Unofficial E2guardian package for pfSense

marcelloc

The sync config between boxes is already there. The squid integration is a manual process.

The restore function I'll think about later.

Pistolero

Thank you, sir. Could you please post instructions on how to integrate E2 with Squid?

Thanks a bunch, muito obrigado!

marcelloc

Basically, define the ip and squid port on squid config on first tab. The second tab shows the authentication e2guardian support to pass through squid.

All other tabs flow the configure from left-to-right, viewing each tab and saving config.

Stewart

Looks nice.  I'll have to give it a try.  A couple of questions:

1.  Why a custom script and not get it officially into the Package Manager?
2.  Is there documentation to get up and running?  It looks like you create separate entries under the various ACLs and then create a Group and assign the ACLs to it.  There's a lot of options on a lot of screens and they aren't all clear to me.
3.  Aside from AD, how do we assign users to different groups?  With squidGuard I needed to use the persons MAC to assign an IP through DHCP and then I could use that IP under a different ACL.  I don't see a way to tie an IP or MAC into a group in here.

Thanks for the work.  This would be a big improvement over squidGuard if I can figure it out.

marcelloc

@Stewart:

Looks nice.  I'll have to give it a try.  A couple of questions:

2.  Is there documentation to get up and running?  It looks like you create separate entries under the various ACLs and then create a Group and assign the ACLs to it.  There's a lot of options on a lot of screens and they aren't all clear to me.

The e2guardian configuration is really complex but extremely powerfull. Some options you get on general configuration but most is applied per group.

A basic setup:

• Apply the shalist under blacklist tab

• Configure the default group under acl

• save config

At this point, E2guardian users are required only when you have more then one group. All unauthenticated users or unlisted users will match first filter group.

So if you want to test a user based configuration, create a second group

• Configure squid as your parent proxy under daemon tab

• Select the Auth Plugin you want to interact with your squid configured user authentication

• save and apply config

Stewart

Is there any difference in the AV of E2guardian vs Squid?  They both appear to be Clam but Squid seems to give more options for custom databases.

marcelloc

@Stewart:

Is there any difference in the AV of E2guardian vs Squid?  They both appear to be Clam but Squid seems to give more options for custom databases.

IIRC e2guardian has per group scan options but I agree clamd on squid has more options.

Maybe you need to test both bu for now, you can keep on squid.

we need a lot of tests to archive the best config for e2guardian on pfSense.

I'm planning an captive portal integration just the same way I did on squid.

Stewart

I'm going to try to get some testing done tomorrow to see what I can come up with.  Looking through the config options is a bit daunting, especially the Pics area since the value ranges keep changing.  And where do I add in phrases to block?  Can we create our own phrase lists?

marcelloc

@Stewart:

Can we create our own phrase lists?

sure.

This is a wiki of Dansguardian. Most options works the same way on e2guardian.

http://contentfilter.futuragts.com/wiki/doku.php

https://github.com/e2guardian/e2guardian/wiki/Configuration

marcelloc

I've changed the submenu display style. I think it's better to see and undertand where you are.

What do you think?

images style1 are current pkg framework

images style2 has new style view.

What do you think?

Stewart

To me, the original style is better.  I can see that I'm in ACL's -> Phrase Lists by the underlining.  It just sticks out better.  In the second one I can see that I'm in ACLs but can't tell which sub-menu I'm in becasue it isn't showing any different.  The bread-crumbs up top show it but it just isn't as easy to follow.  I like your current style better.

danjeman

I think style 2 is cleaner but would be even nicer if it did highlight the sub menu item too  ;)

marcelloc

@danjeman:

I think style 2 is cleaner but would be even nicer if it did highlight the sub menu item too  ;)

I'll put the highlight as an option. For now I've changed de text on each xml to identify what tab you are.

Stewart

I'm starting to test e2guardian but it won't start.

/root: /usr/local/etc/rc.d/e2guardian.sh start
kern.ipc.somaxconn: 16384 -> 16384
kern.maxfiles: 131072 -> 131072
kern.maxfilesperproc: 104856 -> 104856
kern.threads.max_threads_per_proc: 4096 -> 4096
Starting e2guardian.
In mapauthtoports mode you need to setup one port per auth plugin
Error parsing the e2guardian.conf file or other e2guardian configuration files
/usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian

Can those files be regenerated?  I've pointed to shallalist but that's about it.  The Default values in bold, those are the values used if the boxes are left blank?  They don't need to be filled in do they?

EDIT:
I copied the e2guardian.conf.sample and overwrote /usr/local/etc/e2guardian/e2guardian.conf and I'm getting further.  Now it tells me:

/root: /usr/local/etc/rc.d/e2guardian.sh start
kern.ipc.somaxconn: 16384 -> 16384
kern.maxfiles: 131072 -> 131072
kern.maxfilesperproc: 104856 -> 104856
kern.threads.max_threads_per_proc: 4096 -> 4096
Starting e2guardian.
Error opening/creating log file. (check ownership and access rights).
I am running as nobody and I am trying to open /var/log//access.log
/usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian

marcelloc

What options did you selected to enable multiport?

Stewart

@marcelloc:

What options did you selected to enable multiport?

What page has that option?  I don't think I intentionally selected anything, just clicked through.

marcelloc

I have it working on my setup, including ssl interception. Try to selext just one interface. I'll try another clean setup and see how how to reproduce this.

Stewart

I have LAN and loopback selected since the default is Lan/loopback.  It's working with the sample config in place.

I ran a diff on the config file and the sample file and there is quite a bit of difference since the rows don't line up.  I cleared up the commented lines and here is what the config options are in the broken file:

languagedir = '/usr/local/share/e2guardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = 2
logfileformat = 1
anonymizelogs = off
loglocation = '/var/log/e2guardian/access.log'
dstatlocation = '/var/log/e2guardian/dstats.log'
dstatinterval = 300  # = 5 minutes
statlocation = '/var/log/e2guardian/stats'
filterip = 192.168.1.1
filterip = 127.0.0.1
filterports = 8080
filterports = 8080
proxyip = 127.0.0.1
proxyport = 3128
proxytimeout = 30
proxyexchange = 20
pcontimeout = 55
usecustombannedimage = on
custombannedimagefile = '/usr/local/share/e2guardian/transparent1x1.gif'
usecustombannedflash = off
custombannedflashfile = '/usr/local/share/e2guardian/blockedflash.swf'
filtergroups = 1
filtergroupslist = '/usr/local/etc/e2guardian/lists/filtergroupslist'
bannediplist = '/usr/local/etc/e2guardian/lists/bannediplist'
exceptioniplist = '/usr/local/etc/e2guardian/lists/exceptioniplist'
perroomblockingdirectory = '/usr/local/etc/e2guardian/lists/bannedrooms/'
showweightedfound = on
urlcachenumber = 1000
urlcacheage =900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
prefercachedlists = off
maxcontentfiltersize = 256
maxcontentramcachescansize = 1000
maxcontentfilecachescansize = 2000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 20
downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/fancy.conf'
downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/trickle.conf'
downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logsslerrors = off
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 10
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent =
daemonuser = 'clamav'
daemongroup = 'nobody'
softrestart = on
cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'

Stewart

Looks like it was because I had both LAN and loopback selected.  You may want to remove the verbage of "Default: LAN/loopback".  For the other fields it states what is used when nothing is entered.  In this field you still need to select the Interface.

Cino

@Stewart:

Looks like it was because I had both LAN and loopback selected.  You may want to remove the verbage of "Default: LAN/loopback".  For the other fields it states what is used when nothing is entered.  In this field you still need to select the Interface.

I concur. You have to select only one interface (LAN) to get it to work. When loopback is also selected, it wont start. I haven't had a chance to test the different options other then installing and enabling it using default options.

Need to figure out an easy/clean way to convert my old Dansguardian config to E2guardian (within the config.xml)