Dansguardian package for 2.0

itoxygen

PfSense 2.0.1 install Dansguardian v.0.1.2
error code
php: /pkg_edit.php: The command '/usr/local/etc/rc.d/dansguardian stop' returned exit code '1', the output was 'dansguardian not running? (check /var/run/dansguardian.pid).'
Jan 30 22:13:19 dansguardian[38774]: Error reading custom image file.

where is problem?

marcelloc

@itoxygen:

PfSense 2.0.1 install Dansguardian v.0.1.2
error code
php: /pkg_edit.php: The command '/usr/local/etc/rc.d/dansguardian stop' returned exit code '1', the output was 'dansguardian not running? (check /var/run/dansguardian.pid).'
Jan 30 22:13:19 dansguardian[38774]: Error reading custom image file.

where is problem?

try to start on console:
/usr/local/etc/rc.d/dansguardian start

itoxygen

Dansguardian service status is running, but system logs error message

Jan 30 22:36:57 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/dansguardian stop' returned exit code '1', the output was 'dansguardian not running? (check /var/run/dansguardian.pid).'
Jan 30 22:36:57 dansguardian[50366]: Error reading custom image file.

Content filter not working

marcelloc

Are you configuring client browser to use squid port or dansguardian port?

Can you paste return from:
ps ax | grep -i dansguardian

itoxygen

Squid transparent proxy mode port number 3128, I add the adress to the black list of squid, it works without problem

$ ps ax | grep -i dansguardian
  130  ??  I      0:00.00 /usr/local/sbin/dansguardian
  366  ??  I      0:00.00 /usr/local/sbin/dansguardian
  527  ??  I      0:00.00 /usr/local/sbin/dansguardian
  557  ??  I      0:00.00 /usr/local/sbin/dansguardian
  895  ??  I      0:00.00 /usr/local/sbin/dansguardian
1176  ??  I      0:00.00 /usr/local/sbin/dansguardian
1288  ??  I      0:00.00 /usr/local/sbin/dansguardian
1464  ??  I      0:00.00 /usr/local/sbin/dansguardian
1530  ??  I      0:00.00 /usr/local/sbin/dansguardian
48666  ??  S      0:00.00 sh -c ps ax | grep -i dansguardian
48931  ??  S      0:00.00 grep -i dansguardian
63558  ??  Is    0:00.02 /usr/local/sbin/dansguardian
63861  ??  I      0:00.01 /usr/local/sbin/dansguardian

marcelloc

@itoxygen:

Squid transparent proxy mode port number 3128, I add the adress to the black list of squid, it works without problem

Your dansguardian is running.

Instead of using squid on transparent mode, config your browser to use dansguardian ip and port.

If you want o improve your transparente setup, configure WPAD/PAC on your DHCP.

itoxygen

my system configurations was working without problem on the squidquard, I unistalled squidquard and i installed dansquardian but now filter function is not working

marcelloc

@itoxygen:

my system configurations was working without problem on the squidquard, I unistalled squidquard and i installed dansquardian but now filter function is not working

Try a simple https://facebook.com with squid transparent + squidguard to see how transparent proxy is a ilusion of web filtering.

Dansguardian must stays in front of squid and a proxy configuration must exist to filter https and authenticate users.

If you really need transparent squid, you will need to setup a squid -> dansguardian -> squid.

Dansguardian does not works like squidguard, take a look on dansguardian website do understand better how it works.

itoxygen

Can you inform me with a more detailed explanation? If it is possible an explanation step by step for the settings of dans guardian will be better for me. I really appreciate your help. Thank you very much.

marcelloc

@itoxygen:

Can you inform me with a more detailed explanation? If it is possible an explanation step by step for the settings of dans guardian will be better for me. I really appreciate your help. Thank you very much.

If you understand the transparent proxy limitation, follow these links to get how automatic proxy configuration works

WPAD/PAC info
http://www.davidpashley.com/articles/automatic-proxy.html

http://www.grape-info.com/doc/win2000srv/internet-gw/wpad/index.html

Cino

i'm going to keep my auto proxy config pointing directly to squid's port but on certain computers, manually enter the port for dansguardian.

For client ip logging from dansguard to squid, what i'm finding is there are 2 IPs, the client IP and 127.0.0.1. Going to http://checker.samair.ru/ show's this request when I have either forwardfor and/or usexforwardfor within dansguard and Disable X-Forward in squid unchecked.

squid logs only shows 127.0.0.1.. I'll have to do some more research and do some packet sniffing to verify whats going on…. Its been awhile, but i remember this work prefect when I was using 'client - hvap - squid'.. Squid reported the real client IP in its logs...

EDIT: I did a quick tcpdump and dansguard seems to sending the client IP under X-Forward-For within HTTP traffic.

marcelloc

If you change dansguardian log to squid format don't get the same result as squid log?

EDIT

If I have some time tomorrow I'll see if I can find how HAVP before squid don't affect squid log.

Cino

@marcelloc:

If you change dansguardian log to squid format don't get the same result as squid log?

true.. since i want to have the bulk of the clients going to squid directly and a couple going to dansguard then squid.. It would be nice to have it one log for lightsquid. No biggie right now as I think its a squid3 issue and not dansguardian…. i would downgrade to squid2 but need ipv6 for a certain setup i have..

i'll keep messing around with it but since dansguardian can out put a squid log, there is a workaround.

Cino

i got it to work… some how...lol

thanks again for all your help... I'm still going to mess around with the settings but squid3 is logging the client ip via dansguardian

I did add this to my squid options:
follow_x_forwarded_for allow localhost
forwarded_for delete

sqstat still shows the localhost when I do real-time monitoring but the log shows the client ip.. Which in away makes sense

marcelloc

package version 0.1.3 is out

main chages:

• cron updates for blacklist and clamav

• template field for custom error page

• fix some typos

still missing

• SSL men in the middle feature

Cino

looking good!

How does the users page work? i see the example you gave but not sure how to set it up for IP.. I enabled IP Address auth, then manually edit /usr/local/etc/dansguardian/lists/authplugins/ipgroups. That worked for me but would like to be able to use the GUI….

Also going to try it with freeradius2 with squid but going to see if I could use it based on IP/Subnets instead of usernames...

marcelloc

I've not used auth by ip yet.

The first step to users tab is to create a second group

for example:
set groupname to fullaccess
set Filter Group Mode to unfiltered

save config

goto users tab and add a ip to this user list and test.

EDIT

I'll need to push a patch to fill up /usr/local/etc/dansguardian/lists/authplugins/ipgroups when ipauth is selected.

Thanks again cino for the info.

Cino

in-case someone is looking, i found a ipv6 patch for dansguardian.. dont know if it'll work but wanted to share

http://tech.groups.yahoo.com/group/dansguardian/message/24827

patch

http://saschahlusiak.de/linux/dansguardian-ipv6.diff

marcelloc

Cino,

Do you have a freebsd8.1 vm with ports to test this patch?

Cino

i do not… i think i have still have pc-bsd 8.1 vm on my home server...which i've used to get some drivers for the lcdproc package.. let me see if i can install a plain-jane freebsd 8.1 on it and see what i can do... been a while messing with patches and re-compiling ports... i'll search the forum as i think there were some basic how-to's...