@kejianshi:

Like I said, the real problem is that it will be hard for me to know when I have a real problem and when its a dansguardian thing

Understood. There are a few situations where DG can cause problems even when properly setup and configured. In order to solve that issue, I implemented a bypass page. I know DG has it's own bypass capability, but I wanted to make sure DG would be completely out of the flow if I chose to bypass it.

Here's how it works… When you get blocked, DG presents a web page prompting your for an ID and password. If you enter the correct credentials (currently just check against a text file of user/password), it adds the IP address to a list of "unfiltered" IP's that do not get redirected to DG (via the firewall rules). It then manually force the rules to be reloaded. There is a little cron job that removes the IP from the list 15 minutes later.

Bill - thanks for your input.  I'll be watching out for the 2.6.0 snort package update as well as dialing in the snort rules.

Thanks.  Now to whitelist via IP the forum.pfsense.org site…  ;D

you are correct.

@jimp:

You cannot. What you're trying to do is just not possible with pfSense.

Hi jimp,

Thx for your replies.Having a network of pcs and a router on the same network please advice me which is the best configuration so as pfsense to be used.I don't need to set it up as a firewall nor as something else. All I need is to install a pfsense appliance between my network and the router so as to have a transparent web filtering without the need of ip changes on my network. Why wan port has to be on different ip rage than nat's ? If it is impossible please advice for the best alternative solution

thx in advance

what I'd like :  ROUTER=========PFSENSE/WEBFILTERING============PC
                      192.168.1.1/24========transparent ================.X/24

Looks like the pfBlocker widget uses the description for matching packet stats,, if the rule does not contain the aliasname matching packets will not add to the widget counters.

augh…last try is to reinstall...:\

Hi!

Just want to know if you managed to get it going? I'm stuck here with the same error (pfSense 2.0.3), and before I'm about to dig in I thought I should ask first. :-)

I thought about that, however PFSense is sitting between my modem and router as a firewall and does not handle DHCP \ Traffic Shaping. I chose this because the router I am using has a really good QoS and I love the gui that shows real time usage.

I am going to table this for now. Getting ready to leave town for a while and there is no reason to worry about it until I can get at least one more WAN connection to handle the traffic anyway.

Thanks for the suggestion.

Hi,

I run version 2.0.3. Package list doesn't show me "squid3-squidguard" but only "squidGuard".
Search engine on the whole forum for keyword "squid3-squidguard" brings me only this thread.

Is their a second repository to configure ? Or should I move to 2.1-RC release ?

Thanks for the support  ;).

Phil

@rjcrowder:

Would you (or anyone for that matter) be able to give me a quick overview? Or point me in the best place to look to get started?

so… it looks to me like the problem must be in the install of the clamav package (see /var/db/pkg/clamav-0.97.6). Likewise, I'd conjecture that the problem is based on something that is done via the "+CONTENTS" file... Can anyone give me a clue how this is used / interpreted during the install process?

The following error was encountered while trying to retrieve the URL: https://www.gmail.com/ Failed to establish a secure connection to 173.194.45.85 The system returned: [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH) Certificate does not match domainname: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials. Your cache administrator is admin@localhost.

but works with https://mail.google.com/mail/

I had wondered if it would be possible to build a https site with SSL and wrap it into the package so that when people get blocked it can divert them to a SSL/HTTPS blocking notification page.  The cert wouldn't match the website typed into the browser originally so it would react like most browsers react to a self signed cert but it wouldn't be just "error - sorry" message.

Just an idea.  I know little about how you packages are constructed, no idea how tough this is.  HTTPS is designed to keep people from being the "Man in the middle", so I feel your pain.

The error was showing squid2 instead of squid3.
That's why it's was not working.

You may need to enable ipv6 to get squid 3.3.5 listening on 2.0.3 as official package install is compiled with ipv6.

Assuming your routing is otherwise OK, if you have snort enabled, make sure it's not blocking that request. It's quite common for snort + blocking + HTTP preprocessors to block the package XML for one reason or another.