We have recently implemented (native) IPv6 in our network. Everything is working very well so far, but our IPv4 network passes all HTTP traffic through Squid (2.7.STABLE6 on Ubuntu Server) + SquidGuard for filtering purposes. This is all managed via a redirect rule on the firewall (via Shorewall).

I'm wondering now if it's possible to do the same thing with IPv6 at all. If it's any help we're using Shorewall6 for IPv6 traffic.

Matthew Iselin

1 Answer

This is kinda... tricky. As far as I can tell, there are going to be two major barriers here:

Redirection support

There are a few different methods out there for getting web traffic transparently to a web filter device - WCCP, a custom protocol (common with, say, a cisco firewall + websense), or a good old-fashioned SPAN/mirror port.

Based on the systems in use, I'm going to guess your implementation uses WCCP, which unfortunately doesn't seem to have IPv6 support.

Squid itself

Squid 2.7 doesn't support IPv6, so you'll need newer Squid. Not a huge issue, but not trivial either.

URL filtering in IPv6 kinda throws out a lot of the existing solutions - good options for you, at this point:

  • Upgrade Squid for IPv6 support, and use proxy configs on the client systems. More unpleasant to manage, for sure, but as an added bonus your filter system gets visibility into HTTPS streams.

  • You may have some success with a solution that takes a SPAN port stream and sends RST packets to break requests that are denied, but I'd be leery about those systems working right with IPv6 (and it's a pretty bad solution from a technical perspective, anyway).

  • Most of the "Unified Threat Management" appliances out there, the Fortinets and Astaros of the world, have integrated URL filtering - if you're open to doing some rearranging, sticking one of those in as a transparent inline device, or even replacing your firewall with one, would do the trick.

Shane Madden