Firewall – Security implications of running SquidProxy on the main pfSense Firewall

firewall pfsense squid transparent-proxy

I want to start a discussion about the pros and cons of running a SquidProxy server on the same pfSense box as the main firewall.

Today I have one pfSense doing all the firewall things, like routing and filtering (I don't use NAT), so pfSense is filtering only public IPv4 addresses. Local DNS was disabled for security reasons, and the DHCPd is running on another machine inside the internal LAN.

Since I want to install a SquidProxy and perhaps some filtering with SquidGuard, the obvious idea is to put everything on the main firewall, but I'm not sure if it's a good practice. But I don't know if there's any viable option. The squid must be run in transparent mode, so the users don't know they are behind a proxy.

Best Answer

Best practices are to separate the role of network firewall from everything else. Generally.

The reasoning behind this is that the more software you have running alongside your firewall, the greater the risk of it becoming compromised through a bug in other software -- and if someone compromises your firewall, they effectively own your network (or at least the partition thereof "guarded" by that firewall).

However, typically this is easily mitigated by simply denying access from the outside world, as that's where most attempted attacks typically originate. Since there's no need for "outsiders" to be using your proxy (and plenty of reason for you to want to deny them that anyway), then you can easily just configure your firewall to drop/reject such connections coming from outside your network. (For my part, even though I use SSH to manage my Linux-based firewall and allow SSH into my network from outside, outside SSH connections actually get port forwarded to a separate server inside my network, from which I can hop to the firewall if I need to, rather than accepting them directly at the firewall. Simply because it reduces the attack surface on my firewall itself.)

This does still leave your firewall exposed to being compromised by way of a vulnerability in Squid from a malicious user inside your network. Whether this risk is serious enough to warrant the effort of installing Squid on a completely separate box (it is doable even for a transparent proxy configuration as you're asking for, but does add complexity) or not is a trade-off you have to consider for yourself -- if this is just a home network, probably not worth the hassle, but if this is the internet gateway for a large school district or an ISP, then you must very seriously consider the risk of attack from within.

As with all security issues, it's a matter of trade-offs. If in doubt, however, my recommendation is to follow the best practices here and put that proxy on a separate box -- better safe than sorry, especially when talking about your firewall!
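The answer's mitigation of refusing proxy connections from outside the network can also be checked on the Squid side. The following is an added example, not part of the original answer: a small audit of `squid.conf` text for a listener bound to every interface and for an access list that admits any source. The sample configurations, the `203.0.113.0/24` addresses and the function names are constructed for illustration.

```python
# Added example: audit squid.conf text for settings that leave the proxy
# reachable from outside the LAN. Addresses are constructed placeholders.

WEAK_CONF = """\
http_port 3128 intercept
acl localnet src 203.0.113.0/24
http_access allow all
"""

HARDENED_CONF = """\
# listen only on the LAN-side address of the box (placeholder address)
http_port 203.0.113.1:3128 intercept
acl localnet src 203.0.113.0/24
http_access allow localnet
http_access deny all
"""

def directives(conf):
    """Yield (name, args) for each directive, skipping blanks and comments."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        yield name, args

def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    access_rules = []
    for name, args in directives(conf):
        if name == "http_port" and args:
            # No host part (or a wildcard) means every interface, WAN included.
            host = args[0].rpartition(":")[0]
            if host in ("", "0.0.0.0", "[::]"):
                findings.append("http_port %s listens on all interfaces" % args[0])
        elif name == "http_access":
            access_rules.append(args)
    for rule in access_rules:
        if rule[:2] == ["allow", "all"]:
            findings.append("http_access allow all admits any source address")
    if not access_rules or access_rules[-1] != ["deny", "all"]:
        findings.append("http_access list does not end with 'deny all'")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

A clean result here does not replace the firewall rule the answer describes; it only confirms that Squid itself is not configured to accept clients from anywhere.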