 From:  Kev Latimer <kev at ne23 dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Couple of feature queries *cough* proxy *cough*
 Date:  Tue, 22 Mar 2005 13:04:57 +0000
I'm prepared to be shot down in flames over these, but I would just like 
to ask anyway...

We have a number of little sites IPSeccing into our network, with just a 
couple of people at each.  One thing I need to be able to see (to make 
sure people aren't downloading programs they shouldn't, mainly dangerous 
stuff like Windows service packs <g>) is detailed web usage reports, 
which requires some form of web proxy.  But wait!  I'm not going to 
suggest a program like squid, because that is (and always should be) 
outside the scope of a good firewall - I agree absolutely.  Also, a CF 
card is just not suitable for caching objects.  However, is there any 
remote possibility of including http proxying just to view the traffic, 
spitting out information to a syslog server back on our network for 
analysis by a dedicated tool?

We currently have to use a mixture of m0n0's (at sites with proper 
server boxes and therefore squid) and smoothwalls (where staff size 
dictates that such servers are not economically viable).  While the 
smoothwalls are great at their job, they need to be heavily modified 
"out of the box" to produce reliable IPSec connections and to give some 
form of SNMP and traffic shaping, which makes them a nightmare to 
maintain, and any power cuts can (and have) left a site 200 miles away 
sitting at fsck.  m0n0 could solve all of this, if it wasn't for the 
http traffic logging.

Like I said, shoot me in flames for suggesting such a thing.

And while I mention SNMP, my other request is for some way of pulling 
SNMP data over an IPSec connection without having to use the ICMP 
redirect trick?  Perhaps a way of hiding the redirection internal to 
m0n0wall?

Aside from that, m0n0 is a seriously feature-complete solution that I 
like to use wherever possible.  Big thanks to Manuel and all concerned.

Cheers,

Kev