So I thought I'd report back after a while regarding the Zywall. All-in-all, not a bad system, especially for the money. Very configurable. The web interface is a bit sluggish at times, but not horrible to use. And if the web interface annoys you, there is command line for everything, including some stuff you can't do from the web interface. Very modular system and pretty flexible. So far I have only come across one "well that is stupid" item.
When you set up content filtering, you create a profile, which defines what kind of content to filter and then you set a policy which selects to which systems the profile is applied. My thinking? Great, I set up a profile for social networking, another for audio/video streaming, another for Instant messaging sites, and so on. Then I can set up policies for each one applying them to the range of IPs I want to have filtered and enable/disable as needed. Turns out that when an is checked against the policies, the system goes to the first policy match and applies the profile associated. If the URL doesn't fall foul of that profile, it is allowed past, even if it would be blocked by another active profile. This means that a source IP address can only match one policy. Not a huge deal, but it prevents you from doing something like setting up general filtering for something, say adult content, and then setting up scheduled filtering on something else, like email or YouTube.
Now for the down side.... I'm not a whole lot closer to solving my problem than I was before. The reason? Damn SSL. All the content and URL filtering is rendered useless since most things use SSL connections these days. Block mail.google.com? Not a problem, load up https://mail.google.com
. Block https traffic altogether and you might as well shutdown anything you have to log in to. The Android Google Voice client? It uses an SSL conenction for all non-voice traffic so you can't even really block it. The security side of me says this is good. The network admin side of me is mightly annoyed.
So, as far and the parental blocking goes, I'm back to "you screw up with one thing and all access on all your devices goes away". I am going to keep the Zywall though. I have been meaning to replace my old Netgear for a long time and having network level virus scanning will certainly be nice.
I did take a bit of time to pull down and play with Untangle. I set up a test install in a VM and I must say, I was very impressed. Very easy to use and very nice interface. The content filter does slightly better at handling custom URLs than the Zywall does. However, it still suffers from the same SSL issues as the Zywall. Its content filter will block SSL connections, but only by IP address, not by URL, and you have to pay for the commercial content filter package for that. This brings me to the other point about Untagle. If you exceed the capabilities of the free (lite) setup and need to go with the commercial package, you pay dearly. Content filtering, which would be ~$90 a year for the Zywall is ~$270 a year for Untangle. While you get a little more in functionality, I don't think it is that much more.
The commercial Smoothwall appliances do SSL connection filtering, but I can't find a published price for them or for the per computer licenses needed when likely means that it falls into the "if you have to ask" category.
Just my thoughts and comments.