
Topic: Transparent AV?


Offline caustic386

  • Jr. Member
  • Posts: 47
Transparent AV?
« on: May 18, 2012, 04:21:17 pm »
I'm interested in following the tutorial at http://www.smallnetbuilder.com/security/security-howto/31433-build-your-own-utm-with-pfsense-part-1, minus the Antispam & CFS, and as I install the packages I notice there's constantly a reference to configuring proxy settings on the client browser.

I'm new at this, from ISA/Forefront and Sonicwall, where client browser proxy settings were not required (and didn't seem to make a difference when you did turn them on).  What is gained or lost by not configuring web proxy on our clients?

Offline Craigusoz

  • Newbie
  • Posts: 21
Re: Transparent AV?
« Reply #1 on: May 18, 2012, 04:39:35 pm »
Normally what you do is to use squid in transparent proxy mode, with HAVP as the parent of squid. No client proxy setup is required.

However, HAVP is currently broken (for me and some others, at least): http://forum.pfsense.org/index.php/topic,47576.0.html

If you use Dansguardian instead, you will probably want to look at auto proxy configuration.

I've personally abandoned virus scanning at the firewall, because I'm just not convinced that ClamAV works well enough. Individual Win clients run Avast.

I do use squidguard for filtering, with pfBlocker to block tor et al, and that works well.
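The squid-in-front, HAVP-as-parent arrangement from the reply above, written out as an added configuration example (not from the original thread, the pfSense packages or the linked tutorial). It assumes HAVP on its default local port 8080, Squid on 3128, and a LAN interface named em1; adjust all three to your box.

```conf
# --- squid.conf (fragment): Squid accepts intercepted LAN port-80 traffic
# --- and hands every request to HAVP as its parent proxy.
# Listen for intercepted traffic. Squid 2.7/3.1 spell this "transparent";
# Squid 3.2 and later spell the same option "intercept".
http_port 127.0.0.1:3128 transparent
# HAVP as the only parent; 8080 is HAVP's default port (assumed here).
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
# Never go direct: if HAVP is down, requests fail rather than skip scanning.
never_direct allow all

# --- havp.config (fragment): HAVP listens only on localhost, scans with
# --- libclamav, and fetches from the origin server itself (no parent set).
BIND_ADDRESS 127.0.0.1
PORT 8080
TRANSPARENT false
ENABLECLAMLIB true

# --- pf NAT rule (assumed LAN interface em1): redirect outbound HTTP from
# --- the LAN to the local Squid listener. This is the port-forward the
# --- pfSense squid package creates when "Transparent proxy" is ticked;
# --- it is what removes the need for any browser proxy setting.
rdr on em1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
```

Two things worth checking once this is in place. First, only plain HTTP on port 80 is redirected, so anything over HTTPS passes the firewall unscanned; that is the limitation raised later in this thread. Second, to confirm the chain is actually transparent, fetch the EICAR test file from a LAN client that has no proxy configured: a correct setup returns HAVP's block page, and a client that gets the file through shows the redirect rule or the never_direct line is not taking effect.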


Offline caustic386

  • Jr. Member
  • Posts: 47
Re: Transparent AV?
« Reply #2 on: May 20, 2012, 09:29:37 am »
Thanks for the tips!  I tend to agree that firewall-based AV isn't really that useful, especially with so many sites using HTTPS these days.

I have no experience with ClamAV, but our client-side ESET performs quite well, so maybe I'll leave well enough alone rather than get into Squid, etc. (something else I have no experience with).

Thanks for the tip regarding pfBlocker. We currently use DynDNS as a content filter at only $10/year, but it's DNS-based, so it's easy to bypass for intermediate users.  This might be the answer I was looking for, though!