hashalo.blogg.se

This, from the side of the end user, works beautifully. But to get user based rules with the transparent proxy (thinking captive portal), there would need to be a added system to match logged in users and their IP addresses to user-specific ACL's and apply them while also ensuring old unused IP's are discarded. It integrates really nicely with Shallalist and has components for time-based ACLs, and even user-based ACL's. Regardless, SquidGuard does give a lot of hope to the problem. In addition, there's the ethical grey area of getting subordinate root certificates through a trusted CA (I'm looking at you TrustWave….) Similarly, there may again be the requirement of configuring per device as the certificates must be verified, etc. The problem with transparent proxies? We have to implement a MitM SSL Bump to filter any sort of HTTPS traffic and that could be costly. WPAD, when used, isn't a guaranteed solution. Squid+SquidGuard does amazing when it's explicit, but that requires setup on all the user devices. No more trading ease-of-use for complicated initial configurations.įirstly, it's not to say that there aren't close alternatives or derivatives. Giving administrators the power to control who views what, when, and how. Implemented, we'd have a comprehensive, no-fuss web filter.

Now you can imagine: an Internet Access Schedule that equates to a more "professional" parental-control model rules based on subnet and/or user accounts themselves. Even more, squidguard has a pretty well-functioning time function, so we could probably get that implemented as well. So, why not extend this to be applied on a basis of users if need be? New lists defined for each user that would give us user-based web filtering in addition to the "baseline" level associated with each subnet/interface. As we all know, even the slightest bit of configuration is over the heads of many, and we want something that works across all devices without any problems.īut, could it go further? With the captive portal, it's possible to associate user names with device IP addresses. But, the user doesn't have to go through the painful process of manually configuring a proxy or jumping through any other hoops. The guest network could have increased restrictions compared to the private network, etc.

The device is now configured so that the internet traffic of each network is filtered based on selected categories and is independent of one another. The network is separated into different subnets think private and guest. We have a pfsense acting as a firewall/router(Wireless even) on a given network. Judging from the requests of other pfsense users and some digging around the forum, there's obviously need for such a feature. Note the $$$ mark is just a base contribution to grab some traction.