Dansguardian unusable
-
I would say high level intermediate… more familiar with red Hat based stuff than bsd, definitely not an expert there... but I already have vhosts installed, an alias prepped, and I suppose I will need to edit some cron jobs and other stuff...
give me the quick and dirty and will let you know if I miss anything.
-
OK… I'm gonna try this by just attaching some files and giving instructions. First of all, you don't actually need to install vHosts. I recently switched to using a directory under /usr/local/www and it works fine. So... here goes.
I've attached several files as follows (rename to remove the ".txt"):
dgbypass.tar.gz - should be untar'd in the directory /usr/local/. Will create /usr/local/dgbypass
dgbypass_www.tar.gz - should be untar'd in the directory /usr/local/www. Will create /usr/local/www/dgbypass
dansguardian.inc.patch - should be applied to dansguardian.inc
dansguardian_log.xml.patch - should be applied to dansguardian_log.xml
my_logrotation.tar.gz should be untar'd in the directory /usr/local. Will create /usr/local/my_logrotation (not required).
Two screenshots - one of the modified dansguardian log page and the other of the bypass page.Create a URL alias called "internal_unfiltered" and point it to the url "http://192.168.5.1/dgbypass/unfiltered" (change 192.168.5.1 to the address of your pfsense server). Note that I have one address range already in the file called unfiltered - it is a range that I assign to devices that should never be filtered (such as the ROKU's and the xBox). Address are added to the unfiltered file by the accessdenied.php page (it calls /usr/local/dgbypass/dgbypass) to be allowed to temporarily bypass the filter. They are tracked and removed by an entry in /usr/local/dgbypass/current_bypass.list.
I assume you already have a firewall rule that transparently redirects users to port 8080 (or whatever port you are using for dansguardian). In that rule, add a "not" source of your alias called "internal_unfiltered".
Edit the following files and change all reference to "192.168.5." to your domain (such as "192.168.1")
/usr/local/www/dgbypass/unfiltered
/usr/local/www/dgbypass/gold_unfiltered
/usr/local/www/dgbypass/accessdenied.php
/usr/local/dgbypass/Also, if you want to have a different range of addresses allowed to bypass DG all the time, then change the address range in /usr/local/www/dgbypass/unfiltered and /usr/local/dgbypass/gold_unfiltered.
Apply the patches to /usr/local/pkg/dansguardian.inc and /usr/local/pkg/dansguardian_log.xml (patch -N file_name < /patches/common/file_name.patch).
Now go into the dansguardian "report and log" page and setup the entries as they look in the attached screenshot. Of course, you'll need to change the IP address to be the IP of your machine.
Create a directory "/var/log/dgbypass"
Add a cron entry to check for removing the bypass addresses every 2 minutes (or more frequently if you want). The cron entry looks like this...
"*/2 * * * * root /usr/local/dgbypass/expire_bypass_ips >> /var/log/dgbypass/expire_bypass_ips.log". The easiest way to enter it is to just install the cron package.Believe that should do it! When you attempt to hit a blocked site, you should get the bypass page pictured in the last screenshot. The tar file for "my_logrotation" is optional - it's a shell script that I schedule via cron for rotating logs...
Note that I have all of the above steps automated via scripts and patches for any "fresh" install that I do... It would be easier if I could just pass that script to you, but it does way more than just the changes described above...
![Screenshot from 2013-11-09 19:51:40.png](/public/imported_attachments/1/Screenshot from 2013-11-09 19:51:40.png)
![Screenshot from 2013-11-09 19:51:40.png_thumb](/public/imported_attachments/1/Screenshot from 2013-11-09 19:51:40.png_thumb)
![Screenshot from 2013-11-09 19:53:22.png](/public/imported_attachments/1/Screenshot from 2013-11-09 19:53:22.png)
![Screenshot from 2013-11-09 19:53:22.png_thumb](/public/imported_attachments/1/Screenshot from 2013-11-09 19:53:22.png_thumb)
dgbypass.tar.gz.txt
dgbypass_www.tar.gz.txt
my_logrotation.tar.gz.txt
dansguardian.inc.patch.txt
dansguardian_log.xml.patch.txt -
Thanks so much…this looks like a piece of cake, will try it out later today.
-
Yea… let me know if I missed something. More than happy to help. Prob a little bit of a pain to setup, but once it is setup, you can just add/delete usernames and passwords on the report/log page (or just use admin/pfsense_password).
Like I said before, the big advantage is that you are completely bypassing DG with this approach...
-
ok…got everything setup, i made an initial mistake on making the alias, forgot to make it a url 'table', got that straightened out, but the override function doesnt work. The access denied page opens, then I submit a username/password and it just bounces back to the access denied page again...
i found the override script, and running it manually works perfect:
/usr/local/dgbypass(45): ./dgbypass 10.0.9.11 john match.com 1 addresses added.
The alias table then has my ip 10.0.9.11 in it, and I can browse 100% unfiltered.
i verified my username/pass are in /usr/local/dgbypass/passwords.txt, i cleared everything out of this file except the user:
[2.1-RELEASE][root@router2.localdomain]/usr/local/dgbypass(11): cat passwords.txt john 123
it seems the accessdenied.php page is not properly calling the dgbypass script, and I am not having much luck debugging the php.
-
OK… if it is just bouncing back to the accessdenied.php page, then it is not validating your id/password combination. If you enter valid id/password it goes to a "proceed" page (see attached). Note... the "proceed" page is in the same php file.
Try your pfsense admin id/password first (it gets it from config.xml) and see if that works. If the php cannot find it that way, then it goes to passwords.txt and looks for a userid/password there...
![Screenshot from 2013-11-10 15:58:15.png](/public/imported_attachments/1/Screenshot from 2013-11-10 15:58:15.png)
![Screenshot from 2013-11-10 15:58:15.png_thumb](/public/imported_attachments/1/Screenshot from 2013-11-10 15:58:15.png_thumb) -
btw…
The code to check config.xml starts at line 186 of the accessdenied.php.
The code to check "passwords.txt" starts at line 197
The code to execute dgbypass starts at line 217 -
Yes, I read through all your php, I can decipher it all, but I am just worthless at modifying or validating it, I saw that several functions/pages are in that one.
Using the pfsense admin login does not work either, I even made a 2nd pfsense admin account, dont work…any more ideas?
-
The attached version writes a bunch of log statements to /var/log/dgbypass/accessdenied.log. Can you copy it into /usr/local/www/dgbypass and let me know what is written to the log?
BTW… be sure to change the IP address in the php (192.168.4.1) to the address of your pfsense server...
-
was on the road all day… here is what i got:
cat /var/log/dgbypass/accessdenied.log [11-Nov-2013 21:04:55 America/Los_Angeles] Starting [11-Nov-2013 21:04:55 America/Los_Angeles] clientip [10.0.9.11] [11-Nov-2013 21:04:55 America/Los_Angeles] url2 [DENIEDURL==http%3a%2f%2fmatch%2ecom::IP==10.0.9.11::USER==10.0.9.11::CATEGORIES==::GBYPASS==69555D8FAFA8A886D99A6227DDEA2FF41384232725::REASON==Banned%20site%3a%20match%2ecom] [11-Nov-2013 21:05:03 America/Los_Angeles] Checking ID/Password [11-Nov-2013 21:05:03 America/Los_Angeles] username [] [11-Nov-2013 21:05:03 America/Los_Angeles] passwd [] [11-Nov-2013 21:05:03 America/Los_Angeles] exec-1 [] [11-Nov-2013 21:05:03 America/Los_Angeles] ID/Password NOT found in config.xml [11-Nov-2013 21:05:03 America/Los_Angeles] ID/Password NOT found in passwords.txt [11-Nov-2013 21:05:03 America/Los_Angeles] Starting [11-Nov-2013 21:05:03 America/Los_Angeles] clientip [10.0.9.11] [11-Nov-2013 21:05:03 America/Los_Angeles] url2 [::DENIEDURL==http%3a%2f%2fmatch%2ecom::IP==10.0.9.11::USER==10.0.9.11::CATEGORIES==::GBYPASS==69555D8FAFA8A886D99A6227DDEA2FF41384232725::REASON==Banned%20site%3a%20match%2ecom]
Used this user/password:
cat /usr/local/dgbypass/passwords.txt john zxcv
-
ok… i figured it out, not sure why it was showing the accessdenied page at all... the default pfsense port 80>443 redirect rule was messing with it, i specified the bypass page on port 80, it would display for some reason, then choke when bypassing because i didnt specify https in the php code.
THANKS SO MUCH - this is excellent.
-
Glad you got it working…
Just in case you're interested, I've spent a lot of time trying to make pfSense the "ultimate home filtering solution". I've even gone so far as creating stripped down menu and rewritten a number of the screens in order to make it easier for a non-technical person to administer. My intention is to offer pre-configured cheap atom boxes for anyone interested in the uber home filtering solution (really as a ministry - not to make money).
Some features of the home filter box setup...
o Very simplified screens focused purely on:
- applying web access time restrictions
- administering the content filter
- removal of anything that could be confusing to the "non-technical"
o Screen to easily assign MAC addresses to "IP Group Aliases".
o Screen to apply time blocking schedules to IP Group Aliases
o Bypass feature for the content filter
o Interface to query/view the content filter logs (dglog2)Obviously, this setup is very limited in features intended for a specific purpose... but it is also very simple and difficult to "break". It assumes a very specific configuration (i.e. squid, dg, two interfaces of LAN/WAN, no VPN or traffic shaping, etc.) However, it's also easy to switch back to the default pfSense menu when necessary and turn on more features. I also have instructions and scripts that pretty much automate the setup...
Some of the more technical things that I've implemented "under the covers" that you might be interested in:
o The filter bypass (based on IP address not being redirected to the filter)
o Layer 3 checking (using ipfw) of mac/IP combinations to make sure no one "hijacks" an unfiltered IP address
o DNS entries to force non-SSL google search (so it can be content filtered)
o Dynamic update of the addresses it resolves to for non-SSL search (in case they change)
o Implementation of dglog2.pl script for querying/reporting the content filter logs
o Block usage of any name servers other than OpenDNSAnyway... probably total overkill. Just thought you or others might be interested. I've included links to some screen shots.
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A23%3A12.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A23%3A22.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A23%3A41.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A24%3A21.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A24%3A38.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A24%3A56.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A25%3A09.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A25%3A26.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A25%3A35.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A28%3A25.png -
That looks awesome… I definitely dont want to encroach on your potential business, but if you wished to offer it, I would be interested some of those ssl search redirect features you have setup.
Right now this thing does exactly what I was in dire need of with dg, I probably wouldnt use your gui setup, because there are some other features I use, but I wouldn't mind tinkering with the ssl redirect.
-
That looks awesome… I definitely dont want to encroach on your potential business, but if you wished to offer it, I would be interested some of those ssl search redirect features you have setup.
Right now this thing does exactly what I was in dire need of with dg, I probably wouldnt use your gui setup, because there are some other features I use, but I wouldn't mind tinkering with the ssl redirect.
That one is pretty simple…
1.) Create a directory /usr/local/update_dns_overrides
2.) Create a log directory - I use /var/log/update_dns_overrides
3.) Copy attached php file (minus .txt) into the directory
4.) Create the "host override" entries on the attached screenshot.
5.) Run the php script via cron on whatever timeframe you wantMy cron entry is:
/usr/local/bin/php -q /usr/local/update_dns_overrides/update_dns_overrides.php >> /var/log/update_dns_overrides/update_dns_overrides.logNote that this is a little bit of a hack. The script looks for the description starting with "ip=" and updates the override address to the address that URL following "=" resolves to...
Obviously, you wouldn't have to have my little update script - you could just create the entries. However, this covers you if the address for your override ever changes.
![Screenshot from 2013-11-12 12:00:07.png](/public/imported_attachments/1/Screenshot from 2013-11-12 12:00:07.png)
![Screenshot from 2013-11-12 12:00:07.png_thumb](/public/imported_attachments/1/Screenshot from 2013-11-12 12:00:07.png_thumb)
update_dns_overrides.php.txt -
great, thanks for the tip, I will check that out sometime soon…