Dansguardian package for 2.0

i have installed Dansguardian but its not showing up in services or anywhere else apart from installed packages. i am using latest pfsense. any idea? thanks

marcelloc · Aug 1, 2012, 2:12 PM

@jai23155:

any idea?

If its not on services-> dansguardian, try to reinstall it.

wheelz · Aug 15, 2012, 8:06 PM

I've had to drop this for a while (new baby and all) but I had someone asking about the SSO for dansguardian. Hopefully I'll be able to revisit it and provide a howto for everyone, though it may be a little while.

Marcelloc, did you ever get that patch from dansguardian working that would fix the bug about not being able to use multiple authplugins?

broncoBrad · Aug 20, 2012, 5:15 AM

So couple questions… the first being that I was told in this thread to install Squid2, but I don't see Squid2 I only see Squid3 but it says it's a beta version. Is there still a Squid2 available?

Next thought, I don't understand the configuration of using the proxy. From the last response, I assume there is no firewall rule needed for using the proxy, but is there anything else in pfsense besides the loopback address at port 3128 that I would need to set up? Where is the setup for that loopback on port 3128 done?

Another thought, again sorry for the newbie questions, is the proxy automatically run on ALL NICs of pfsense because it's the interface to the WAN yes? Is there any way I can select which NICs the proxy is run on?

Last thought, with the firewall rules: Normal access on the KIDS opt interface I have a single rule that says allow any from KIDS net to any. Would that rule still exist or do I need to change that rule to only allowing on port 8080 to use dansguardian correctly? Does that question make sense?

Thanks again in advance!

marcelloc · Aug 20, 2012, 4:18 PM

@wheelz:

Marcelloc, did you ever get that patch from dansguardian working that would fix the bug about not being able to use multiple authplugins?

Not yet, I've tried once without success. Next month maybe I'll have time to test it again.

peer_g · Aug 21, 2012, 7:02 PM

i have installed Dansguardian but its not showing up in services or anywhere else apart from installed packages. i am using latest pfsense. any idea? thanks

Sam error here. I already reinstalled the whole package (2.12.0.0 pkg v.0.1.5.4 ) and just reinstalled the gui components from package management. Still no luck!
I have also installed Squid (2.7.9 pkg v.4.3.1 ) and Sarg (2.3.2 pkg v.0.5 )

Any suggestions?

peer_g · Aug 22, 2012, 8:14 PM

Tried to completely reinstall pfsense from scratch, imported my config and reinstalled 1) squid and 2) dansguardian. Both installation run without errors - but still no menu entry from dansguardian.
Anyone can help us?

broncoBrad · Aug 28, 2012, 3:58 AM

Anybody? Any thoughts on my August 20th post?

Thanks!

rjcrowder · Aug 28, 2012, 12:07 PM

@broncoBrad:

So couple questions… the first being that I was told in this thread to install Squid2, but I don't see Squid2 I only see Squid3 but it says it's a beta version. Is there still a Squid2 available?

Squid version 2 should show on the list of packages to install. That said - either one will work.

@broncoBrad:

Next thought, I don't understand the configuration of using the proxy. From the last response, I assume there is no firewall rule needed for using the proxy, but is there anything else in pfsense besides the loopback address at port 3128 that I would need to set up? Where is the setup for that loopback on port 3128 done?

I'm not sure I understand your question. You select loopback and start Squid listening on port 3128. Then you configure Dansguardian to talk to squid using the loopback (127.0.0.1). You can also configure it to start on the LAN interface and then use the IP address of your pfsense firewall

@broncoBrad:

Another thought, again sorry for the newbie questions, is the proxy automatically run on ALL NICs of pfsense because it's the interface to the WAN yes? Is there any way I can select which NICs the proxy is run on?

Last thought, with the firewall rules: Normal access on the KIDS opt interface I have a single rule that says allow any from KIDS net to any. Would that rule still exist or do I need to change that rule to only allowing on port 8080 to use dansguardian correctly? Does that question make sense?

Again… not certain what you are asking. What I've done (for a non-transparent setup) is to block all internal addresses outbound. Then I configure all internal clients to use a proxy. This can be done either using an automatic Proxy PAC file or by setting it in the proxy settings of the browser. The easiest way to start testing it is to config the browser to use a proxy with IP address of your firewall and port 8080.

karmstrong · Aug 28, 2012, 1:01 PM

@peer_g:

Tried to completely reinstall pfsense from scratch, imported my config and reinstalled 1) squid and 2) dansguardian. Both installation run without errors - but still no menu entry from dansguardian.
Anyone can help us?

I ran into the same problem myself this morning. I resolved it by just going to my installed packages menu and clicking the button to reinstall Dansguardian. Then it showed up in my menu.

broncoBrad · Aug 28, 2012, 9:42 PM

Thanks rj for your response. Things will probably make more sense to me once I start setting things up. My concern is trying to install both the proxy (Squid) and the content filtering (Dansguardian) and not having either work. So I would like to get the proxy set up and working first, then after I know that is working then get the content filtering up.

My question about the proxy on all NICs has to do with things like game consoles or satellite STBs not working well with proxies. I assume for PCs when using internet browsers most would chose automatically detect proxy settings and that would work. What about other programs such as apps on a cell phone that may not like being behind a proxy?

In attempt to clarify my questions from my August 20th post here goes (sorry for being a newbie):

#1 For the Squid proxy to work do you have to set up a firewall rule on each NIC to pass traffic to the loopback 3128 port? I ask because for Dansguardian a firewall rule must be created yes?

#2 So you first set up the proxy on port 3128, then Dansguardian is set up on 8080. If browser have automatically detect proxy settings is it going to pass through both 8080 and then 3128?

#3 Is the loopback address per NIC? So like if I have multiple NICs I would have to enable squid on each loopback address port 3128 yes?

rjcrowder · Aug 29, 2012, 1:28 AM

Your approach is fine, but you can install both and just not turn on dans until you're ready. As far as auto detection of the proxy, you need to setup the PAC file along with some other stuff in DNS or DHCP to make it work. You can search the forums for instructions.

Your point on problems through proxies is legitimate as well. I have a range reserved (192.168.5.200/29) that is allowed to directly access the internet without going through dans and the proxy. Let me try to address your other questions…

#1. You do not need to create any firewall rules to get dans or the proxy working. You will need to create a NAT rule if you want to transparently proxy (i.e. do it without setting the proxy in the browser).
#2. The browser will point to 8080 only. Dans passes to squid (3128) based on its config. If you want to test just squid - then set the browser proxy to 3128.
#3. I don't know the answer to this question... sorry.

rjcrowder · Sep 17, 2012, 1:16 PM

This last weekend I setup a new pfsense GUI user. Just wondering if there is a way to disable the Dansguardian menu for the new user…

In other words, I did the following:
1.) setup a group with specific rights - didn't give it anything specific to dansguardian (actually didn't see anything on the list).
2.) created a users and assigned it to the above group

When I login with the new user it appears that the group assignment worked correctly (i.e. user does not have GUI rights that it should not). However Dans is still accessible and active from the menu. Did I miss something? Is there any way to remove the Dansguardian menu from certain users?

marcelloc · Sep 17, 2012, 2:39 PM

On 2.1 yes. I did not include the permission file yet.

On 2.0.1 you can deny access to all xml file using postfix permissions file.

download http://www.pfsense.org/packages/config/postfix/postfix.priv.inc to /etc/inc/priv to have "WebCfg - Services: All xml pages (config)." listed on user permissions.

rjcrowder · Sep 30, 2012, 3:29 AM

@namek:

@marcello,

I had a question - What is the significance/use of the "Anti-virus" TAB on the access lists in Dansguardian?
What does it do?
And the other - found a typo that you can fix the next time you update the package (Services->Dansguardian -> Access Lists -> "Phase", which I suppose should be Phrase..

UPDATE - I believe this only needs to be fixed at /usr/local/pkg/dansguardian_antivirus_acl.xml, rest of the xml files have the correct spelling.

Dans will do virus scanning using clamav. This tab makes changes to the files that control what it scans.

emjhay · Nov 21, 2012, 4:26 AM

We just had a problem with our setup, we have pfsense 2.0.1, multi-wan and dansguardian (including all per-requisite like squid). The problem is if the listening interface is on LAN all client computers will go to the gateway1 (WAN1). What we want is to be able to shift between gateway1 (WAN1) and gateway2 (WAN2/OPT1) on selected computers without interrupting the site filtering or blocking. Is there any possible solution for this problem? Just correct me if I posted it in the wrong thread…

marcelloc · Nov 21, 2012, 1:06 PM

@emjhay:

What we want is to be able to shift between gateway1 (WAN1) and gateway2 (WAN2/OPT1) on selected computers without interrupting the site filtering or blocking. Is there any possible solution for this ?

You will need one proxy for each LAN and another pfsense to balance/failover proxy access.