Netgate Discussion Forum

    Installing the Dansguardian package in PFSense - One user's experience

    • R
      rjcrowder
      last edited by

      I'll move the startup script somewhere else and try it again… but I'm fairly certain that it was never coming up - or at least not consistently.

      This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).

      I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)… it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?

      • marcellocM
        marcelloc
        last edited by

        @rjcrowder:

        This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).

        It's a dansguardian feature, but I did not include it in the GUI. Check dansguardian.conf to see the secret.

        @rjcrowder:

        I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)… it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?

        I'll test it this week.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        • C
          Chewy
          last edited by

          Or… better yet, has anyone already implemented the bypass feature?

          I'm in the same position having come from Smoothwall where I had this feature working. Exactly as you say, DG can be a little harsh at times so I simply implemented the "Bypass Button" which gave access for 10 minutes and then reset. Mine wasn't as sophisticated as a userid and password since my filtering is only to provide a warning almost, I'm not really trying to ban my daughters from anything on the net, I'm just trying to stop them accessing stuff accidentally that they probably don't want (and of course remove adverts and such).

          But anyway, I'm rambling on, if you do get that feature working I'd be really interested in how you've done it for this implementation with PFsense.

          • R
            rjcrowder
            last edited by

            Dansguardian override works like a champ… Here is what I did.

            1. Installed the vhosts package.
            I had one minor issue with this. The service status page doesn't seem to correctly display the fact that it is running. I found a workaround on the forums to fix it http://forum.pfsense.org/index.php/topic,33804.0.html.

            2. Followed the instructions for setting up the override page from here http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/.
            This was pretty straightforward, I just had to change the directories to be appropriate to the light http web server. For example, I put the accessdenied.php file in the directory /usr/local/vhosts/vhost01.local/. Of course, I also had to change the URLs to be appropriate to my box and port. I put the password text file in /var/etc/.

            • R
              rjcrowder
              last edited by

              On a related note… It did not work when I tried booting without the script to restart dansguardian at the end of the bootup. Without the script it appears that dansguardian starts up, squid starts after and then dansg eventually shuts down.

              • marcellocM
                marcelloc
                last edited by

                I could not reproduce this issue, but I'll include an option in the dansguardian GUI to force squid startup before dansguardian.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                • R
                  rjcrowder
                  last edited by

                  @marcelloc:

                  @rjcrowder:

                  This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).

                  It's a dansguardian feature, but I did not include it in the GUI. Check dansguardian.conf to see the secret.

                  @rjcrowder:

                  I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)… it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?

                  I'll test it this week.

                  It appears that there is no way to get the GUI to not overwrite my changes when the config is saved (for the access denied php page that I put in place)… Would it be possible to add an option to the GUI so that you can specify a URL for the access denied page rather than having the user supply the HTML page content?

                  • C
                    Chewy
                    last edited by

                    Would it be possible to add an option to the GUI so that you can specify a URL for the access denied page rather than having the user supply the HTML page content?

                    vote +1

                    or even better, for me at least, the option to either specify the content or an override URL ?

                    • marcellocM
                      marcelloc
                      last edited by

                      @Chewy:

                      or even better, for me at least, the option to either specify the content or an override URL ?

                      The way to specify the content isn't already there?  ???

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      • C
                        Chewy
                        last edited by

                        The way to specify the content isn't already there?

                        Yes, it is there but RJCrowder is suggesting specifying a URL instead (or that's how I read it)

                        Would it be possible to add an option to the GUI so that you can specify a URL for the access denied page rather than having the user supply the HTML page content?

                        I'm merely asking to have both which could be achieved quite easily by allowing the reporting level and a redirect URL to be exposed through the GUI. Dansguardian will use the local HTML when the reporting level is 3 and the redirect URL when it is at levels 1 or 2.

                        • C
                          chris23
                          last edited by

                          Think I may have tracked down why Dans doesn't start properly on bootup (on my setup)
                          I get this error:
                          php: : The command '/usr/local/sbin/squid -k reconfigure' returned exit code '1', the output was '2012/04/25 10:17:58| WARNING: '192.168.0.0/255.255.255.0' is a subnetwork of '192.168.0.0/255.255.255.0' 2012/04/25 10:17:58| WARNING: because of this '192.168.0.0/255.255.255.0' is ignored to keep splay tree searching predictable 2012/04/25 10:17:58| WARNING: You should probably remove '192.168.0.0/255.255.255.0' from the ACL named 'localnet' squid: ERROR: No running copy'

                          On my squid setup I have chosen to select LAN + loopback, so that the children go through the 8080 dans proxy and my machine uses 3128 (for caching purposes)
                          Is it possible that this is causing the error and not allowing dans to start automatically?

                          Still starts when I go in and press start.
                          Or am I just completely barking up the wrong tree….  ::)
                          Thanks
                          Chris

                          My weather station: http://rollestonpark.myzen.co.uk

                          • R
                            rjcrowder
                            last edited by

                            Just another quick note on something that needs to be done… it appears that DG log rotation is not set up. You can enable the "logrotation" script in /usr/local/share/dansguardian/scripts/. To get it working, do the following.

                            1. Edit /usr/local/share/dansguardian/scripts/logrotation and change
                              LOG_DIR=/var/log/ to
                              LOG_DIR=/var/log/dansguardian
                            2. Make the file executable
                              chmod +x /usr/local/share/dansguardian/scripts/logrotation
                            3. Add it to your list of scheduled tasks in cron so that it executes once a week. To do so, I installed the "cron" package and added an entry as follows (executes at 2:30am on Saturday):
                            30 2 * * sat root /usr/local/share/dansguardian/scripts/logrotation

                            Hope this helps...

                            • marcellocM
                              marcelloc
                              last edited by

                              @rjcrowder:

                              Just another quick note on something that needs to be done… it appears that DG log rotation is not set up. You can enable the "logrotation" script in /usr/local/share/dansguardian/scripts/.

                              Thanks for these steps, I'll take a look and implement when time permits.

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              • marcellocM
                                marcelloc
                                last edited by

                                I've just pushed some fixes to improve dansguardian boot process and checks.

                                On my tests, dansguardian startup time during boot process reduced to 20 seconds.

                                Wait 15 minutes, reinstall the package, apply config and reboot.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                • C
                                  Chewy
                                  last edited by

                                  Firstly - Thanks Marcello that's excellent news. Can I just clarify that where you say "apply config and reboot" do you mean manually apply the config or restore from a saved xml config ? Would that work ? (Just saves me some time if it does).

                                  Secondly and totally unconnected here's a strange one for Netflix users.

                                  I recently re-installed my windows system onto a new SSD and subsequently my Netflix gave a Silverlight N8152 DRM error when starting. I tried every suggested fix I could find for what is apparently a fairly common error all to no avail. The solution I found that worked for me was to disable the Dansguardian redirect rule, start Netflix, watch a moment of some content then stop Netflix and re-enable the redirect rule for DG, no more DRM N8152 Silverlight problem…..

                                  I have no idea why, but it worked for me.

                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    @Chewy:

                                    Firstly - Thanks Marcello that's excellent news. Can I just clarify that where you say "apply config and reboot" do you mean manually apply the config or restore from a saved xml config ? Would that work ? (Just saves me some time if it does).

                                    Reinstall the package, go to the dansguardian GUI, and manually apply the config. If you want to test the boot process, reboot after applying the config.

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    • R
                                      rs
                                      last edited by

                                      Hello All

                                      Many thanks to the author of the Dansguardian-Package. This is a very useful function added to pfSense.

                                      I found what appears to be a bug in the handling of the Dansguardian Package configuration on pfSense 2.

                                      Setup:
                                      pfSense 2.0.1-release
                                      Dansguardian Package (2.12.0.0 pkg; v.0.1.5.3)
                                      squid Package (2.7.9 pkg v.4.3.1)

                                      The Problem:
                                      If I set the Proxy-IP to 127.0.0.1 on the configuration page of Dansguardian (>Services>Dansguardian>Daemon) and leave the value for the Proxy-Port empty (for the default), then in the config file of Dansguardian (/usr/local/etc/dansguardian/dansguardian.conf) the value 127.0.0.1 will be written for the proxy-port entry (proxyport = 127.0.0.1).

                                      My Solution:
                                      Manually set the value of the proxyport setting in /usr/local/etc/dansguardian/dansguardian.conf
                                      (In the pfSense-webgui for example by browsing to the config-file via >Diagnostics>Edit File).

                                      Regards
                                      Roman

                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        @rs:

                                        The Problem:
                                        If I set the Proxy-IP to 127.0.0.1 on the configuration page of Dansguardian (>Services>Dansguardian>Daemon) and leave the value for the Proxy-Port empty (for the default), then in the config file of Dansguardian (/usr/local/etc/dansguardian/dansguardian.conf) the value 127.0.0.1 will be written for the proxy-port entry (proxyport = 127.0.0.1).

                                        My Solution:
                                        Manually set the value of the proxyport setting in /usr/local/etc/dansguardian/dansguardian.conf

                                        Why not just fill the proxy port field?  ???

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        • R
                                          rs
                                          last edited by

                                          @marcelloc:

                                          Why not just fill the proxy port field?  ???

                                          Yes, this works, and is of course a better solution. I just had not tried it until now.
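
A check for the symptom reported in this exchange (an IP address written into proxyport), as an added example that is not part of the original posts or of the Dansguardian package. The function names are hypothetical, and it assumes the `key = value` syntax quoted in the post and an IPv4 proxyip.

```shell
#!/bin/sh
# Added example (not part of the Dansguardian package): validate the
# upstream proxy settings of a dansguardian.conf read from stdin.

# conf_value KEY: print the last value assigned to KEY in $conf, with any
# trailing "# comment", whitespace and surrounding quotes removed.
conf_value() {
    printf '%s\n' "$conf" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^['\"]//" -e "s/['\"]\$//" |
        tail -n 1
}

is_port() {   # decimal integer in 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {   # dotted quad, each octet 0-255
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Reads the config from stdin, prints one line per finding, and
# returns 0 when both settings are sane, 1 otherwise.
check_proxy_settings() {
    conf=$(cat)
    rc=0
    ip=$(conf_value proxyip)
    port=$(conf_value proxyport)
    if ! is_ipv4 "$ip"; then
        echo "proxyip '$ip' is not an IPv4 address"; rc=1
    fi
    if is_ipv4 "$port"; then
        echo "proxyport '$port' is an IP address (port field left empty in the GUI?)"; rc=1
    elif ! is_port "$port"; then
        echo "proxyport '$port' is not a port in 1-65535"; rc=1
    fi
    return $rc
}

# Constructed sample reproducing the file contents reported above.
sample_bad_conf() {
    printf '%s\n' '# constructed sample' 'proxyip = 127.0.0.1' 'proxyport = 127.0.0.1'
}

# Usage: sh check.sh /usr/local/etc/dansguardian/dansguardian.conf
if [ $# -gt 0 ]; then
    check_proxy_settings < "$1"
else
    sample_bad_conf | check_proxy_settings || echo "sample config rejected, as expected"
fi
```

Running it after each "apply config" in the GUI catches the case before Dansguardian tries to reach its upstream proxy with an unusable port.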

                                          • K
                                            kryptos
                                            last edited by

                                            Hi All,

                                            Where could I find exceptioniplist on the menu? It seems I can't find it.

                                            Regards,
                                            Rocel

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.