Dansguardian package for 2.0

Downloadski

Ok, where to find them ?

I cannot run 2.03, as my pc does noet bootup with that so i need to run 2.1

rjcrowder

@Downloadski:

This fails execution:

/usr/pbi/dansguardian-amd64/share/dansguardian/scripts(108): dansguardian
Error opening/creating log file. (check ownership and access rights).
I am running as nobody and I am trying to open /var/log//access.log

here i get stuck, as i am on the console and the main/root user i think ?

I got this error once when all of the user rights were correct, but I had dropped "execute" privileges on one of the directories in the path.

Also… the proper install order is Dansguardian - then Squid 3.

Legion

I've been getting "Error connecting via IPC socket to log: Connection refused" messages for as long as I can remember. Once I restart dg it goes away. A Google search found this:

http://www.uno-code.com/?q=node/141

I checked and your dansguardian.conf does the same thing - creates IPC files in /tmp, which I presume is cleaned out by pfsense each day. Can you expose these file paths in the GUI marcelloc? Or modify the conf file writeout and put them in a dg subdirectory like other DG files (e.g. access.log)

ZGruk

Where are the actual config files for dansguardian located? I've noticed when I change them in the GUI (ACL -> Site Lists for example) they don't change in the files on the machine (in /usr/local/dansguardian/lists/bannedsitelist for example). And conversely, editing bannedsitelist using vi doesn't actually block any sites. I assume there are actual files somewhere on the machine that are getting changed when I change it in the GUI, but I haven't been able to find them.

rjcrowder

@ZGruk:

Where are the actual config files for dansguardian located? I've noticed when I change them in the GUI (ACL -> Site Lists for example) they don't change in the files on the machine (in /usr/local/dansguardian/lists/bannedsitelist for example). And conversely, editing bannedsitelist using vi doesn't actually block any sites. I assume there are actual files somewhere on the machine that are getting changed when I change it in the GUI, but I haven't been able to find them.

/usr/local/etc/dansguardian
/usr/local/etc/dansguardian/lists

The config gets written to the config.xml file (see /conf/config.xml) and then propogated to the appropriate files in the config directories. If you change the files manually, it will be overwritten by what is in the config.xml when you save on the GUI or when you reboot. Confusing part about the config.xml file is that the XML element values are often encoded - so you can't really read it if you just bring the file up in VI.

Gian

Hi, first post here on pfsense forum. I'm a newbie in pfsense, only one week using it, and I have a question.
I've installed dansguardian 2.12.0.3 on pfsense 2.1-RELEASE (amd64), and update the blacklist with shalla's list.
Everything is working fine, but the categories in the Exception part of the Site Lists ACLs are greyed out, there is no categories on the list. The Banned portion of the Site Lists ACLs shows all the categories. Theres something that I'm missing?

Thanks!

Edit:

I've found the problem. In blacklist options, i've selected only to list the categories on the Banned section, and I should have selected to show the list in the section banned and exception.

wheelz

When using multiple auth mechanisms, how to do specify the order?  For example, I have authentication working with AD but there are also phone and other non-computer devices I need to authenticate via IP.

If I select both of those, it puts the IP auth line in the config file first so it tries that first.  It will "always" see the IP in my case so it will never use the AD authentication (NTLM).  I can manually change the conf file but then it gets overwritten on the next save (and seems to mess up XMLRPC Sync).

It would be nice to have a way in the GUI to change the order but for now I only really need to know what file I can edit to change the default order that gets written.  Does anyone know where I can change this?

Thanks!

marcelloc

@wheelz:

for now I only really need to know what file I can edit to change the default order that gets written.  Does anyone know where I can change this?

dansguardian_config.xml

change the order that I check the selected item.

dansguardian.inc code that check auth_plugin

$authplugin=(preg_match('/usr/',$dansguardian_config['auth_plugin'])?"authplugin = '".$dansguardian_config['auth_plugin']."'":"");
        if ($dansguardian_config['auth_plugin']!=""){
                $auth_plugins=explode(",",$dansguardian_config['auth_plugin']);
                $authplugin="";
                foreach ($auth_plugins as $auth_selected)
                        if ($auth_selected != "none")
                                $authplugin.="authplugin = '".preg_replace("@/usr/local@",DANSGUARDIAN_DIR,$auth_selected)."'\n";
        }

wheelz

That worked, or at least it switched the order in the conf file.  According to this:

http://contentfilter.futuragts.com/wiki/doku.php?id=more_than_one_auth_method&DokuWiki=gvhxljbpcoxc (all the way at the bottom #3)

you may just want to change the default order to have IP always on top as it seems like it should always come before other auth methods when multiple auth methods are used.

I'm still messing with DG though, trying to get the multiple auths working the way I need.  Isn't doing the IP auth first now for some reason…  I'll keep trying.

wheelz

marcelloc,

I guess the multiple auth not working for IP is a known issue:

http://sourceforge.net/p/dansguardian/patches/15/

There is a link on that page that points to a French site that says it is fixed in a later version:

http://numsys.eu/search.php?search=Dansguardian

Looks like it is up to 2.12.0.7?  The package for pfsense shows 2.12.0.3, but I did download one of your binary fixes.  When I run it with a -v, it shows 2.12.0.0…  ???  Now I am confused, I thought your binary was newer.

Is there any plans to update the package to 2.12.0.7 or is it possible to get an updated binary that fixes this bug?

Thanks for all your great contributions!

marcelloc

Test with one of dansguardian versions from my repo. I've testing a lot of patches on dansguardian few months ago.

wheelz

@marcelloc:

Test with one of dansguardian versions from my repo. I've testing a lot of patches on dansguardian few months ago.

I found this:

dansguardian 2013-Feb-08 02:07:07 970.9K

under http://e-sac.siteseguro.ws/pfsense/8/amd64/ but I think that is the one I've already downloaded.  I looked around but didn't see any other binaries.  Where are the binaries you were testing with?

marcelloc

e-sac.siteseguro.ws/packages

wheelz

I used the latest file:

dansguardian-2.12.0.3_7.tbz 2013-Aug-20 14:47:20 536.4K

and multi-auth with IP is working.  I'll watch for other issues and thanks!

Guest

For using dansgaurdian, you should add a port forward rule.
It's far better to add a feature for specifying  dansguardian acls in  firewall rules. (like  traffic shaping policy)

wheelz

It looks like I found an issue.  Once multiple people are pushing traffic through the filter, it will frequently (usually at least once a day, sometimes more) crash the system.  I've attached a screen shot of the console when it happens and also one of top when it is happening.  Sometimes I can log in and restart the DG service to fix it.  Other times I can't even SSH in or get to the local console so I have to hard reboot it.  Is this something you have seen?  There seems to be a large number of DG processes running at the time.  I'm not sure if that is normal or not.

Also I noticed that there is a 3.3.10 version available to update.  What version of DG is that and what were the changes?  I'm still running with the hacked in 2.12.0.3_7 binary for multi-auth to work.

Guest

When i use dansguardian with a port forward rule(http to 8080), it occasionally doesn't work and i need to restart daemon.
I think that pfsense developers should integrate it with firewall rules. therefore, a user can select content filter policy in it's access rule( like fortigate and other products).

wheelz

@wheelz:

It looks like I found an issue.  Once multiple people are pushing traffic through the filter, it will frequently (usually at least once a day, sometimes more) crash the system.  I've attached a screen shot of the console when it happens and also one of top when it is happening.  Sometimes I can log in and restart the DG service to fix it.  Other times I can't even SSH in or get to the local console so I have to hard reboot it.  Is this something you have seen?  There seems to be a large number of DG processes running at the time.  I'm not sure if that is normal or not.

Also I noticed that there is a 3.3.10 version available to update.  What version of DG is that and what were the changes?  I'm still running with the hacked in 2.12.0.3_7 binary for multi-auth to work.

I think I may have resolved this.  It has gone several days now without a crash.  On the web page for the updated binary they mentioned increasing some of the daemon settings.  So here are the changes I made:

Min/Max Children:  8/8176
Min/Max Spare Children:  8/64
Prefork Children:  10
Max Age Children:  10000

I think the max children may only work if you have this updated binary but that seems to have solved my crashing problems (in case anyone else runs into this).

sgirard

I recently upgraded to pfSense 2.1 and am having trouble with the DansGuardian package.

I noticed that the "Denied Access" page was not rendering the correct html from the Report File text box under the Report and Log tab.

It appears the DansGuardian package 2.12.0.3  v.0.1.8 on my system is writing the Report File html to this location:
/usr/local/share/dansguardian/languages/ukenglish/template.html

But on pfSense 2.1, the DansGuardian package is using this location for the Access Denied html:
/usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/template.html

bryan.paradis recommended that I create a symlink to the file managed by the web gui:
https://forum.pfsense.org/index.php/topic,73058.msg398551.html#msg398551

It seems to me that a reinstall of Dans Guardian will overwrite the symlink. I also have concerns that changes to my ACLs may not be working correctly, but I have not completed extensive testing yet.

Is this issue something you are already aware of, or could it be unique to my system? The system is a Netgate 7451 upgraded to 2.1-RELEASE (amd64) using the web interface for Firmware Update.

bryan.paradis

Hey marcelloc,

Looks like here you pass the dansguardian_dir to $dg_dir when creating dansguardianfx.conf.

#dansguardian.inc
$dg_dir=DANSGUARDIAN_DIR;
		include("/usr/local/pkg/dansguardianfx.conf.template");
		file_put_contents($dansguardian_dir."/dansguardianf".$count.".conf", $dgf, LOCK_EX);

#dansguardian.conf.template
languagedir = '{$dg_dir}/share/dansguardian/languages'

# language to use from languagedir.
language = '{$reportlanguage}'

This will reference the pbi directory but in the php code below as you can see it isn't referencing the dansguardian_dir thus not referencing the pbi folder which is being set as the path in the conf file.

#log report
	if ($dansguardian_log['report_file']=="" && file_exists("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html")){
		$report_file=file_get_contents("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html");
		$report_file=preg_replace('/<.*(html|head)>/','',$report_file);
		$config['installedpackages']['dansguardianlog']['config'][0]['report_file']=base64_encode($report_file);
		$dansguardian_log['report_file']=base64_encode($report_file);
		$load_samples++;

And

#dansguardian.inc
#Create report template
	if (is_dir("/usr/local/share/dansguardian/languages/".$reportlanguage)) 
		file_put_contents("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html",dg_text_area_decode($dansguardian_log['report_file']),LOCK_EX);

dansguardian_dir needs to be appended to the front of the paths

Lines 927-928

if (is_dir(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage)) 
		file_put_contents(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html",dg_text_area_decode($dansguardian_log['report_file']),LOCK_EX);

Lines 694-695

#dansguardian.inc
	if ($dansguardian_log['report_file']=="" && file_exists(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html")){
		$report_file=file_get_contents(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html");

Update: Nevermind looks like they are already symlinked on a fresh install I am not sure why sgirard had a problem in the first place  :-X Though I suppose it could be cleaned up considering you are setting the path based on what pfversion is running already?

[2.1-RELEASE][root@pfsense.localdomain]/usr/local/share/dansguardian/languages/ukenglish(15): ls -la
total 3
drwxr-xr-x   2 root  wheel   512 Feb 25 06:45 .
drwxr-xr-x  29 root  wheel  1024 Feb 25 06:45 ..
lrwxr-xr-x   1 root  wheel    87 Feb 25 06:45 fancydmtemplate.html -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/fancydmtemplate.html
lrwxr-xr-x   1 root  wheel    75 Feb 25 06:45 messages -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/messages
lrwxr-xr-x   1 root  wheel    80 Feb 25 06:45 template.html -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/template.html