Dansguardian package for 2.0
-
still have a lot more testing with SSL man-in-middle but when I try to access https sites, i'm getting the danguardian denied page "Certificate supplied by server was not valid"
still have to check logs and read the docs from danguardian site on this feature.
-
I'm on the same point.
I did not found anything usefull on internet.
This is a most wanted experimental and non documented feature ever. :(
-
Hi mschiek01,
Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.
Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.I did get it to work. Here is what I did:
Uninstall, postfix, dansguardian & mailscanner
reinstall HAVP
uninstall HAVP & deleted havp user
reinstall postfix, mailscanner, dansguardian
Trying to just pkg_delete the clamv packages was showing errors concerning the packaged deletion.Stopped working again with "error connecting to clam d socket"
check the config file make sure it points to the right clamd socket. In this case on mine the on the /usr/local/etc/clamd.conf clamd socket is located on /var/run/clamd.sock
So I edited the /usr/local/etc/dansguardian/contentscanners/clamdscan.conf to make sure it points to the right location: In mine I change it to:
# edit this to match the location of your ClamD UNIX domain socket clamdudsfile = '/var/run/clamd.sock'Now the dansguardian + av content scanner is working great! I've test it to download eicar test file signature and it detects the signature.
However, I have additional question. I've set the proxy server to dansguardian port in the browser config file on http, ftp and https. But it seems dansguardian does not scan https protocol. Is that normal?
-
It will scan https url and domains only until whe find a way to create "valid" men-on-the-middle certs.
The point is That dansguardian 2.12 is the first release with full ssl filtering support But it is on experimental stage and not documented at all. We could compile it with ssl and also patched dansguardian-devel ports to help bsd users to get it working.If you want to test or reach the same point we(cino and me) are, go on system cert manager, create a CA certificate and a server certificate using this ca. On dansguardian, apply these certificares on second tab and finally enable ssl filtering option on groups tab.
-
Are there any issues getting this to work with a carp interface. Works fine with LAN but trying to get it working with CARP.
-
listen dansguardian on loopback and create a nat rule from your virtual ip to 127.0.0.1
-
It will scan https url and domains only until whe find a way to create "valid" men-on-the-middle certs.
The point is That dansguardian 2.12 is the first release with full ssl filtering support But it is on experimental stage and not documented at all. We could compile it with ssl and also patched dansguardian-devel ports to help bsd users to get it working.If you want to test or reach the same point we(cino and me) are, go on system cert manager, create a CA certificate and a server certificate using this ca. On dansguardian, apply these certificares on second tab and finally enable ssl filtering option on groups tab.
I have same problem with Cino mentioned when using SSL filtering, the dansguardian itself reject/block the site since the certificate is not valid. I thought the client's browser will warns the user about invalid certificates (I've used astaro gateway before) then the user can choose to continue. Maybe since this very experimental stage it does not work well yet.
On another note, a little bit out of topic. I've used proxy.pac and wpad.dat to autoconfigure the proxy settings on the client computers. I put proxy.pac, wpad.dat and wpad.da on local webserver on the network and assign wpad dns name to that particular webserver. This is working fine for most of the computers, most computers connect though the proxy automatically.
However it seems not all client using the proxy settings so when I block outgoing port 80 some client just can't connect to the internet. I've checked the settings and I'm sure all settings is the same (Auto detect settings are ticked). So I did NAT to redirect outgoing port 80 from the internal network to the dansguardian port and its working fine and making sure all clients browse thru the filter.
But with this method I have little trouble bypassing the filter for some host. On the pfsense squid configuration menu it has the option to enable transparent proxy and select exception list of IP are permitted to bypassing the proxy. I'm not sure how to do it on using NAT rule.
EDIT: one more thing. If using wpad/proxy.pac config it will bypass captive portal. Users can browse the internet but can't check emails on outlook since the ports are blocked by the captive portal, cannot login to captive portal too since it nevers shows the login page. If I did not use proxy/wpad thing (connect directly and use port redirection (transparent) the captive portal is working properly). I guess this is the drawback using wpad/proxy auto config.
-
Hi mschiek01,
Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.
Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.I did get it to work. Here is what I did:
Uninstall, postfix, dansguardian & mailscanner
reinstall HAVP
uninstall HAVP & deleted havp user
reinstall postfix, mailscanner, dansguardian
Trying to just pkg_delete the clamv packages was showing errors concerning the packaged deletion.Stopped working again with "error connecting to clam d socket"
check the config file make sure it points to the right clamd socket. In this case on mine the on the /usr/local/etc/clamd.conf clamd socket is located on /var/run/clamd.sock
So I edited the /usr/local/etc/dansguardian/contentscanners/clamdscan.conf to make sure it points to the right location: In mine I change it to:
# edit this to match the location of your ClamD UNIX domain socket clamdudsfile = '/var/run/clamd.sock'Thanks my configuration was the same. I made the change and it is working now.
Now the dansguardian + av content scanner is working great! I've test it to download eicar test file signature and it detects the signature.
However, I have additional question. I've set the proxy server to dansguardian port in the browser config file on http, ftp and https. But it seems dansguardian does not scan https protocol. Is that normal?
-
think there may be a permission issue with clamav… It doesnt start when i reboot the box. This is what I get when I manually start the process:
./clamav-clamd start mkdir: /var/run/clamav: File exists Starting clamav_clamd. ERROR: Can't open /var/log/clamav/clamd.log in append mode (check permissions!). ERROR: Can't initialize the internal logger ./clamav-clamd: WARNING: failed to start clamav_clamdthe permissions for the files are 0644, wheel/root
when i change it to 777, its able to start -
Cino,
If you apply dansguardian config after reboot it fixes the permission?
-
Cino,
If you apply dansguardian config after reboot it fixes the permission?
It has not in the past.. I'll test again but I had to reboot my box yesterday… then i disabled the ssl man-in-middle(would be a apply to dansguardian) and had to manually set the permissions
-
Ok, I'll check it and socket file location
-
still have a lot more testing with SSL man-in-middle but when I try to access https sites, i'm getting the danguardian denied page "Certificate supplied by server was not valid"
still have to check logs and read the docs from danguardian site on this feature.
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"
So either that option is not sticking or I'm missing something. I had a thought of actually feeding the cert checking function with all the trusted root certs from a popular browser. According to dansguardian.conf they should be placed in '/etc/ssl/certs/' though I'm not sure what format or exactly how to batch export them all… Thoughts? -
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"Are you sure you deselected sslmint option(CTRL+CLICK)?
Every time I test dansguardian package, I can enable and disable this option via gui. -
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"Are you sure you deselected sslmint option(CTRL+CLICK)?
Every time I test dansguardian package, I can enable and disable this option via gui.Yes toggling mitm works. Its the cert checking that won't disable. Even through the conf file.
-
Can you check on dansguardianfx.conf if this option is set on on all groups you have?
At my setup it changes from on/off without issues.
-
I should have been more clear, it toggles on and off in the conf file without issue. But once I enable mitm it apparently automatically enables cert checking Even though the conf file still says certcheck=off. I'm assuming this is the reason we are getting that invalid server cert error.
Maybe dansguardian has a built in dependency when you enable mitm you get cert checking. This makes sense because the user/browser can no longer check the authenticity of the original cert since we are only presenting him with a forged cert. The solution would be (as I see it) to fill the /etc/ssl/certs/ with a repository of the valid Root CAs on the internet and let the cert checking do its job.. That should clear the error.
@marcelloc:Can you check on dansguardianfx.conf if this option is set on on all groups you have?
At my setup it changes from on/off without issues.
-
Ok this appears to have worked. I no longer get the "Certificate supplied by server was not valid". However I now get a 404. It appears to be trying to use some sort of redirecting cgi that we don't have in the package yet?
Now when trying to go to https://mail.google.com it redirects to a url: http://PFSENSE_ip/modules/guardian/cgi-bin/mitm.cgi?https://mail.google.com/mail/?tab=wm which triggers a 404.
Bottom line I think I'm one step closer to working mitm…Here's what I did (maybe someone can suggest a cleaner route, I'm pretty new to this..)
-Ran a live ubuntu iso in virtualbox
-Grabbed the folder /etc/ssl/certs (which is a bunch of symlinks to the mozilla folder)
-Grabbed the folder /usr/share/ca-certificates/mozilla
-dumped them in same locations on pfsense
-violla certs now pass dansguardian inspectionNext step find the missing cgi and drop in www path?
-
It steps on mitm cert verify and on ssl filter?
If so, this is really a GOOD news! :D
-
Yes with mitm ON and cert check ON! Try it you'll get a 404 now..
If there's a way to post the tar's of the cert folders, I would but I'm not sure if that's allowed?It steps on mitm cert verify and on ssl filter?
If so, this is really a GOOD news! :D