 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Jason Crowley <jcrowley at kc dot rr dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Web Proxy Service for m0n0wall
 Date:  Tue, 18 May 2004 17:14:53 +0200
Hi Jason,

On 17.05.2004 17:32 -0500, Jason Crowley wrote:

> I've been working on adding a web proxy service to m0n0wall for
> access control and logging purposes.  This service is an integral

Nice work, congratulations!

> part of many firewall packages, and I think it would be a good
> addition to m0n0wall. I currently have a rough build of the service
> running on version 1.0.  I want to get some feedback from you all,
> especially Manuel.  Do you think this would be a valuable addition
> to the m0n0wall package?  Should I continue to build it as a part
> of m0n0wall or should I attempt to make it a separate loadable
> module?  Of course it would be much easier for me to build it as
> part of m0n0wall.  Thanks!

Make it a module. While I realize that you and many others on the
list think that it's a good thing to have in m0n0wall, I see it
differently. m0n0wall has been designed to be a packet filtering
firewall. I really think that people who need that kind of control
should be using a real, dedicated PC (perhaps with FreeBSD), and not
a stripped-down distribution that is geared towards embedded PCs that
lack the horsepower to do proxying anyway. Those who only want
authentication can use the captive portal (once it supports RADIUS)
as a better (multi-protocol, transparent) solution.

For these reasons I'm not going to include user-level proxying in the
official version of m0n0wall. I hope you'll understand.

Transparent redirection to another proxy host is something I've
wanted to implement for a while, but it's not as easy as it seems
(especially when the redirection doesn't take place on the same
machine as where the proxy software is installed), as you somehow
need to let the proxy know which IP address the connection was
initially directed to, and there doesn't seem to be a standardized
way of doing this.
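As an added illustration of the problem in the last paragraph (my own example code, not from m0n0wall or the proposed proxy): when the redirect happens on the same FreeBSD box, an ipfw fwd rule (assumed deployment) leaves the client's original destination as the accepted socket's local address, so the proxy recovers it with getsockname(); when the redirect is done on another machine, that address is lost in transit and the proxy is left with application-level hints such as the HTTP Host header, which names what the client asked for rather than the IP the firewall saw, and which HTTP/1.0 clients may not send at all.

```python
# Added example (not m0n0wall's or the proposed proxy's code) for the
# transparent-redirect problem: how a proxy learns where the client was
# originally going. The ipfw rule quoted below is an assumed deployment.
import socket
from typing import Optional, Tuple

Addr = Tuple[str, int]

def original_destination(conn: socket.socket) -> Addr:
    """Same-host redirect (e.g. 'ipfw add fwd 127.0.0.1,3128 tcp from any
    to any 80 in'): the kernel hands the diverted connection to the proxy
    with the packet's ORIGINAL destination as the socket's local address,
    so getsockname() recovers it. On a plain, un-diverted connection it
    simply returns the listener's own address."""
    host, port = conn.getsockname()[:2]
    return host, port

def destination_from_host_header(request: bytes) -> Optional[Addr]:
    """Redirect done on another box: the original IP is gone, and the proxy
    only has what the client wrote. For HTTP that is the Host header, a
    client-chosen name rather than the IP the firewall saw, and one that
    HTTP/1.0 clients may omit entirely (returns None in that case)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            text = value.strip().decode("ascii", "replace")
            if text.startswith("["):               # bracketed IPv6 literal
                host, _, rest = text[1:].partition("]")
                port = rest[1:] if rest.startswith(":") else ""
            else:
                host, _, port = text.partition(":")
            return host, int(port) if port.isdigit() else 80
    return None

def loopback_accept() -> Tuple[socket.socket, socket.socket, Addr]:
    """Constructed stand-in for a redirected connection: a client connects
    to an ephemeral loopback listener and the accepted socket is returned,
    so original_destination() can be exercised without a firewall rule."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    listen_addr = srv.getsockname()
    client = socket.create_connection(listen_addr)
    accepted, _ = srv.accept()
    srv.close()
    return accepted, client, (listen_addr[0], listen_addr[1])
```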