Squid V6.10
-
From what I can see, pfSense hasn't had any Squid packages since 6.3 in the "Available Packages" list. I completely understand the reasoning for that, I'm not by any means questioning why it hasn't been updated, especially after reading about all the vulnerabilities within the package. That said, I've been keeping an eye on Squid, their recent update from July 10th, 2024 shows the last vulnerability having been patched.
I understand that certainly has been a long time to resolve these vulnerabilities, but as mentioned in an article, there was a daunting task set before a significantly under staffed volunteer based project. Even though the article suggested the US National Security Agency (whoever they are) had "issued a paper on open source software in operational environments and urged vendor support – both financial and otherwise – for open source software development and maintenance"
Now, I wouldn't necessarily consider Squid to be a major requirement for a "good firewall" but in a household of gamers, both PC and Console, the concept of caching game updates, new games, and windows updates feels more and more like a feature of gold to me and the rest of the house. I'm hugely against any vulnerabilities, so with there being such a long list of vulnerabilities in the currently available package in the package manager with Squid 6.3, I'm not inclined to add it.
I do hope that with Squid 6.10 that netgate will reevaluate the decision, and update the package accordingly, or... to be fair I honestly do not know how the system works. I built my pfSense router/firewall, so I'm outside of the two major distributions that are mentioned in the articles about netgate removing Squid based on it's security vulnerabilities, but it appears to me that they also stopped updating the package in the available packages list. Still showing the package: "squid 0.4.46 dependencies: squidclamav-7.2 squid_radius_auth-1.10 squid-6.3 c-icap-modules-0.5.5_1 " while upon inspection most of these dependencies have been updated.
I know that I could technically manually add these packages through the console, but while I do have experience with terminal commands, in this situation I'm going to be almost dependent on tutorials and help videos. I am not willing to make a mistake and risk the network status with half a dozen gamers in the house of all ages PLUS my game servers. So yeah, that's not happening which is why I'm here now posting this.
I wish to see Squid updated, idk how that is achieved, whether netgate updates it or if the folks behind Squid have to update it. While the history of the vulnerabilities is still fresh in our memories, they are in the past now and hopefully we can move forward with this amazing feature.
TL;DR: Squid 6.10 has resolved the last of the vulnerabilities and I wish to see it updated.
Update: My version of pfSense is 2.7.2-RELEASE (amd64) if that even matters idk.
-
Update:
I have recently had an interaction that shows people are under the impression that "Deprecate" means that something will never be allowed back. This is a misuse of the word, Deprecate means something is disapproved of, and in the case of Netgate they "Disapproved of the use of Squid" due to the vast amount of vulnerabilities. That said, with all vulnerabilities patched and the correct usage of "Deprecate" I look forward to seeing V6.10 or newer of Squid becoming available again.OTHERWISE: The article needs to be updated with laymen terms or the correct words used. Where if the word intended was "Discontinued" that would be it, there would be no hope of a return, and there wouldn't be so many people waiting for the return of an approved version.
-
You said
squid 0.4.46 dependencies: squidclamav-7.2 squid_radius_auth-1.10 squid-6.3 c-icap-modules-0.5.5_1 " while upon inspection most of these dependencies have been updated.
Notice in this “squid-6.3” ??? PfSense has updated it. I am running Squid 6.6 even.
You’re looking at the php package 0.4.46 and not the dependencies. That already includes squid base 6.3 in your system. It’s fixed.
The 6.6 and version 7 (7 in development right now) in these versions the status page access has changed that is the only small bug. It’s more of a php insert updated url here type fix.I got to tell you I purchased my official Netgate appliance just for the proxy use with Squid.
-
@JonathanLee I built my pfSense box, it's fairly overkill for just about anything this house can throw at it, but does CE not get that version of Squid then?
My sincere apologies, your explanation is detailed, I just don't understand the details, or what you mean by Version 7. Is there somewhere I can perhaps force update my available packages list? or is that a premium feature only?!
Image clipped from my Package Manager > Available Packages for context:
-
Squid version 7 is still in development it’s not available to anyone. I only know by way of email list from Squid. You can enroll in them also if you want.
-
@JonathanLee I understand, but how did you get Squid 6.6? What I'm being told by a few on Reddit is that Netgate has not touched anything to do with Squid since November 2023, even though the github shows otherwise. That said my available packages still shows it as 6.3 even though the latest is 6.10, and you say you have 6.6 which only further confuses me.
Why can't it be simple cut and dry.
Negate: "We won't use this anymore, moving forward"
Me: "So then remove it and stop updating it?"
For someone to be so huge you'd think removing a package from a list would be trivial.All that aside, please tell me how you managed to get Squid 6.6 from Netgate?
-
@Nafryti have you looked at https://forum.netgate.com/post/1144255
-
@Nafryti I have to be honest I don’t want them to remove it, just leave it, it’s already been updated to fix security issues. So no reason to remove it. Squid 6.6 I have pfSense Plus, do you have that? If not I also do developer snapshots sometimes so that may also be the reason.
-
@Patch mine is directly from pfSense official freeBSD repo. I could never install the other version because I have an ARM processor
-
@JonathanLee I built my own setup, using Community Edition.
It won't let me pick anything other than "Current Stable Release (2.7.2)" in System/Update/Update System > Branch.@Patch I don't have those in the "Available Packages" list.
-
@Nafryti did you run the fetch command in the post I linked above first.
-
@Patch OH... ok, I'll give that a shot on Skunkworks and if all goes well I'll deploy it on the primary.
-
UPDATE 08/29/24:
My HyperV instance of pfSense nicknamed "Skunkworks" has stopped connecting to the internet and I have no idea why, for all intents and purposes, there should be a completely unobstructed pathway from the Modem to the VM, and yet, it just can't see the netgate update server anymore. I haven't messed with any settings since my last post and was finally going to buckle down and give this a shot and it decided it had enough of me. I'm grateful the Primary isn't screwed up any, going without internet is entirely unacceptable. Seeing how the network usage is far more than any OTC box router can handle, but not quite Enterprise grade, I'll touch back on this with a fresh installation of Skunkworks, and well after my anxiety settles down.@Patch said in Squid V6.10:
@Nafryti did you run the fetch command in the post I linked above first.
I'm assuming you either did that in the terminal access or using the Package that allows you to enter commands from the WebUI? I suppose Telnet is an option too, but that'd be at the outer extents of my ability level. Last time I tinkered with Telnet was to reprogram an old Dell Managed Switch I was playing around with, and that took some nightmarish re-wiring of a serial COM cable, still have the cable too.
-
@Nafryti said in Squid V6.10:
I'm assuming you either did that in the terminal access or using the Package that allows you to enter commands from the WebUI?
Any of
- HyperV terminal
- pfsense -> Diagnostics -> Command prompt -> command
- ssh terminal
-
@JonathanLee aren't you running the non-pfsense maintained version from @lg1980
https://forum.netgate.com/topic/186331/new-squid-6-7-and-clamav-1-3-0/7
-
@FoolCoconut No. I have an Advanced ARM processor. You remember Cirix processors?
-
Dang, the updated one fixed all the security issues but the GUI has some small issues
-
Well, I have a lot to do and sort out sometime soon, and I've been procrastinating for far too long. I still have not been able to get a new Skunkworks loaded yet, I've got to reorganize components, and then I'll be able to finally start testing again.
My wish for 6.10 to finally be reevaluated by NG hasn't changed, I haven't looked, but I know from experience how stubborn some devs can be over things.
There was and imho still is a demand for such a caching service, not everyone has a completely separate machine to cache downloads to, but when you DIY a router, with a 1TB HDD and run the OS on the RAM, then you honestly have the freedom to setup something like that, but only if there isn't any complacency.
-
Now that the Vulnerabilities are fixed Upstream, I see no reason why this Package is still deprecated. I would love to deploy it for my Customers but can't reasonably do so :(
-
@ICS_DOS Outside of the vulns found and/or fixed there is still the fact that there is no maintainer for Squid for pfsense. There is a lot wrong with the package and unless someone steps up and volunteers their time to fix all the glaring problems i see no reason why netgate would still have this package in the repo.
