Wednesday, July 05, 2006

PfSense

I finally made the switch from m0n0wall to PfSense today. It all went well (PfSense can import the m0n0wall config file directly), except for one thing: after the switch, I didn't have any audio when calling through one of my VoIP providers. I fixed the problem by enabling advanced outbound NAT and enabling the static port feature for the default rule. I needed that because PF, the packet filter used in PfSense, automatically scrambles the source port for more security, but VoIP needs the port to stay the same so the far end can tell which session a packet belongs to. Next step is to enable it only for my Asterisk server and my Vonage ATA, instead of my whole LAN.
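Here is what that "next step" looks like expressed as PF rules, as an added example that is not taken from the post or from pfSense itself. pfSense writes rules like these into its own pf.conf when advanced outbound NAT is enabled; the interface name and the addresses below are assumptions I made up for the illustration.

```conf
# Added example (not from the original post): outbound NAT rules in PF syntax
# of the kind pfSense generates for "advanced outbound NAT".
# Interface name and addresses are constructed for this example.
ext_if     = "em0"                                 # WAN interface (assumed)
lan_net    = "192.168.1.0/24"                      # whole LAN (constructed)
voip_hosts = "{ 192.168.1.10, 192.168.1.11 }"      # Asterisk server and Vonage ATA (constructed)

# NAT rules are first-match in PF: the VoIP hosts hit the static-port rule
# and keep their original source port, so the provider sees the port it
# expects for the RTP session. Everyone else falls through to the second
# rule and gets a randomised source port, which is the safer default.
nat on $ext_if from $voip_hosts to any -> ($ext_if) static-port
nat on $ext_if from $lan_net    to any -> ($ext_if)
```

The point of keeping the static-port rule narrow is that a randomised source port is what makes the translated connections harder to guess from outside; limiting the exception to the two VoIP devices keeps that protection for the rest of the LAN. In pfSense this is done in the webGUI by adding a manual outbound NAT rule with the static port option for just those hosts, placed above the default rule.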


In the end, PfSense is worth a try. I think the VoIP traffic shaping is still not perfect, but it'll probably be fixed before it is released as stable (it is now RC1). Feel free to share your experiences with firewalls :).


SquidGuard

Hi,

I played with SquidGuard in the past few days to control what users can access on the net and when. It is quite a great package, as it did what I needed to do. This is basically how it works:

  • You can define Time Spaces
  • You can define source groups (hosts or networks, or IP addresses ranges, or users)
  • You can define destination groups (domains, URLs, regex)
  • Finally, you define acls with all those parameters
  • You can add blacklists to the mix
I have recommendations for people who would like to try squidguard:

  • Don't forget that SquidGuard is a redirector: if you don't configure a redirect URL, it will not block anything
  • Check all the logs
  • You need to know that when SquidGuard encounters a problem (config or else), it goes into emergency mode, in which it does nothing (nothing is blocked)
  • I suggest you avoid using the webmin module. I can't say for sure that you'll have trouble with it, but I lost many hours because of it. If I can find some time eventually, I'll report more on what problems I've met. Feel free to post comments on your experiences with proxies...
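To make the pieces listed above concrete (time spaces, source and destination groups, ACLs, and the redirect URL that the first recommendation is about), here is a small squidGuard.conf as an added example. It is not from the post or from the squidGuard project; the paths, address ranges and the block page URL are assumptions.

```conf
# Added example squidGuard.conf (not from the original post).
# Database and log paths, address ranges and the block page are constructed.
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# Time space: office hours, Monday to Friday
time workhours {
    weekly mtwhf 08:00 - 18:00
}

# Source groups (by network, by address range)
src staff {
    ip 192.168.1.0/24                   # constructed LAN range
}
src kids {
    ip 192.168.1.50-192.168.1.60        # constructed range inside the LAN
}

# Destination groups (domain lists, URL lists, regex lists); the files
# live under dbhome, typically from a downloaded blacklist (assumed paths)
dest adult {
    domainlist adult/domains
    urllist    adult/urls
}
dest games {
    domainlist     games/domains
    expressionlist games/expressions
}

# ACLs: the first source class that matches the client is used.
# Each class needs a redirect; a "pass" without a redirect URL lets
# everything through, because squidGuard only rewrites the request.
acl {
    staff within workhours {
        pass !games !adult all
        redirect http://proxy.example.lan/blocked.html?src=%s&url=%u
    } else {
        pass !adult all
        redirect http://proxy.example.lan/blocked.html?src=%s&url=%u
    }
    kids {
        pass !adult !games all
        redirect http://proxy.example.lan/blocked.html?src=%s&url=%u
    }
    default {
        pass all
        redirect http://proxy.example.lan/blocked.html?src=%s&url=%u
    }
}
```

The `%s` and `%u` placeholders expand to the matched source class and the requested URL, so the block page (and the squidGuard log) tell you which rule fired. To catch the emergency-mode problem from the third recommendation before users notice it, run squidGuard by hand in debug mode (`squidGuard -c /etc/squidguard/squidGuard.conf -d`, path assumed) and feed it one line in the Squid redirector format on stdin (`http://example.com/ 192.168.1.55/- - GET`): a correctly loaded config answers with the redirect URL for a blocked request and an empty line for an allowed one, while a config or database error shows up as a "going into emergency mode" message in the debug output and in the log under logdir.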
