Dansguardian unusable
-
ok… got everything set up, I made an initial mistake on making the alias, forgot to make it a URL 'table', got that straightened out, but the override function doesn't work. The access denied page opens, then I submit a username/password and it just bounces back to the access denied page again...
I found the override script, and running it manually works perfectly:
```
/usr/local/dgbypass(45): ./dgbypass 10.0.9.11 john match.com
1 addresses added.
```
The alias table then has my ip 10.0.9.11 in it, and I can browse 100% unfiltered.
I verified my username/pass are in /usr/local/dgbypass/passwords.txt, I cleared everything out of this file except the user:
```
[2.1-RELEASE][root@router2.localdomain]/usr/local/dgbypass(11): cat passwords.txt
john 123
```
It seems the accessdenied.php page is not properly calling the dgbypass script, and I am not having much luck debugging the php.
-
OK… if it is just bouncing back to the accessdenied.php page, then it is not validating your id/password combination. If you enter valid id/password it goes to a "proceed" page (see attached). Note... the "proceed" page is in the same php file.
Try your pfsense admin id/password first (it gets it from config.xml) and see if that works. If the php cannot find it that way, then it goes to passwords.txt and looks for a userid/password there...
![Screenshot from 2013-11-10 15:58:15.png](/public/imported_attachments/1/Screenshot from 2013-11-10 15:58:15.png)
-
btw…
The code to check config.xml starts at line 186 of the accessdenied.php.
The code to check "passwords.txt" starts at line 197
The code to execute dgbypass starts at line 217
-
Yes, I read through all your php, I can decipher it all, but I am just worthless at modifying or validating it, I saw that several functions/pages are in that one.
Using the pfsense admin login does not work either, I even made a 2nd pfsense admin account, doesn't work… any more ideas?
-
The attached version writes a bunch of log statements to /var/log/dgbypass/accessdenied.log. Can you copy it into /usr/local/www/dgbypass and let me know what is written to the log?
BTW… be sure to change the IP address in the php (192.168.4.1) to the address of your pfsense server...
-
Was on the road all day… here is what I got:
```
cat /var/log/dgbypass/accessdenied.log
[11-Nov-2013 21:04:55 America/Los_Angeles] Starting
[11-Nov-2013 21:04:55 America/Los_Angeles] clientip [10.0.9.11]
[11-Nov-2013 21:04:55 America/Los_Angeles] url2 [DENIEDURL==http%3a%2f%2fmatch%2ecom::IP==10.0.9.11::USER==10.0.9.11::CATEGORIES==::GBYPASS==69555D8FAFA8A886D99A6227DDEA2FF41384232725::REASON==Banned%20site%3a%20match%2ecom]
[11-Nov-2013 21:05:03 America/Los_Angeles] Checking ID/Password
[11-Nov-2013 21:05:03 America/Los_Angeles] username []
[11-Nov-2013 21:05:03 America/Los_Angeles] passwd []
[11-Nov-2013 21:05:03 America/Los_Angeles] exec-1 []
[11-Nov-2013 21:05:03 America/Los_Angeles] ID/Password NOT found in config.xml
[11-Nov-2013 21:05:03 America/Los_Angeles] ID/Password NOT found in passwords.txt
[11-Nov-2013 21:05:03 America/Los_Angeles] Starting
[11-Nov-2013 21:05:03 America/Los_Angeles] clientip [10.0.9.11]
[11-Nov-2013 21:05:03 America/Los_Angeles] url2 [::DENIEDURL==http%3a%2f%2fmatch%2ecom::IP==10.0.9.11::USER==10.0.9.11::CATEGORIES==::GBYPASS==69555D8FAFA8A886D99A6227DDEA2FF41384232725::REASON==Banned%20site%3a%20match%2ecom]
```
Used this user/password:
```
cat /usr/local/dgbypass/passwords.txt
john zxcv
```
-
ok… I figured it out, not sure why it was showing the accessdenied page at all... the default pfsense port 80>443 redirect rule was messing with it, I specified the bypass page on port 80, it would display for some reason, then choke when bypassing because I didn't specify https in the php code.
THANKS SO MUCH - this is excellent.
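
Added example, not part of the thread or of the dgbypass package: a Python parser for the accessdenied.log format quoted above that decodes the `url2` string and flags credential checks where `username` arrived empty, the symptom that pointed at the port 80 to 443 redirect. The sample log is constructed, with example.com as a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample in the log format quoted in the thread (example.com is a placeholder).
SAMPLE_LOG = """\
[11-Nov-2013 21:04:55 America/Los_Angeles] clientip [10.0.9.11]
[11-Nov-2013 21:04:55 America/Los_Angeles] url2 [::DENIEDURL==http%3a%2f%2fexample%2ecom::IP==10.0.9.11::CATEGORIES==::REASON==Banned%20site%3a%20example%2ecom]
[11-Nov-2013 21:05:03 America/Los_Angeles] Checking ID/Password
[11-Nov-2013 21:05:03 America/Los_Angeles] username []
[11-Nov-2013 21:09:40 America/Los_Angeles] Checking ID/Password
[11-Nov-2013 21:09:40 America/Los_Angeles] username [john]
"""

LINE = re.compile(r"^\[([^\]]+)\] (.*)$")    # "[timestamp] message"
FIELD = re.compile(r"^(\w+) \[(.*)\]$")      # "name [value]"


def parse_denied_query(url2):
    """Split the KEY==value::KEY==value string and URL-decode each value."""
    fields = {}
    for part in url2.split("::"):
        key, sep, value = part.partition("==")
        if sep:                      # skips the empty piece left by a leading "::"
            fields[key] = unquote(value)
    return fields


def diagnose(log_text):
    """Return one finding per credential check, flagging empty submissions."""
    findings, context, checking = [], {}, False
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        stamp, message = line.groups()
        field = FIELD.match(message)
        if message == "Checking ID/Password":
            checking = True
        elif field and field.group(1) == "clientip":
            context["clientip"] = field.group(2)
        elif field and field.group(1) == "url2":
            context.update(parse_denied_query(field.group(2)))
        elif field and field.group(1) == "username" and checking:
            # Empty username: the form fields never reached the script.
            verdict = "empty-submission" if not field.group(2) else "credentials-present"
            findings.append({"time": stamp, "clientip": context.get("clientip"),
                             "denied_url": context.get("DENIEDURL"), "verdict": verdict})
            checking = False
    return findings
```

An `empty-submission` finding means no entry in config.xml or passwords.txt could have matched, so the place to look is how the form is posted rather than the password file.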
-
Glad you got it working…
Just in case you're interested, I've spent a lot of time trying to make pfSense the "ultimate home filtering solution". I've even gone so far as creating a stripped-down menu and rewriting a number of the screens in order to make it easier for a non-technical person to administer. My intention is to offer pre-configured cheap atom boxes for anyone interested in the uber home filtering solution (really as a ministry - not to make money).
Some features of the home filter box setup...
o Very simplified screens focused purely on:
- applying web access time restrictions
- administering the content filter
- removal of anything that could be confusing to the "non-technical"
o Screen to easily assign MAC addresses to "IP Group Aliases".
o Screen to apply time blocking schedules to IP Group Aliases
o Bypass feature for the content filter
o Interface to query/view the content filter logs (dglog2)

Obviously, this setup is very limited in features intended for a specific purpose... but it is also very simple and difficult to "break". It assumes a very specific configuration (i.e. squid, dg, two interfaces of LAN/WAN, no VPN or traffic shaping, etc.) However, it's also easy to switch back to the default pfSense menu when necessary and turn on more features. I also have instructions and scripts that pretty much automate the setup...
Some of the more technical things that I've implemented "under the covers" that you might be interested in:
o The filter bypass (based on IP address not being redirected to the filter)
o Layer 3 checking (using ipfw) of mac/IP combinations to make sure no one "hijacks" an unfiltered IP address
o DNS entries to force non-SSL google search (so it can be content filtered)
o Dynamic update of the addresses it resolves to for non-SSL search (in case they change)
o Implementation of dglog2.pl script for querying/reporting the content filter logs
o Block usage of any name servers other than OpenDNS

Anyway... probably total overkill. Just thought you or others might be interested. I've included links to some screen shots.
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A23%3A12.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A23%3A22.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A23%3A41.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A24%3A21.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A24%3A38.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A24%3A56.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A25%3A09.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A25%3A26.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A25%3A35.png
https://dl.dropboxusercontent.com/u/55672566/Screenshot%20from%202013-11-12%2010%3A28%3A25.png
-
That looks awesome… I definitely don't want to encroach on your potential business, but if you wished to offer it, I would be interested in some of those ssl search redirect features you have set up.
Right now this thing does exactly what I was in dire need of with dg, I probably wouldn't use your gui setup, because there are some other features I use, but I wouldn't mind tinkering with the ssl redirect.
-
That one is pretty simple…
1.) Create a directory /usr/local/update_dns_overrides
2.) Create a log directory - I use /var/log/update_dns_overrides
3.) Copy attached php file (minus .txt) into the directory
4.) Create the "host override" entries on the attached screenshot.
5.) Run the php script via cron on whatever timeframe you want

My cron entry is:
```
/usr/local/bin/php -q /usr/local/update_dns_overrides/update_dns_overrides.php >> /var/log/update_dns_overrides/update_dns_overrides.log
```
Note that this is a little bit of a hack. The script looks for the description starting with "ip=" and updates the override address to the address that URL following "=" resolves to...
Obviously, you wouldn't have to have my little update script - you could just create the entries. However, this covers you if the address for your override ever changes.
![Screenshot from 2013-11-12 12:00:07.png](/public/imported_attachments/1/Screenshot from 2013-11-12 12:00:07.png)
update_dns_overrides.php.txt
-
great, thanks for the tip, I will check that out sometime soon…
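
The update logic described in the steps earlier in the thread (find host overrides whose description starts with "ip=", resolve the name after "=", rewrite the override address), as an added Python example rather than the attached update_dns_overrides.php. The record layout, the `filtered-search.example` name and the injectable `resolver` parameter are assumptions for illustration.

```python
import ipaddress
import socket

# Constructed host-override records; the field names (host, domain, ip, descr)
# are an assumed shape, not read from a real pfSense config.xml.
OVERRIDES = [
    {"host": "www", "domain": "google.com", "ip": "192.0.2.10",
     "descr": "ip=filtered-search.example"},
    {"host": "printer", "domain": "home.lan", "ip": "10.0.9.50",
     "descr": "office printer"},
]


def resolve_ipv4(name):
    """Resolve name to an IPv4 address, or None if the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def refresh_overrides(overrides, resolver=resolve_ipv4):
    """Update overrides tagged "ip=<name>"; return (fqdn, old_ip, new_ip) per change."""
    changes = []
    for entry in overrides:
        descr = entry.get("descr", "")
        if not descr.startswith("ip="):
            continue                      # ordinary override, leave untouched
        target = descr[3:].strip()
        answer = resolver(target) if target else None
        if answer is None:
            continue                      # lookup failed: keep the last known address
        try:
            new_ip = str(ipaddress.ip_address(answer))
        except ValueError:
            continue                      # resolver returned something that is not an IP
        if new_ip != entry["ip"]:
            fqdn = f'{entry["host"]}.{entry["domain"]}'
            changes.append((fqdn, entry["ip"], new_ip))
            entry["ip"] = new_ip
    return changes
```

Keeping the old address on a failed lookup matters here: blanking the override would let clients resolve the real name again and skip the filtered path.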