Dansguardian package for 2.0
-
dumb question…but how do i install this package? i am on 2.0.1 amd64 iso
-
It's on system -> packages :)
-
Version 0.1.5 is out with some fixes and LDAP group based access lists.
-
Create group acl based on LDAP group name you want to filter
-
Define userlist frequency update
-
Apply ldap config
-
-
How do I see the logs and reports of whats blocked and what was searched from my network?
-
The dansguardian log file is /var/log/dansguardian/access.log
The sarg package will do it on gui but only when dansguardian report is set to squid format.
-
I just came across this and this is great news! I've been hoping for this to be added so I can give pfsense a full try. Is this compatible with squid-reverse? If so, would I load squid-reverse first or vice versa?
-
I just came across this and this is great news! I've been hoping for this to be added so I can give pfsense a full try. Is this compatible with squid-reverse? If so, would I load squid-reverse first or vice versa?
I'ts compatible with any squid version on pfsense.
Install squid package first and then dansguardian.
-
I originally got a little install-happy when I saw it and just started loading stuff. For some reason the dansguardian menu never showed up so I removed all packages and started again - this time slower. So I installed the squid-reverse package and made sure I could use the proxy first. That was working after I added the firewall rule to allow 3128. Then I loaded the dansguardian package (menu showed up this time) and added firewall rule to allow 8080 (I removed the 3128 rule). I can telnet into port 8080 but it isn't passing web pages back. Is there another firewall rule I am missing or something else I need to get basic default functionality up?
Also, how do you donate towards a package?
-
Did you configured squid ip and port on dansguardian daemon settings?
-
yea, 127.0.0.1 and port 3128. I tried to keep a lot of defaults just to get it working and then I'll tweak the things I want afterwards. Still no go though.
-
try to run it on console/ssh
/usr/local/etc/rc.d/dansguardian start
-
I think it is already started. Both squid and dansguardian services show as being started. I can open a connection to port 8080 so I know it is listening. Perhaps dansguardian and squid just aren't talking yet? I have squid listening on loopback. Do I need a firewall rule to allow loopback traffic?
-
No, loopback traffic is Allowed by default.
What do you see in dansguardian logs?
-
Hmm… I restarted the services and now squid won't start. This is actually what I had happening the first time I set it up. I get the following when I try to start it from the command line:
2012/03/26 20:52:00| parseConfigFile: squid.conf:18 unrecognized: 'sslcrtd_children'
2012/03/26 20:52:00| ACL name 'all' not defined!
FATAL: Bungled (null) line 182: http_reply_access allow all
Squid Cache (Version 2.7.STABLE9): Terminated abnormally. -
Dansguardian package does not force a squid install if you have squid already installed. Try to reinstall squid package.
-
I fixed it! ;D I guess somehow a line got removed from the squid conf. I just added
acl all src 0.0.0.0/0.0.0.0
to the custom options and now both squid and dans is working.
-
Is it possible to have Active Directory pass-through authentication so that users don't have to enter a user name and password to browse through squid/dans?
-
I did it last week with squid + samba + Kerberos but dansguardian ntlm plugin could not detect squid ntlm responses.
The way I got it working was squid with ntlm or negociate then dansguardian then another squid in cache mode.
I did a smal post in portugueses forum with steps I did. Try to google translate it :)
http://forum.pfsense.org/index.php/topic,47532.msg250366.html#msg250366
-
So I am following your posts on what you did for the samba authentication. Everything went ok and I ran the kinit command ok but the domain join returns the following:
net ads join -U MyAdminAccount@MYDOMAIN.LOCAL
Host is not configured as a member server.
Invalid configuration. Exiting….
Failed to join domain: This operation is only allowed for the PDC of the domain.Perhaps it is just easier if I post my files. If you assume the following:
AD Domain is mydomain.local
PDC Emulator DC is mydc.mydomain.local
Admin Account for domain join is MyAdminAccount
pfsense host name is pfsenseIs this configuration correct?
/etc/krb5.conf
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/ksadmind.log [libdefaults] default_realm = MYDOMAIN.LOCAL. dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC [realms] PRIVATE.V.VNET = { kdc = mydc.mydomain.local.:88 admin_server = mydc.mydomain.local.:749 default_domain = domain. } [domain_realm] .domain. = MYDOMAIN.LOCAL. domain. = MYDOMAIN.LOCAL. [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
/etc/samba.smb.conf
[global] netbios name = MYDC workgroup = MYDOMAIN realm = MYDOMAIN.LOCAL server string = Domain Proxy Server encrypt passwords = yes security = ADS password server = mydc.mydomain.local log level = 3 log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 printcap name = /etc/printcap preferred master = No dns proxy = No ldap ssl = no idmap uid = 10000-20000 idmap gid = 10000-20000 winbind use default domain = yes cups options = raw
/var/heimdal/kdc.conf
[kdcdfefaults] acl_file = /var/heimdal/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab v4_mode = noreauth [libdefaults] default_realm = MYDOMAIN. [realms] MYDOMAIN. = { master_key_type = des-cbc-crc supported_enctypes = des3-hmac-sha1:normal arcfourhmac: normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 }
/var/heimdal/kadm5.acl
*/admin@MYDOMAIN.LOCAL *
Additional Squid parameters (I added the acl all src 0.0.0.0/0.0.0.0 to fix my previous issue)
acl all src 0.0.0.0/0.0.0.0;auth_param ntlm program /usr/local/bin/ntlm_auth -use-cached-creds -helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 30;on auth_param ntlm keep_alive;proxy_auth REQUIRED acl password;http_access allow password
I wasn't completely sure about the pathing in the config files as they weren't changed in the other guy's posts that you were helping. Also I wasn't sure which NETBIOS name to use in the samba config and exactly what is supposed to be in the kadm5.acl file. I did a copy/paste of the Proxy parameters but it didn't paste right so that's why I wanted to confirm those as well.
Also for when you specify the PDC, does this have to be the DC with the PDC emulator role or can it be any DC?
Thanks in advance!
-
wheelz,
some checks:
-
Make sure pfsense machine name isn't the same name as any user on your active directory
-
perform a kinit/klist to make sure you have kerberos comunication do active directory before net ads join
-
Pay attention on . and UPPERCASES of kerberos config files, follow exactly what is on squid howto.
att,
Marcello Coutinho -