Hi All,
Just to add my two cents to this discussion...
Jason Crowley wrote:
> Hello all,
>
> I've been working on adding a web proxy service to m0n0wall for access
> control and logging purposes. This service is an integral part of many
> firewall packages, and I think it would be a good addition to m0n0wall.
> I currently have a rough build of the service running on version 1.0. I
> want to get some feedback from you all, especially Manuel. Do you think
> this would be a valuable addition to the m0n0wall package? Should I
> continue to build it as a part of m0n0wall or should I attempt to make
> it a separate loadable module? Of course it would be much easier for me
> to build it as part of m0n0wall. Thanks!
>
> Screenshots:
> http://home.kc.rr.com/innonet/services_webproxy.jpg
> http://home.kc.rr.com/innonet/services_webproxy_rules.jpg
> http://home.kc.rr.com/innonet/services_webproxy_rules_edit.jpg
> http://home.kc.rr.com/innonet/services_webproxy_acls.jpg
> http://home.kc.rr.com/innonet/services_webproxy_acls_edit.jpg
> http://home.kc.rr.com/innonet/services_webproxy_users.jpg
> http://home.kc.rr.com/innonet/services_webproxy_users_edit.jpg
>
> Image for Soekris net45xx
> http://home.kc.rr.com/innonet/net45xx-1.0-webproxy.img
>
> One caveat: In order for the web proxy service to work, you must have a
> DNS server set up. If you don't receive DNS servers from DHCP on your
> WAN interface, you'll have to add them manually in the general setup
> page.
>
> I'm sure there are bugs and I know I need to do a lot on the
> documentation side. The web proxy is based on Squid
> (http://www.squid-cache.org); you can find some documentation there.
> You need to point your browser to port 3128 on your m0n0wall box to use
> the service.
>
> Let me know what you think.
First of all: VERY nice work! (With the GUI at least, I've not
actually tried the image though.)
While I do agree with the "firewall only" credo (to some extent), I
still feel that this would be a nice addition to m0n0wall. Perhaps the
suggestion about making this a module/plugin (the kind Manuel recently
added support for) will be the way to go (again, to keep the purists
happy), even if I'd personally prefer this to be part of m0n0wall
itself (mainly because I'm not confident with building my own image,
which I understand is necessary to use such a "plugin").
A suggestion: I'd like the proxy to have the ability to "filter"
(and/or "replace") certain packets as well, if possible? At one time I
used a proxy that replaced images (and possibly flash and other stuff
as well?) from known ad/spam/popup domains with a 1x1 transparent gif.
A VERY nice way of limiting (if not eliminating) those annoying ads.
There might be other uses for this feature as well?
About caching: While I fully agree that using the CF for a cache is a
VERY bad idea, how about using RAM instead? As long as it can be
disabled (and/or detect and handle low-mem situations), those of us
who run m0n0wall on an old PC have plenty of RAM which might as well
be used for this purpose (I, for instance, have 256MB, simply because
I didn't have anything smaller lying around).
= = =
Now, I may be totally wrong about this, but... Wouldn't such a proxy
be able (perhaps with a few modifications/additions) to do much, if
not all, the work of the recently added captive portal feature (Or the
other way around for that matter)?
If so, perhaps it would be a good idea to try to incorporate one into
the other, not necessarily in the GUI but rather "behind the scenes",
so as to lower the number of components used in m0n0wall! (which
should both help lower RAM/CF usage, and increase the security.)
Regards,
Adam.
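The pieces discussed in this thread (a listener on port 3128, manually supplied DNS servers, a RAM-only cache, and swapping content from known ad domains for a 1x1 transparent gif) can all be expressed directly in Squid's own configuration. The fragment below is an added illustration for readers of the thread; it is not part of Jason's m0n0wall build or of the Squid project. The IP addresses, the LAN range, the domain-list path and the gif URL are placeholders, and the memory-only behaviour when no `cache_dir` line is present assumes Squid 3.1 or later.

```conf
# Added example squid.conf fragment (not from the m0n0wall build).
# Assumes Squid 3.1 or later: with no cache_dir directive, Squid keeps
# its cache in RAM only, which is the "use RAM instead of the CF" idea.

# Clients point their browser at this port on the m0n0wall box.
http_port 3128

# Resolver: only needed when no DNS servers arrive via DHCP on the WAN.
# Placeholder addresses (RFC 5737 documentation range).
dns_nameservers 192.0.2.53 192.0.2.54

# RAM-only cache. Bound cache_mem so a small box is not starved;
# tune it to the memory actually available (e.g. a 256MB PC).
cache_mem 64 MB
maximum_object_size_in_memory 512 KB

# Who may use the proxy: only the LAN (placeholder range).
acl localnet src 192.168.1.0/24

# Basic port hygiene so the proxy cannot be used to reach odd services.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Ad/popup filtering: domains listed one per line in the file
# (constructed example entry: ".ads.example.net"). Matching requests are
# denied, and because deny_info names a URL, Squid answers with a
# redirect to a 1x1 transparent gif instead of an error page, so the
# surrounding page still renders. The gif must be served by a web
# server the clients can reach; the address here is a placeholder.
acl adservers dstdomain "/etc/squid/adservers.txt"
deny_info http://192.168.1.1/1x1.gif adservers
http_access deny adservers

# Ordering matters: the ad rule sits before the LAN allow so it applies
# to LAN clients; everything not explicitly allowed is refused.
http_access allow localnet
http_access deny all
```

Two practical notes. The gif replacement only works for plain HTTP: for HTTPS the browser issues a CONNECT and Squid sees nothing but the destination host, so an ad domain on the list is simply refused rather than replaced. And the domain list file should be readable only by the Squid user and reloaded with `squid -k reconfigure` after edits, so that a change to the filtering policy does not require restarting the proxy.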