Just to add my two cents to this discussion...
Jason Crowley wrote:
> Hello all,
> I've been working on adding a web proxy service to m0n0wall for access
> control and logging purposes. This service is an integral part of many
> firewall packages, and I think it would be a good addition to m0n0wall.
> I currently have a rough build of the service running on version 1.0. I
> want to get some feedback from you all, especially Manuel. Do you think
> this would be a valueable addition to the m0n0wall package? Should I
> continue to build it as a part of m0n0wall or should I attempt to make
> it a separate loadable module. Of course it would be much easier for me
> to build it as part of m0n0wall. Thanks!
> Image for Soekris net45xx
> One caveat: In order for the web proxy service to work, you must have a
> DNS server setup. If you don't receive DNS servers from DHCP on your
> WAN interface, you'll have to add them manually in the general setup
> I'm sure there are bugs and I know I need to do a lot on the
> documentation side. The web proxy is based on Squid
> (http://www.squid-cache.org); you can find some documentation there.
> You need to point your browser to port 3128 on your m0n0wall box to use
> the service.
> Let me know what you think.
First of all: VERY Nice work! (With the GUI at least, I've not
actually tried the image though.)
While I do agree with the "firewall only" credo (to some extent), I
still feel that this would be a nice addition to m0n0wall. Perhaps the
suggestion about making this a module/plugin (the kind Manuel recently
added support for) will be the way to go (again, to keep the purists
happy), even if I'd personally prefer this to be part of m0n0wall
itself (mainly because I'm not confident with building my own image,
which I understand is necessary to use such a "plugin").
A suggestion: I'd like the proxy to have the ability to "filter"
(and/or "replace") certain packets as well, if possible? At one time I
used a proxy that replaced images (and possibly flash and other stuff
as well?) from known ad/spam/popup domains with a 1x1 transparant gif.
A VERY nice way of limiting (if not eliminating) those annoying ads.
There might be other uses for this feature as well?
About caching: While I fully agree that using the CF for a cache is a
VERY bad idea, how about using RAM instead? As long as it can be
disabled (and/or detect and handle low-mem situations), those of us
who run m0n0wall on an old PC have plenty of RAM which might as well
be used for this purpose (I, for instance, have 256MB, simply because
I didn't have anything smaller lying around)
= = =
Now, I may be totally wrong about this, but... Wouldn't such a proxy
be able (perhaps with a few modifications/additions) to do much, if
not all, the work of the recently added captive portal feature (Or the
other way around for that matter)?
If so, perhaps it would be a good idea to try to incoorporate one into
the other, not necessarily in the GUI but rather "behind the scenes",
so as to lower the number of components used in m0n0wall! (which
should both help lowering RAM/CF usage, and increase the security.)