[ previous ] [ next ] [ threads ]
 
 From:  lola <lola at yais dot net>
 To:  Monowall DEV <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  m0n0 <-> proxy suggestion
 Date:  Fri, 21 Oct 2005 16:18:01 +0200
hi all,


there have been many discussions about proxy support on the list. but afaik
there is no easy "plug and play" solution yet. i agree in having a seperate
proxy box rather than implementing squid into m0n0wall. so here is my
suggestion:

1. build a m0n0wall-like transparent proxy based on m0n0bsd using squid. of
course having a simple web frontend like m0n0wall. (thats the easy part)

2. in m0n0wall have a option "enable proxy". this would basicly alter the
dhcp server config and set the proxy ip as default gateway.

this means the default getaway for all clients on lan is the proxy. http
traffic is filtered, other traffic is forwarded to m0n0wall. thats the
downside of my idea: all traffic has to go through the proxy first. but i
think its the easiest way to enable proxy support in m0n0wall.


plattforms/versions:

a proxy needs much more performance than a gateway. thats the reason many on
the list dont want squid on embbeded boards (wrap, soekris). but why dont we
let the user decide what hardware to use? i'm pretty sure a proxy running on
a wrap board with a small (10 or 20 mb) cache stored on a mfs will do basic
access control and simple filtering such as domain blacklisting. who wants
to run a big proxy simply uses generic pc hardware with lots of memory and
fast hard drives. therefore i suggest having the same images as we have with
m0n0wall: generic (cache stored on hdd), embedded (only basic functionality)
and cdrom (cache stored on mfs, requires a lot of memory).


features:

as internet bandwidth isnt the main concern these days i think the core
function of the proxy should be access control and content filtering. im
running an internet cafe in germany and i can tell you filtering porn on 20
or more computers is either a pain in the ass or really expensive.
"m0n0proxy" should have a self updating blacklist system (don't know how to
do that yet).


thats my idea. what do you guys think? anybody with me or am i alone on this
one?

--

Thomas Lohner