as it was said it was not updated in 2 years. . .

Was updated again Nov 6 2023

Also many security issues have been resolved per the GitHub.

I am thinking install it on a raspberry pi 5 8gb and NAT to it from the firewall