Unofficial E2guardian package for pfSense

marcelloc

@pfsensation:

DAMNIT! That was it. For some reason before, that option didn't show / or I might have missed it (forgive me it's 2:32am in London).

It really does seem a lot faster, and some programs which were giving some trouble before with SSL interception. Seem to be working now. :O

Thanks a lot Marcello for your hard work and effort! Hats off to you! :)

GREAT!!!!  8) If we can confirm it's working better and faster, I'll remove soon the 3.5.1 package from Unofficial repo and wait for a 4.1.1 release to update Freebsd ports repo.

pfsensation

@marcelloc:

@pfsensation:

DAMNIT! That was it. For some reason before, that option didn't show / or I might have missed it (forgive me it's 2:32am in London).

It really does seem a lot faster, and some programs which were giving some trouble before with SSL interception. Seem to be working now. :O

Thanks a lot Marcello for your hard work and effort! Hats off to you! :)

GREAT!!!!  8) If we can confirm it's working better and faster, I'll remove soon the 3.5.1 package from Unofficial repo and wait for a 4.1.1 release to update Freebsd ports repo.

Sure, but before you do, maybe you should add some code to re-initialise those config files people already have. Because it needs to adjust to the new layout and grab that meta data. Not sure if any of it causes a big deal though.

Here's an example of what data didn't load before "re-saving" the group configs:

Also, is there a way to cache HTTPS content through Squid using E2Guardian? Squid still has that issue with Subject Alternative Name, and it cannot do the interception anymore as that function is broken. Since E2Guardian is able to do it, and it works correctly. Is there a quick way to get this to work? I got a 140GB hard drive in my box, may as well make full use of it. :P

marcelloc

@pfsensation:

Squid still has that issue with Subject Alternative Name, and it cannot do the interception anymore as that function is broken.

I did not know that. You mean current ssl splice all feature?

@pfsensation:

Sure, but before you do, maybe you should add some code to re-initialise those config files people already have

Most config until now can be kept but e2guardian is improving/changing the config structure a lot between versions.

@pfsensation:

Here's an example of what data didn't load before "re-saving" the group configs:

This is just cosmetic. It does not affect config files at all.

@pfsensation:

Also, is there a way to cache HTTPS content through Squid using E2Guardian?

Not sure. But you can try to disable server certificate check and enable squid interception too.

pfsensation

@marcelloc:

Not sure. But you can try to disable server certificate check and enable squid interception too.

I tried that, didn't seem to work. Maybe you can have a look at that when you have time. To clarify, Squid cannot create forged certificates that Chrome, Firefox, or any modern app will really accept. Since the code hasn't been updated to comply with RFC, afaik. It doesn't provide the Subject Alternative Name in the certificate, only provides "common name".

I meant, since E2Guardian is able to create certificates which are accepted and complies with RFC. Maybe we can still cache it using Squid, not sure if it's possible but should be since it's the parent proxy. But I guess this is something that will need to be looked into, it probably will have to anyways so that caching can work without conflicing with Squid (if Squid gets updated to work properly with SAN). In addition, I get the feeling, most people would be using E2Guardian with Squid anyways, so it makes sense to make full use of this setup.

Playing around with 4.1, it really does seem so much faster. I can't even tell there's a proxy in between, until I try going to a blocked site and see the blocked page. However, I have uncovered one bug so far. It's that SSL regex under "Site Lists" tab, doesn't seem to be working. I was using it to enforce YouTube restricted mode for kids / guests. While allowing it for certain users. It's something I can live with for now though. But nevertheless, it's a bug to be noted/checked, I guess.

pfsensation

Hmm, had two crashes so far using 4.1 since yesterday. I'd recommend everyone hold out for a bit for everything to stabilise before updating.
Unfortunately I wasn't able to capture any meaningful information, except this crash log. Only things I implemented was the WPAD and the new E2Guardian update since yesterday. And I have suspicions that it maybe E2Guardian.

https://ybin.me/p/e151f6a30f575c86#bQ6m4FCp/t6wWPLfFblyNmknhsZUXF0riaC3GJIlBBk=

marcelloc

how many users connected?

pfsensation

@marcelloc:

how many users connected?

Just a handful to be honest. For now only 4 devices doing MITM, and another 3 without MITM. It's a home environment so, not that big of a load. My machine load averages are barely going past 0.20, considering what I have running and this is a dual core machine. Pretty much same exact setup minus WPAD package on 3.5.1, barely any hiccups at all after initial setup. I was able to run it for over a week without a single issue.

With 4.1, today everything suddenly started loading super slow. I restarted the service, and everything was well again. Leading me to believe this is an issue with 4.1. Have you had a chance at all to take a look at why the SSL regex wasn't working?
For now, I'm glad 4.1, at least runs on pfSense, I'm just worried about the stability. Obviously I am running this at home, so some downtime isn't that big of a deal. But others may use it in their business or something. Especially as there is no filtering solution for pfSense which supports MITM anymore. SquidGuard doesn't work.

marcelloc

@pfsensation:

Have you had a chance at all to take a look at why the SSL regex wasn't working?

I've tested th sslregex with youtube today. worked fine(with the restart service after apply).

#SSL site modifying Regular Expressions

# Enforce restricted mode in YouTube
#
"(^https://www.youtube.com)"->"https://restrict.youtube.com"
"(^https://m.youtube.com)"->"https://restrict.youtube.com"
"(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com"
"(^https://youtube.googleapis.com)"->"https://restrict.youtube.com"
"(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com"
#

I'll test on a big environment next week, about 720 workstations. Hope it goes fine.

@pfsensation:

Especially as there is no filtering solution for pfSense which supports MITM anymore. SquidGuard doesn't work.

That's true. My test machines did not crashed any time but it's a single user with multiple tab test.

Can you test it on 2.4 beta too?

pfsensation

@marcelloc:

I've tested th sslregex with youtube today. worked fine(with the restart service after apply).

#SSL site modifying Regular Expressions

# Enforce restricted mode in YouTube
#
"(^https://www.youtube.com)"->"https://restrict.youtube.com"
"(^https://m.youtube.com)"->"https://restrict.youtube.com"
"(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com"
"(^https://youtube.googleapis.com)"->"https://restrict.youtube.com"
"(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com"
#

It seems I've run into the same problem lol. For Youtube Restricted mode, I've created a separate config so I can easily switch it on and off as required on a per group basis. It didn't work before, however, now after saving that config again, and restarting. It seems to be functioning as expected. Currently I am unaware of if these weird things are happening because I upgraded E2Guardian over SSH, or not, as no one else seems to have replied regarding the update yet.

@marcelloc:

I'll test on a big environment next week, about 720 workstations. Hope it goes fine.

Awesome! Let us know how it goes!

@marcelloc:

Can you test it on 2.4 beta too?

Unfortunately, I'll be unable to test this thoroughly as I need my home network running. And I don't believe I can test long enough or simulate proper real world load in a virtual setup, since the crashes don't happen immediately and often take a couple of hours.

I've just had my E2Guardian service stop again, here's the errors I managed to catch this time around in the logs.

2 21:22:55	e2guardian	573	Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf
Jun 2 21:26:50	check_reload_status		Linkup starting re0
Jun 2 21:26:50	kernel		re0: link state changed to DOWN
Jun 2 21:26:51	check_reload_status		Reloading filter
Jun 2 21:28:31	php-fpm	68338	/index.php: Successful login for user 'admin' from: 172.16.1.1
Jun 2 21:50:35	php-fpm	89081	/index.php: Successful login for user 'admin' from: 172.16.1.8
Jun 2 21:52:24	php-fpm	81052	/pkg_edit.php: Reloading E2guardian
Jun 2 21:53:27	pfsense.kortex		nginx: 2017/06/02 21:53:27 [error] 23127#100120: *93 open() "/usr/local/www/vendor/datatable/css/jquery.dataTables.min.css" failed (2: No such file or directory), client: 172.16.1.8, server: , request: "GET /vendor/datatable/css/jquery.dataTables.min.css HTTP/1.1", host: "pfsense.kortex", referrer: "https://pfsense.kortex/e2guardian_about.php"
Jun 2 21:53:27	pfsense.kortex		nginx: 2017/06/02 21:53:27 [error] 23127#100120: *93 open() "/usr/local/www/vendor/datatable/css/jquery.dataTables.min.css" failed (2: No such file or directory), client: 172.16.1.8, server: , request: "GET /vendor/datatable/css/jquery.dataTables.min.css HTTP/1.1", host: "pfsense.kortex", referrer: "https://pfsense.kortex/e2guardian_about.php"

Seems like there's missing web config files? pfSense.kortex leads to 172.16.1.1 which is my pfsense box.

I'm also getting the errors below from nginx, I'm guessing it's due to the WPAD package?

Jun 2 21:22:50	nginx		2017/06/02 21:22:50 [emerg] 98077#100105: bind() to 172.16.1.1:80 failed (48: Address already in use)
Jun 2 21:22:50	nginx		2017/06/02 21:22:50 [emerg] 98077#100105: bind() to 172.16.1.1:80 failed (48: Address already in use)
Jun 2 21:22:50	nginx		2017/06/02 21:22:50 [emerg] 98077#100105: bind() to 172.16.1.1:80 failed (48: Address already in use)
Jun 2 21:22:50	nginx		2017/06/02 21:22:50 [emerg] 98077#100105: bind() to 172.16.1.1:80 failed (48: Address already in use)

I have followed all your installation notes, and have configured it as it's meant to be. I have changed the webconfig port to HTTPS (443) then turned off WebGUI redirection. However… I do have a NAT rule redirecting HTTP traffic through E2Guardian, as it doesn't have this function automatically. Since it doesn't seem practical to fumble around with user authentication and CA's if friends and family come along.

EDIT: Found out how to reproduce the issue and make E2Guardian crash. I am using IP based authenticated since this is a home network and I want things as simple as possible. For all members of the family, and close relatives, they have been given a static IP and have been assigned to a group. However, if anyone else that hasn't specifically been assigned to a group tries to access a blocked site, E2Guardian crashes.

Aren't unauthenticated users meant to be assiged to the default group? That's how it was in 3.5.1?

How did I test this?
On my phone from time to time, I change my mac address in order to simulate a guest device without a assigned group, and to test the default group ACL's. As soon as I go to any blocked site using that, E2Guardian crashes. Furthermore, in the block page it doesn't even show the group as "Default". Am I going to have to manually put in like 200 guest IP's into the Default group IP tab? This worked perfectly before without any issues.

In case you are wondering… This is what appears on the logs when this all happens:

Jun 3 00:33:46	kernel		pid 7075 (e2guardian), uid 106: exited on signal 11
Jun 3 00:35:03	e2guardian	23849	Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf
Jun 3 00:35:04	kernel		pid 24676 (e2guardian), uid 106: exited on signal 11
Jun 3 00:35:11	check_reload_status		Syncing firewall
Jun 3 00:35:11	php-fpm	23959	/pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no
Jun 3 00:35:12	check_reload_status		Syncing firewall
Jun 3 00:35:14	php-fpm	24910	/pkg_edit.php: Starting E2guardian
Jun 3 00:35:14	php-fpm	37347	/pkg_edit.php: Reloading E2guardian
Jun 3 00:35:18	e2guardian	37162	Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf
Jun 3 00:35:19	kernel		pid 44972 (e2guardian), uid 106: exited on signal 11
Jun 3 00:35:37	e2guardian	49484	Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf
Jun 3 00:35:44	kernel		pid 49895 (e2guardian), uid 106: exited on signal 11
Jun 3 00:36:10	check_reload_status		Syncing firewall
Jun 3 00:36:10	php-fpm	49681	/pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no
Jun 3 00:36:11	check_reload_status		Syncing firewall
Jun 3 00:36:13	php-fpm	72183	/pkg.php: Starting E2guardian
Jun 3 00:36:15	php-fpm	83374	/pkg.php: Reloading E2guardian
Jun 3 00:36:17	e2guardian	83358	Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf
Jun 3 00:36:30	kernel		pid 92522 (e2guardian), uid 106: exited on signal 11
Jun 3 00:36:38	check_reload_status		Syncing firewall
Jun 3 00:36:38	php-fpm	83374	/pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no
Jun 3 00:36:38	check_reload_status		Syncing firewall
Jun 3 00:36:42	check_reload_status		Syncing firewall
Jun 3 00:36:42	php-fpm	96436	/pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no
Jun 3 00:36:43	check_reload_status		Syncing firewall
Jun 3 00:36:44	php-fpm	99121	/pkg_edit.php: Starting E2guardian

EDIT 2: Tried manually adding my spoofed MAC address IP to the default group. And I still ended up with a crash. Even after a reinstallation… :(
Now I've created a new group and added the entire range of IP's excluding the ones already in a group, that didn't seem to do the trick either. I guess I actually manually have to input those IP's?

**EDIT 3: After some even more digging… I found out that it wasn't related to the IP's or ranges being input into E2Guardian. I narrowed the issue being down the the IP having to be in the same subnet, if it's outside then it  will cause E2Guardian to crash.

For example my DHCP range is from 172.16.1.2-172.16.2.255. Any 2.x IP, going to any block page would cause E2Guardian to crash. This was not the behaviour in 3.5.1, no such issue. I forced my IP to be 172.16.1.50 and this time E2Guardian didn't crash on the block page which 100% confirms this.**

I give up lol… Made my range only one subnet. And now having the issue again. What kinda weird bug is this? It seems very likely that it's a problem with the authentication. Since it ONLY crashes when the devices "group" cannot be found. And it doesn't automatically put that device in the default group or anything.

marcelloc

This missing files on about page should not be therw. It's from postfix package I'll fix it.

The socket already in use is a service recall pfSense​do on wpad every config save. I'll try to ignore these calls from system and restart only from gui save.

pfsensation

@marcelloc:

This missing files on about page should not be therw. It's from postfix package I'll fix it.

The socket already in use is a service recall pfSense​do on wpad every config save. I'll try to ignore these calls from system and restart only from gui save.

Check my edit, I have found a way to reproduce the crashes of E2Guardian easily.

marcelloc

@pfsensation:

Check my edit, I have found a way to reproduce the crashes of E2Guardian easily.

I've update my ports with current e2guardian code and  removed the debug patches I've created while was trying to fix ILLEGAL INSTRUCTION bug we found before.

At least on 2.4 it's stable. I"ll update the binaries to 2.3 and also fix the about page.

marcelloc

pkg version 0.1.1 updates for 2.3 and 2.4  8)

No crashes on my tests until now.

pfsensation

@marcelloc:

pkg version 0.1.1 updates for 2.3 and 2.4  8)

No crashes on my tests until now.

I've upgraded to your latest package and I'm on pfsense 2.3.4, I'm still getting those crashes. :(

Have you been able to recreate the issue? Why is it giving so many issues on 2.3.4 if it works fine on 2.4?
Have you tried using multiple IP's? Currently I've assigned every single IP in my dhcp range to a group and I'm still having problems.

Could it be something related to my custom block page? Since it also shows filtergroup, host name and IP address? I posted the source code here. I'll have to try with the default page later on and see if that makes a difference. Although I don't think that's the cause.

marcelloc

I'm using your page and also testing on 2.3 64 bits.

pfsensation

@marcelloc:

I'm using your page and also testing on 2.3 64 bits.

Alright let me know how it goes. That's basically the same setup as mine.  By the way 4.1 completely fixed the  error too many redirects issue. I haven't had that error at least since updating from 3.5.1 :)

marcelloc

How exactly can I reproduce the error?

• Default install

• Ip address authentication

• squid as parent proxy(I'm using lan address to be able to test user authentication too)

• two groups(default + admin)

• home network on default group(192.168.1.0/255.255.255.0)

• specific devices ips on admin group

• ssl interception on both groups

• sslregex on youtube urls

Is there a specific site or rule or deny rule that is crashing you box?

I'm also trying:

• opening multiple browser tabs

• refreshing online new sites(that refreshes itself every x seconds)

• stopping site fetch during browser load, then loading another site, etc

marcelloc

Did you saw e2g binaries being updated during reinstall process? Pkg info should show e2guardian-4.1.1_1 pkg

Cino

I figured I would give E2guardian4 a spin and anytime something is blocked (word phase or blocked domain is what i tested so far), the daemon would crash. I think I've figure what is causing it, the block page.

When I used the block page provided by pfsensation, it crashes after it's display

pid 70160 (e2guardian), uid 65534: exited on signal 11

When I erase the block page, it doesn't put the default one back in there. So I graded the template from e2guardian github but that one doesn't want to load (haven't troubleshooting it yet)

[2.3.5-DEVELOPMENT][root@pfsense.home.lan]/root: /usr/local/etc/rc.d/e2guardian.sh restart
kern.ipc.somaxconn: 16384 -> 16384
kern.maxfiles: 131072 -> 131072
kern.maxfilesperproc: 104856 -> 104856
kern.threads.max_threads_per_proc: 4096 -> 4096
e2guardian not running? (check /var/run/e2guardian.pid).
Starting e2guardian.
Syntax error at first: -REASONGIVEN-
Error reading default HTML Template file: /usr/local/share/e2guardian/languages/ukenglish/template.html
Error opening filter group config: /usr/local/etc/e2guardian/e2guardianf1.conf
Error in reading filter group files
Error reading filter group conf file(s).
Error parsing the e2guardian.conf file or other e2guardian configuration files
/usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian

https://github.com/e2guardian/e2guardian/blob/v4.1/contrib/template.html

		<title>E2Guardian - Access Denied</title>

| 
				Access Denied!
			 |			
| 

				-USER- 
			 |			

					Your Organization
				 |				 
					Access to the page:

					[-URL-](-URL-)

					 ... has been denied for the following reason:

						 -REASONGIVEN- 

						You are seeing this error because what you attempted to access appears to contain,
						or is labeled as containing, material that has been deemed inappropriate.

						If you have any questions contact your [Network Administrator](mailto:-ADMIN-?subject=access%20denied&body=-URL-%20--%20-REASON-). 
					 Powered by [E2Guardian](http://www.e2guardian.org) 

						 [![Valid HTML 4.01 Transitional](http://www.w3.org/Icons/valid-html401)](http://validator.w3.org/check?uri=referer) 
						 [![Valid CSS!](http://jigsaw.w3.org/css-validator/images/vcss)](http://jigsaw.w3.org/css-validator/) 

				 |					

Since that wouldn't load, I took the spanish template and used google to translate it for me. No more crashing when pages are blocked.
/usr/local/share/e2guardian/languages/spanish/template.html

<title>E2guardian Access Denied</title>

<center>

	 **Access denied!**  |

	 **-USER- **  |

	 YOUR COMPANY  |	 
	 Access to the website

	[-URL-](-URL-)

	 Has been denied for the following reason:

	 **-REASONGIVEN-**
	 You are seeing this error message because the page you are

attempts to access contains, or is classified as containing,

material that is considered inappropriate.

If you have questions, please contact 
 with the System Administrator or the Network Administrator.

	 Powered by [e2guardian](http://www.e2guardian.org?block)  |

</center>

marcelloc

Ok. Try to add on pfsensation error page the html tags at the beginning and at the end. This is the way I'm using here.

custom_error_page.txt