I'm prepared to be shot down in flames over these, but I would just like
to ask anyway...
We have a number of little sites IPSeccing into our network, with just a
couple of people at each. One thing I need to be able to see (to make
sure people aren't downloading programs they shouldn't, mainly dangerous
stuff like Windows service packs <g>) is detailed web usage reports,
which requires some form of web proxy. But wait! I'm not going to
suggest a program like squid, because that is (and always should be)
outside the scope of a good firewall - I agree absolutely. Also, a CF
card is just not suitable for caching objects. However, is there any
remote possibility of including http proxying just to view the traffic,
spitting out information to a syslog server back on our network for
analysis by a dedicated tool?
We currently have to use a mixture of m0n0's (at sites with proper
server boxes and therefore squid) and smoothwalls (where staff size
dictates that such servers are not economically viable). While the
smoothwalls are great at their job, they need to be heavily modified
"out of the box" to produce reliable IPSec connections and to give some
form of SNMP and traffic shaping, which makes them a nightmare to
maintain, and any power cuts can leave (and have left) a site 200 miles away
sitting at fsck. m0n0 could solve all of this, if it wasn't for the
http traffic logging.
Like I said, shoot me in flames for suggesting such a thing.
And while I mention SNMP, my other request is for some way of pulling
SNMP data over an IPSec connection without having to use the ICMP
redirect trick? Perhaps a way of hiding the redirection internal to
Aside from that, m0n0 is a seriously feature-complete solution that I
like to use wherever possible. Big thanks to Manuel and all concerned.