OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: kyferez on November 28, 2018, 11:38:46 pm

Title: [EnhancementRequest] Web Proxy SSL NoBump sites and Bypass proxy
Post by: kyferez on November 28, 2018, 11:38:46 pm
1) For the SSL NoBump sites list, if you have a deployment of any size, this list can quickly become unmanageable with the current implementation of the site list. I would like to see something like the firewall Aliases for these, where I can create multiple groups with lists of sites not to bump. For example, I would create a list of Banks, UserApplications, InternalSites, etc.

2) For the SSL Nobump, as well as the Groups suggested above, allow import/export of the list, with sites separated by a newline for the import/export.

3) I would also like to request No-Proxy settings for specific source IPs, destination IPs or URLs. For example, say I want a site not to be proxied, or a host server not to be proxied, or a destination IP range not to be proxied. Currently this is difficult and must be managed by creating NAT rules, which have limitations and don't cover all 3 options above. These would also need a per-subnet/interface setting, with the ability to select multiple subnets/interfaces.

4) Separate NoBump lists for separate source Subnets/Interfaces which are using the proxy, or alternatively support multiple proxy processes so we can have fully separate proxy configurations for each Subnet/Interface.

Note that #1 is by far the most pressing need.

Thanks!
Title: Re: [EnhancementRequest] Web Proxy SSL NoBump sites and Bypass proxy
Post by: mimugmail on November 29, 2018, 06:25:29 am
ATM it only works best when you have a large text file managing all domains separated by commas, so you can just paste it. Regarding "no-proxy", you'd need a NAT exception not to push it to the proxy.
Title: Re: [EnhancementRequest] Web Proxy SSL NoBump sites and Bypass proxy
Post by: kyferez on November 29, 2018, 06:20:48 pm
Quote from: mimugmail on November 29, 2018, 06:25:29 am
ATM it only works best when you have a large text file managing all domains separated by commas, so you can just paste it.

Thanks, I guess I can make do with that method for now. I'd still like to see my enhancement request for groups, for organization reasons. But that brings up another issue I had forgotten about: different NoBump lists for different source subnets/VLANs. There is no option to accomplish this, so I added it to my original post.

Quote from: mimugmail on November 29, 2018, 06:25:29 am
Regarding "no-proxy", you'd need a NAT exception not to push it to the proxy.

Yes, I am using a No RDR (aka Do not NAT) rule for now to prevent NAT of the specific device/destination, but as I don't allow anything to the Internet by default on my 4 server and DMZ VLANs, it actually requires a minimum of 2 rules: 1 for No RDR and 1 for firewall allow (No RDR doesn't have the option for an auto-generated firewall rule). Then, for destinations I want to keep off the proxy on multiple VLANs, it requires a No RDR rule for each VLAN.

So it gets very messy very fast, so you can see why it would be far better to have it managed in one location with one setting. Less mess equates to better security, because there's far less likelihood of it getting done wrong when removing or changing things.
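A small helper for the workaround mimugmail describes (keep the NoBump list as a text file and paste it into the single GUI field) that also gives kyferez the per-group organisation he asks for. It is an added example, not OPNsense or Squid code: each group is kept as its own pasted list, the lists are merged, entries that are not plain domain names (URLs, wildcards) are rejected because the SSL NoBump field expects domains, duplicates across groups are reported, and entries already covered by a broader ".parent" entry are flagged so the merged list stays small. The group names and domains below are constructed sample input.

```python
"""Merge per-group SSL NoBump lists into the one comma-separated field the
OPNsense web-proxy GUI accepts, with validation. Added example, not
OPNsense's or Squid's own code; group names and domains are constructed."""
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_list(text):
    """Split a pasted list on commas or newlines, lowercase, drop blanks and '#' comments."""
    entries = []
    for raw in re.split(r"[,\n]", text):
        item = raw.split("#", 1)[0].strip().lower()
        if item:
            entries.append(item)
    return entries


def valid_domain(entry):
    """Accept 'example.com' or '.example.com' (subdomain match); reject schemes, paths, wildcards."""
    host = entry[1:] if entry.startswith(".") else entry
    if not host or "/" in host or ":" in host or "*" in host:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def shadowed_by(entry, entries):
    """Return the broader '.parent' entry that already covers `entry`, or None."""
    host = entry.lstrip(".")
    for other in entries:
        if other.startswith(".") and other != entry:
            parent = other[1:]
            if host == parent or host.endswith("." + parent):
                return other
    return None


def merge_groups(groups):
    """groups: {group name: pasted text}. Returns (sorted unique entries, problem messages)."""
    seen = {}       # entry -> group that first contributed it
    problems = []
    for name, text in groups.items():
        for entry in parse_list(text):
            if not valid_domain(entry):
                problems.append(f"{name}: invalid entry {entry!r}")
                continue
            if entry in seen:
                problems.append(f"{name}: {entry!r} duplicates {seen[entry]}")
                continue
            seen[entry] = name
    merged = sorted(seen)
    for entry in merged:
        parent = shadowed_by(entry, merged)
        if parent:
            problems.append(f"{seen[entry]}: {entry!r} already covered by {parent!r} ({seen[parent]})")
    return merged, problems


def to_gui_field(entries):
    """Comma-separated form to paste into the SSL NoBump sites field."""
    return ",".join(entries)


GROUPS = {  # constructed sample input, one pasted list per group
    "Banks": "bank.example,.bank.example\nonline.bank.example",
    "InternalSites": "intranet.corp.example, https://wiki.corp.example/, bank.example",
    "UserApplications": ".updates.vendor.example  # auto-update pinning",
}

if __name__ == "__main__":
    merged, problems = merge_groups(GROUPS)
    for problem in problems:
        print("WARN", problem)
    print(to_gui_field(merged))
```

Running it prints four warnings (the URL entry, the duplicate of bank.example, and the two entries already covered by .bank.example) followed by the single line to paste. Review the warnings before pasting: a broad ".parent" entry silently stops inspection of every subdomain, which is exactly the kind of change that is easy to get wrong when one flat list is edited by hand.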