Dansguardian package for 2.0

dig1234

Sent. That looks cool, if that could be incorporated into the package along with the missing cgi we may be in business.

Send a link to me on private Message.

If it is the same certs Every browser has to check sites, I think there is no problem.

EDIT

Are these the certs you did install?

http://www.FreeBSD.org/cgi/ports.cgi?query=Cert&stype=all&sektion=security

Port description for security/ca_root_nss

Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.

This port directly tracks the version of NSS in the security/nss port.

Can you try to install this package and see if you get the same result?

amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/ca_root_nss-3.13.2.tbz

i386
http://e-sac.siteseguro.ws/packages/8/All/ca_root_nss-3.13.2.tbz

This package install /usr/local/share/certs/ca-root-nss.crt and a symlink to /etc/ssl/cert.pem

marcelloc

The certs looks the same on both.

On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.

I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.

But when I enable ssl mitm log show all ssl as

DENIED Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 - Default

Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.

If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
sslcertificatepath = '/etc/ssl/certs/'

After this file edit, apply conf on dansguardian gui.

att,
Marcello Coutinho

dig1234

You also need to have symlinks to each of the pem files. The name of symlink will be the computed hash of the cert. Without the properly named symlinks, dansguardian will not see the pem files.
See this site for a script to create a correct symlink: http://wiki.openwrt.org/doc/howto/wget-ssl-certs

Or if you use the tars I sent they already have all the symlinks setup just do tar -xzf for both folders.

@marcelloc:

The certs looks the same on both.

On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.

I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.

But when I enable ssl mitm log show all ssl as

DENIED Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 - Default

Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.

If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
sslcertificatepath = '/etc/ssl/certs/'

After this file edit, apply conf on dansguardian gui.

att,
Marcello Coutinho

marcelloc

No luck. :(

using tar or using ca-root package and linking pfsense ca created I always get the same error.

using only cert check, all https that is not on blacklists goes with no erros
using ssl mitm every https that is not on whitelist fails with

The only thing that changed is that the error now says:
DENIED Failed to negotiate ssl connection to client CONNECT 0 0 SSL Site 1 200

I did removed all certs, including ca-root package and folders.

I'll keep trying to identify how to reach each error.

dig1234

Your symlinks are probably not working. You should have in the /etc/ssl/certs folder about 180 symlinks that look like similar to these:
f060240e.0
f081611a.0
f15719eb.0
f3377b1b.0
f387163d.0
f39fc864.0
f4996e82.0

If you cat one of them you should see a certificate pem file.
This has nothing to do with the generated pfsense CA certificate. This is for dansguardian to verify the CA's on the genuine certs it's receiving from websites. It uses the symlinks to quickly locate the correct CA cert.
That's what cert checking does it checks the website cert against a repository of vaild public CA certs. What's interesting is that dansguardian apparently always does the cert checking if mitm is ON.

I wonder how we can get that cgi, from the source code it appears to be doing some cookie work. The file mitm.cgi does not appear in the dansguardian-2.12.0.0.tar.gz tarball is that what you're working with?

marcelloc

I could not reproduce this file call, just errors or ssl sites normal access.

Try to copy error template to this cgi script.

The base folder is /usr/local/www

I'll commit latest package code with some fixes I did.

mkaishar

dumb question…but how do i install this package? i am on 2.0.1 amd64 iso

marcelloc

It's on system -> packages :)

marcelloc

Version 0.1.5 is out with some fixes and LDAP group based access lists.

Create group acl based on LDAP group name you want to filter
Define userlist frequency update
Apply ldap config

asterix

How do I see the logs and reports of whats blocked and what was searched from my network?

marcelloc

The dansguardian log file is /var/log/dansguardian/access.log

The sarg package will do it on gui but only when dansguardian report is set to squid format.

wheelz

I just came across this and this is great news! I've been hoping for this to be added so I can give pfsense a full try. Is this compatible with squid-reverse? If so, would I load squid-reverse first or vice versa?

marcelloc

@wheelz:

I just came across this and this is great news! I've been hoping for this to be added so I can give pfsense a full try. Is this compatible with squid-reverse? If so, would I load squid-reverse first or vice versa?

I'ts compatible with any squid version on pfsense.

Install squid package first and then dansguardian.

wheelz

I originally got a little install-happy when I saw it and just started loading stuff. For some reason the dansguardian menu never showed up so I removed all packages and started again - this time slower. So I installed the squid-reverse package and made sure I could use the proxy first. That was working after I added the firewall rule to allow 3128. Then I loaded the dansguardian package (menu showed up this time) and added firewall rule to allow 8080 (I removed the 3128 rule). I can telnet into port 8080 but it isn't passing web pages back. Is there another firewall rule I am missing or something else I need to get basic default functionality up?

Also, how do you donate towards a package?

marcelloc

Did you configured squid ip and port on dansguardian daemon settings?

wheelz

yea, 127.0.0.1 and port 3128. I tried to keep a lot of defaults just to get it working and then I'll tweak the things I want afterwards. Still no go though.

marcelloc

try to run it on console/ssh

/usr/local/etc/rc.d/dansguardian start

wheelz

I think it is already started. Both squid and dansguardian services show as being started. I can open a connection to port 8080 so I know it is listening. Perhaps dansguardian and squid just aren't talking yet? I have squid listening on loopback. Do I need a firewall rule to allow loopback traffic?

marcelloc

No, loopback traffic is Allowed by default.

What do you see in dansguardian logs?

wheelz

Hmm… I restarted the services and now squid won't start. This is actually what I had happening the first time I set it up. I get the following when I try to start it from the command line:

2012/03/26 20:52:00| parseConfigFile: squid.conf:18 unrecognized: 'sslcrtd_children'
2012/03/26 20:52:00| ACL name 'all' not defined!
FATAL: Bungled (null) line 182: http_reply_access allow all
Squid Cache (Version 2.7.STABLE9): Terminated abnormally.