Dansguardian package for 2.0

wheelz · Nov 28, 2013, 1:23 AM

I used the latest file:

dansguardian-2.12.0.3_7.tbz 2013-Aug-20 14:47:20 536.4K

and multi-auth with IP is working. I'll watch for other issues and thanks!

Nov 30, 2013, 9:25 PM

For using dansgaurdian, you should add a port forward rule.
It's far better to add a feature for specifying dansguardian acls in firewall rules. (like traffic shaping policy)

wheelz · Dec 31, 2013, 3:57 PM

It looks like I found an issue. Once multiple people are pushing traffic through the filter, it will frequently (usually at least once a day, sometimes more) crash the system. I've attached a screen shot of the console when it happens and also one of top when it is happening. Sometimes I can log in and restart the DG service to fix it. Other times I can't even SSH in or get to the local console so I have to hard reboot it. Is this something you have seen? There seems to be a large number of DG processes running at the time. I'm not sure if that is normal or not.

Also I noticed that there is a 3.3.10 version available to update. What version of DG is that and what were the changes? I'm still running with the hacked in 2.12.0.3_7 binary for multi-auth to work.

Jan 1, 2014, 9:31 AM

When i use dansguardian with a port forward rule(http to 8080), it occasionally doesn't work and i need to restart daemon.
I think that pfsense developers should integrate it with firewall rules. therefore, a user can select content filter policy in it's access rule( like fortigate and other products).

wheelz · Jan 8, 2014, 1:57 PM

@wheelz:

It looks like I found an issue. Once multiple people are pushing traffic through the filter, it will frequently (usually at least once a day, sometimes more) crash the system. I've attached a screen shot of the console when it happens and also one of top when it is happening. Sometimes I can log in and restart the DG service to fix it. Other times I can't even SSH in or get to the local console so I have to hard reboot it. Is this something you have seen? There seems to be a large number of DG processes running at the time. I'm not sure if that is normal or not.

Also I noticed that there is a 3.3.10 version available to update. What version of DG is that and what were the changes? I'm still running with the hacked in 2.12.0.3_7 binary for multi-auth to work.

I think I may have resolved this. It has gone several days now without a crash. On the web page for the updated binary they mentioned increasing some of the daemon settings. So here are the changes I made:

Min/Max Children: 8/8176
Min/Max Spare Children: 8/64
Prefork Children: 10
Max Age Children: 10000

I think the max children may only work if you have this updated binary but that seems to have solved my crashing problems (in case anyone else runs into this).

sgirard · Feb 25, 2014, 3:11 AM

I recently upgraded to pfSense 2.1 and am having trouble with the DansGuardian package.

I noticed that the "Denied Access" page was not rendering the correct html from the Report File text box under the Report and Log tab.

It appears the DansGuardian package 2.12.0.3 v.0.1.8 on my system is writing the Report File html to this location:
/usr/local/share/dansguardian/languages/ukenglish/template.html

But on pfSense 2.1, the DansGuardian package is using this location for the Access Denied html:
/usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/template.html

bryan.paradis recommended that I create a symlink to the file managed by the web gui:
https://forum.pfsense.org/index.php/topic,73058.msg398551.html#msg398551

It seems to me that a reinstall of Dans Guardian will overwrite the symlink. I also have concerns that changes to my ACLs may not be working correctly, but I have not completed extensive testing yet.

Is this issue something you are already aware of, or could it be unique to my system? The system is a Netgate 7451 upgraded to 2.1-RELEASE (amd64) using the web interface for Firmware Update.

bryan.paradis · Feb 25, 2014, 6:52 AM

Hey marcelloc,

Looks like here you pass the dansguardian_dir to $dg_dir when creating dansguardianfx.conf.


#dansguardian.inc
$dg_dir=DANSGUARDIAN_DIR;
		include("/usr/local/pkg/dansguardianfx.conf.template");
		file_put_contents($dansguardian_dir."/dansguardianf".$count.".conf", $dgf, LOCK_EX);


#dansguardian.conf.template
languagedir = '{$dg_dir}/share/dansguardian/languages'

# language to use from languagedir.
language = '{$reportlanguage}'

This will reference the pbi directory but in the php code below as you can see it isn't referencing the dansguardian_dir thus not referencing the pbi folder which is being set as the path in the conf file.


#log report
	if ($dansguardian_log['report_file']=="" && file_exists("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html")){
		$report_file=file_get_contents("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html");
		$report_file=preg_replace('/<.*(html|head)>/','',$report_file);
		$config['installedpackages']['dansguardianlog']['config'][0]['report_file']=base64_encode($report_file);
		$dansguardian_log['report_file']=base64_encode($report_file);
		$load_samples++;

And


#dansguardian.inc
#Create report template
	if (is_dir("/usr/local/share/dansguardian/languages/".$reportlanguage)) 
		file_put_contents("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html",dg_text_area_decode($dansguardian_log['report_file']),LOCK_EX);

dansguardian_dir needs to be appended to the front of the paths

Lines 927-928


if (is_dir(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage)) 
		file_put_contents(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html",dg_text_area_decode($dansguardian_log['report_file']),LOCK_EX);

Lines 694-695


#dansguardian.inc
	if ($dansguardian_log['report_file']=="" && file_exists(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html")){
		$report_file=file_get_contents(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html");

Update: Nevermind looks like they are already symlinked on a fresh install I am not sure why sgirard had a problem in the first place :-X Though I suppose it could be cleaned up considering you are setting the path based on what pfversion is running already?

[2.1-RELEASE][root@pfsense.localdomain]/usr/local/share/dansguardian/languages/ukenglish(15): ls -la
total 3
drwxr-xr-x   2 root  wheel   512 Feb 25 06:45 .
drwxr-xr-x  29 root  wheel  1024 Feb 25 06:45 ..
lrwxr-xr-x   1 root  wheel    87 Feb 25 06:45 fancydmtemplate.html -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/fancydmtemplate.html
lrwxr-xr-x   1 root  wheel    75 Feb 25 06:45 messages -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/messages
lrwxr-xr-x   1 root  wheel    80 Feb 25 06:45 template.html -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/template.html

cnd.fflv · May 1, 2014, 6:34 AM

Hi there.

Is there any way to put timeframe in DG?

I need to block access for certain users to certain sites. For example, users in DG group "office" are not allowed to access social nets and web-videos at working hours. Outside working hours they can.

Can I do that in DG itself or need to use FW rules or Squidguard along with it?

Thanks.

cirkit · May 1, 2014, 12:50 PM

https://forum.pfsense.org/index.php?topic=67066.0

Pistolero · Jun 11, 2014, 9:32 PM

Hola Marcelo!

Just saw that there is a new version on DG for download in the package manager. Can you please provide a changelog? Has the missing CLAMAV issue been corrected in this new package?

Thanks!

F.

Cino · Jun 11, 2014, 9:36 PM

@Pistolero:

Hola Marcelo!

Just saw that there is a new version on DG for download in the package manager. Can you please provide a changelog? Has the missing CLAMAV issue been corrected in this new package?

Thanks!

F.

There were a bunch of pbi's that were updated.. I think these are the lastest freebsd ports and not from the developers

https://github.com/pfsense/pfsense-packages/commit/62559c79ad7d5033b285ca0dc65bccf0f88f72bd

Pistolero · Jun 11, 2014, 10:13 PM

Ha… so likely CLAMD is still not in that package :( Bummer.

Thanks for the info!

@Cino:

@Pistolero:

Hola Marcelo!

Just saw that there is a new version on DG for download in the package manager. Can you please provide a changelog? Has the missing CLAMAV issue been corrected in this new package?

Thanks!

F.

There were a bunch of pbi's that were updated.. I think these are the lastest freebsd ports and not from the developers

https://github.com/pfsense/pfsense-packages/commit/62559c79ad7d5033b285ca0dc65bccf0f88f72bd

pfsense-lover · Jun 13, 2014, 1:48 AM

Can someone please explain why DG is not being compiled with CLAMAV support yet again?

Cino · Jun 13, 2014, 12:39 PM

Marcelo is probably busy right now work.. He does this on his own time..

pfsense-lover · Jun 15, 2014, 10:59 PM

The "core team" now compile the packages. DG has been compiled without ClamAV support for almost 3 months now. See this post https://forum.pfsense.org/index.php?topic=75005.msg417411#msg417411

The "core team" are not contactable. I am not sure how/who to escalate too.

This experience has been very disappointing.

Cino · Jun 16, 2014, 12:59 AM

if you really need ClamAV, use Squid 3-Dev. Works for me using i386 firmware..

I've read the link you sent but still dont get this statement: The "core team" now compile the packages.

try https://lists.pfsense.org/mailman/listinfo/dev if you want to send an email to the pfsense developers or post a bug on redmine.pfsense.org