Dansguardian package for 2.0

wheelz

Now with the new squid package I'm looking to try to get dansguardian filtering HTTPS traffic as well.  I have the CA cert and I created a test server cert and enabled ssl filtering.  Do I need to get the latest from your repo first?  When I try to access HTTPS through I get:

Secure Connection Failed

An error occurred during a connection to www.google.com.

Improperly formatted time string.

(Error code: sec_error_invalid_time)

marcelloc

@Legion:

marcelloc, I mentioned once before that DG fills up my cron table with fetch_blacklist entries:

Try a package reinstall and then a save config.

I've fixed the cron problem but did not bumped the version.

marcelloc

@wheelz:

(Error code: sec_error_invalid_time)

Yes, it's fixed on dansguardian from my repo. But I think there are still other problems with dansguardian mitm.

try latest version and see if it's working on your setup.

Downloadski

I am new to pfsense and freebsd so i could be making user errors..

I have installed pfsense 2.1 (2.1-RC0  (amd64)  built on Mon Jun 24 04:05:41 EDT 2013 FreeBSD 8.3-RELEASE-p8)

I would like to get dansguardian to work.

After reading multiple topics, i first installed suid3 (3.1.20 pkg 2.0.6) from the packages menu.
This seems to work ok, as i can see in the real time proxy monitor the sites i browse.

When i install dansguardian from the packages menu i get the following errors in the log

Jun 25 09:46:37 php: /pkg_mgr_install.php: [Dansguardian] - Save settings package call pr: bp:1 rpc:no 
Jun 25 09:46:37 php: /pkg_mgr_install.php: Starting Dansguardian 
Jun 25 09:46:37 dansguardian[15691]: Error reading PICS file: /usr/pbi/dansguardian-amd64/etc/dansguardian/lists/g_Default 
Jun 25 09:46:37 dansguardian[15691]: Error opening filter group config: /usr/pbi/dansguardian-amd64/etc/dansguardian/dansguardianf1.conf 
Jun 25 09:46:37 dansguardian[15691]: Error reading filter group conf file(s). 
Jun 25 09:46:37 dansguardian[15691]: Error parsing the dansguardian.conf file or other DansGuardian configuration files 
Jun 25 09:46:37 root: /usr/local/etc/rc.d/dansguardian.sh: WARNING: failed to start dansguardian 
Jun 25 09:46:37 php: /pkg_mgr_install.php: The command '/usr/local/etc/rc.d/dansguardian.sh start' returned exit code '1', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 4096 -> 4096 Starting dansguardian. Error reading PICS file: /usr/pbi/dansguardian-amd64/etc/dansguardian/lists/g_Default Error opening filter group config: /usr/pbi/dansguardian-amd64/etc/dansguardian/dansguardianf1.conf Error reading filter group conf file(s). Error parsing the dansguardian.conf file or other DansGuardian configuration files /usr/local/etc/rc.d/dansguardian.sh: WARNING: failed to start dansguardian' 

So it seems there are items missing there.
Also when i look under services, dansguardian is stopped.

I tried to install marcelloc his latest version: pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/dansguardian-2.12.0.6.tbz
But this finishes very fast and i think it is only downloaded and not installed.

[2.1-RC0][admin@pfsense.localdomain]/var/log(69): pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/dansguardian-2.12.0.6.tbz
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/dansguardian-2.12.0.6.tbz... Done.

===>   Please Note:

*******************************************************************************
       This port has created a log file named dansguardian.log that can get
       quite large.  Please read the newsyslog(8) man page for instructions
       on configuring log rotation and compression.

       WITH_CLAMAV, WITH_ICAP, WITH_KASP, WITH_NTLM are all experimental
       options that I am not currently able to test.  Let me know how these
       work (or not) for you.  (Patches always welcome.)
*******************************************************************************

[2.1-RC0][admin@pfsense.localdomain]/var/log(70):

I tried this with the 2.12.0.3 pkg v.0.1.8 from the packages menu installed, and also when i remove that. Same results.

as for my network:
I have a intel 2 port PCI-E card and a trunk to a cisco 200-8 managed switch.
There are 4 vlans and i want to use dansguardian only in 1 vlan.

So i have a native (untagged) vlan 1, and than i have vlan 2,3,4 (tagged)

I do not have a wan connection yet, but made a static GW rule via vlan 2 to the outside world on the existing network.
This is the default route.

So i have basic routing from the vlan3 to the outside world working ok.
I have squid working i think. (i have fast internet, so the caching i do not notice, but i see entrys in the proxy monitor)

MY system should have plenty resources:

running from a 64 GB SSD (not completely used)

[2.1-RC0][admin@pfsense.localdomain]/var/log(80):    df
Filesystem  1K-blocks   Used   Avail Capacity  Mounted on
/dev/ad4s1a   8121926 825832 6646340    11%    /
devfs               1      1       0   100%    /dev
/dev/md0         3694     52    3348     2%    /var/run
devfs               1      1       0   100%    /var/dhcpd/dev

memory:

2.1-RC0][admin@pfsense.localdomain]/var/log(81): dmesg | grep memory
real memory  = 17179869184 (16384 MB)
avail memory = 16442249216 (15680 MB)

cpu:

[2.1-RC0][admin@pfsense.localdomain]/var/log(82): dmesg | grep CPU
CPU: Intel(R) Celeron(R) CPU 847 @ 1.10GHz (1097.51-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0: <acpi cpu="">on acpi0
cpu1: <acpi cpu="">on acpi0
p4tcc0: <cpu frequency="" thermal="" control="">on cpu0
p4tcc1: <cpu frequency="" thermal="" control="">on cpu1
SMP: AP CPU #1 Launched!</cpu></cpu></acpi></acpi> 

Now my question:

• how do i see if i do a: pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/dansguardian-2.12.0.6.tbz what happens, and what do i need to do. 
  I can read and see:

This port has been converted to the new RC framework and should work
      correctly via rcorder.  Please read the comments in the startup script
      for instructions on enabling the daemon.

i can look for all dansguardian filename's witha simple: find / -name dansguardian

/usr/local/sbin/dansguardian
/usr/local/etc/rc.d/dansguardian
/usr/local/etc/dansguardian
/usr/local/share/doc/dansguardian
/usr/local/share/dansguardian
/usr/local/share/dansguardian/scripts/dansguardian
/usr/pbi/dansguardian-amd64/etc/rc.d/dansguardian
/usr/pbi/dansguardian-amd64/etc/dansguardian
/usr/pbi/dansguardian-amd64/sbin/dansguardian
/usr/pbi/dansguardian-amd64/share/dansguardian
/usr/pbi/dansguardian-amd64/share/dansguardian/scripts/dansguardian
/usr/pbi/dansguardian-amd64/.sbin/dansguardian
/var/log/dansguardian

in the scripts directory i see a script :)

This fails execution:

/usr/pbi/dansguardian-amd64/share/dansguardian/scripts(108): dansguardian
Error opening/creating log file. (check ownership and access rights).
I am running as nobody and I am trying to open /var/log//access.log

here i get stuck, as i am on the console and the main/root user i think ?

marcelloc

Tbz packages are for pfsense 2.0.x. 2.1 it needs pbi packages..

Downloadski

Ok, where to find them ?

I cannot run 2.03, as my pc does noet bootup with that so i need to run 2.1

rjcrowder

@Downloadski:

This fails execution:

/usr/pbi/dansguardian-amd64/share/dansguardian/scripts(108): dansguardian
Error opening/creating log file. (check ownership and access rights).
I am running as nobody and I am trying to open /var/log//access.log

here i get stuck, as i am on the console and the main/root user i think ?

I got this error once when all of the user rights were correct, but I had dropped "execute" privileges on one of the directories in the path.

Also… the proper install order is Dansguardian - then Squid 3.

Legion

I've been getting "Error connecting via IPC socket to log: Connection refused" messages for as long as I can remember. Once I restart dg it goes away. A Google search found this:

http://www.uno-code.com/?q=node/141

I checked and your dansguardian.conf does the same thing - creates IPC files in /tmp, which I presume is cleaned out by pfsense each day. Can you expose these file paths in the GUI marcelloc? Or modify the conf file writeout and put them in a dg subdirectory like other DG files (e.g. access.log)

ZGruk

Where are the actual config files for dansguardian located? I've noticed when I change them in the GUI (ACL -> Site Lists for example) they don't change in the files on the machine (in /usr/local/dansguardian/lists/bannedsitelist for example). And conversely, editing bannedsitelist using vi doesn't actually block any sites. I assume there are actual files somewhere on the machine that are getting changed when I change it in the GUI, but I haven't been able to find them.

rjcrowder

@ZGruk:

Where are the actual config files for dansguardian located? I've noticed when I change them in the GUI (ACL -> Site Lists for example) they don't change in the files on the machine (in /usr/local/dansguardian/lists/bannedsitelist for example). And conversely, editing bannedsitelist using vi doesn't actually block any sites. I assume there are actual files somewhere on the machine that are getting changed when I change it in the GUI, but I haven't been able to find them.

/usr/local/etc/dansguardian
/usr/local/etc/dansguardian/lists

The config gets written to the config.xml file (see /conf/config.xml) and then propogated to the appropriate files in the config directories. If you change the files manually, it will be overwritten by what is in the config.xml when you save on the GUI or when you reboot. Confusing part about the config.xml file is that the XML element values are often encoded - so you can't really read it if you just bring the file up in VI.

Gian

Hi, first post here on pfsense forum. I'm a newbie in pfsense, only one week using it, and I have a question.
I've installed dansguardian 2.12.0.3 on pfsense 2.1-RELEASE (amd64), and update the blacklist with shalla's list.
Everything is working fine, but the categories in the Exception part of the Site Lists ACLs are greyed out, there is no categories on the list. The Banned portion of the Site Lists ACLs shows all the categories. Theres something that I'm missing?

Thanks!

Edit:

I've found the problem. In blacklist options, i've selected only to list the categories on the Banned section, and I should have selected to show the list in the section banned and exception.

wheelz

When using multiple auth mechanisms, how to do specify the order?  For example, I have authentication working with AD but there are also phone and other non-computer devices I need to authenticate via IP.

If I select both of those, it puts the IP auth line in the config file first so it tries that first.  It will "always" see the IP in my case so it will never use the AD authentication (NTLM).  I can manually change the conf file but then it gets overwritten on the next save (and seems to mess up XMLRPC Sync).

It would be nice to have a way in the GUI to change the order but for now I only really need to know what file I can edit to change the default order that gets written.  Does anyone know where I can change this?

Thanks!

marcelloc

@wheelz:

for now I only really need to know what file I can edit to change the default order that gets written.  Does anyone know where I can change this?

dansguardian_config.xml

change the order that I check the selected item.

dansguardian.inc code that check auth_plugin

$authplugin=(preg_match('/usr/',$dansguardian_config['auth_plugin'])?"authplugin = '".$dansguardian_config['auth_plugin']."'":"");
        if ($dansguardian_config['auth_plugin']!=""){
                $auth_plugins=explode(",",$dansguardian_config['auth_plugin']);
                $authplugin="";
                foreach ($auth_plugins as $auth_selected)
                        if ($auth_selected != "none")
                                $authplugin.="authplugin = '".preg_replace("@/usr/local@",DANSGUARDIAN_DIR,$auth_selected)."'\n";
        }

wheelz

That worked, or at least it switched the order in the conf file.  According to this:

http://contentfilter.futuragts.com/wiki/doku.php?id=more_than_one_auth_method&DokuWiki=gvhxljbpcoxc (all the way at the bottom #3)

you may just want to change the default order to have IP always on top as it seems like it should always come before other auth methods when multiple auth methods are used.

I'm still messing with DG though, trying to get the multiple auths working the way I need.  Isn't doing the IP auth first now for some reason…  I'll keep trying.

wheelz

marcelloc,

I guess the multiple auth not working for IP is a known issue:

http://sourceforge.net/p/dansguardian/patches/15/

There is a link on that page that points to a French site that says it is fixed in a later version:

http://numsys.eu/search.php?search=Dansguardian

Looks like it is up to 2.12.0.7?  The package for pfsense shows 2.12.0.3, but I did download one of your binary fixes.  When I run it with a -v, it shows 2.12.0.0…  ???  Now I am confused, I thought your binary was newer.

Is there any plans to update the package to 2.12.0.7 or is it possible to get an updated binary that fixes this bug?

Thanks for all your great contributions!

marcelloc

Test with one of dansguardian versions from my repo. I've testing a lot of patches on dansguardian few months ago.

wheelz

@marcelloc:

Test with one of dansguardian versions from my repo. I've testing a lot of patches on dansguardian few months ago.

I found this:

dansguardian 2013-Feb-08 02:07:07 970.9K

under http://e-sac.siteseguro.ws/pfsense/8/amd64/ but I think that is the one I've already downloaded.  I looked around but didn't see any other binaries.  Where are the binaries you were testing with?

marcelloc

e-sac.siteseguro.ws/packages

wheelz

I used the latest file:

dansguardian-2.12.0.3_7.tbz 2013-Aug-20 14:47:20 536.4K

and multi-auth with IP is working.  I'll watch for other issues and thanks!

Guest

For using dansgaurdian, you should add a port forward rule.
It's far better to add a feature for specifying  dansguardian acls in  firewall rules. (like  traffic shaping policy)