Squid security issues on Pfsense | Is Opnsense also affected?

Started by lansolo, November 14, 2023, 03:31:23 PM

Hello everyone,

Netgate has announced that they will no longer support the Squid and Squidguard packages on Pfsense. I'm wondering if the Opnsense package is also affected by this or what the roadmap for the future of Squid on Opnsense looks like.

https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software

Narrowing the scope of a project is a good thing. But security being the only reason is probably only half the truth?

If you look at our Squid integration, we seldom improve it these days as demand is declining and resources are better spent elsewhere.

We will keep updating Squid as long as releases are available, but we will likely move Squid to a plugin to live outside the core installation in 24.1.

Also keep in mind that with all of these services you get what you pay for. ;)


Cheers,
Franco

Quote from: franco on November 14, 2023, 04:26:06 PM
We will keep updating Squid as long as releases are available, but we will likely move Squid to a plugin to live outside the core installation in 24.1.

What does this mean?
That the Proxy and Cache service will be managed in another way or that it will be abandoned?
Does it still make sense to implement them?
Since I'm configuring a firewall for a small company, there's no point in worrying if the prospect is to abandon the service.

> What does this mean?

Sorry, it means what I said: We have plugins. Squid will be moved to a plugin.

I didn't say anything about "removing", "abandoning" or "dropping" support.


Cheers,
Franco

Quote from: franco on November 15, 2023, 07:47:36 AM
> What does this mean?

Sorry, it means what I said: We have plugins. Squid will be moved to a plugin.

I didn't say anything about "removing", "abandoning" or "dropping" support.

If you already plan to move Squid to the plugins, support will not be "dropped", but it will certainly be less.
In any case, one of the advantages of OPNSense is the presence of various pre-configured and ready-to-use "engines".
With plugins we return to the need to install and configure them one by one, with all that this entails in terms of reliability.

In my opinion, the problem of alternatives already arises.

Can the content filter present in OPNSense (whatever its engine) work without Squid?
Can Clamav or other ICAP engines work equally?

If the Internet connectivity is good we can even work without cache management, but in many areas we are still faced with mediocre connectivity.
Are there any alternatives in terms of cache management?

> but it will certainly be less

That is exactly what it is, because currently it does not reflect support reality and after changing it to a plugin in support tier 2 it will be more aligned with the status quo.


Cheers,
Franco

Quote from: franco on November 15, 2023, 10:02:46 AM
That is exactly what it is, because currently it does not reflect support reality and after changing it to a plugin in support tier 2 it will be more aligned with the status quo.


I'm sorry, maybe I explained myself badly.
I am not disputing or arguing about a reason that I find understandable.
I'm asking if alternatives are already being considered or if you can already propose some.

I'm implementing an OPNSense firewall from scratch and just yesterday I asked for some information on proxy management in HTTPS.
There's no point in continuing to customize Squid if its path is already marked.
So, I keep Squid configuration to a minimum and look for its alternatives, if any exist.

As far as forward proxies go there is no other integrated solution and that's also a reason why Squid will be kept around for likely a long time.

There is https://www.privoxy.org/ and we have had a package available for years but nobody wanted to build a plugin for it.

Not aware of another open source option, but that doesn't mean there isn't one. If Squid should decay further and updates cease to exist (like is the case with ISC DHCP and requiring the move to Kea DHCP) this can change and we will be working on it ourselves.

You can also see if something like Zenarmor fits your requirements... https://www.zenarmor.com/zenarmor-next-generation-firewall -- you can install it directly from the OPNsense GUI through the os-sunnyvalley plugin repo addition.


Cheers,
Franco

Thank you, I will look into your suggestions.
Frivolous question: Squid complains of being short of resources, so why don't Netgate and Deciso take care of the missing patches?
Both have an interest in maintaining what is still a strategic engine, or am I wrong?

Quote from: franco on November 14, 2023, 04:26:06 PM
If you look at our Squid integration we seldomly improve it these days as demand is declining and resources are better spent elsewhere.

Likely same for Netgate.

Why do you say demand for Squid is declining?
Without Squid, how are content checks done and how is the antivirus activated?