Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unofficial E2guardian package for pfSense

    Scheduled Pinned Locked Moved Cache/Proxy
    1.2k Posts 71 Posters 1.7m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfsensation
      last edited by

      @marcelloc:

      what you get with :

      ls -l /usr/local/sbin/e2guardian

      -rwxr-xr-x  1 root  wheel  2099000 Jun 27 00:21 /usr/local/sbin/e2guardian
      

      @marcelloc:

      killall e2guradian;/usr/local/sbin/e2guardian -N

      
      [2.3.4-RELEASE][root@pfSense.kortex]/root: killall e2guradian;/usr/local/sbin/e2guardian -N
      No matching processes were found
      Error reading file /usr/local/etc/e2guardian/lists/blacklists/adv/domains: No such file or directory
      Error opening file: /usr/local/etc/e2guardian/lists/blacklists/adv/domains
      Error reading: /usr/local/etc/e2guardian/lists/bannedsitelist.g_Default
      Error opening bannedsitelist
      Error opening filter group config: /usr/local/etc/e2guardian/e2guardianf1.conf
      Error in reading filter group files
      Error reading filter group conf file(s).
      Error parsing the e2guardian.conf file or other e2guardian configuration files
      
      1 Reply Last reply Reply Quote 0
      • P
        pfsensation
        last edited by

        @jetberrocal:

        The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.

        Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.

        1 Reply Last reply Reply Quote 0
        • J
          jetberrocal
          last edited by

          @pfsensation:

          @jetberrocal:

          The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.

          Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.

          @marcelloc:

          @jetberrocal:

          The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.

          should not happen since 0.4.2.2.

          1 Reply Last reply Reply Quote 0
          • P
            pfsensation
            last edited by

            @jetberrocal:

            @pfsensation:

            @jetberrocal:

            The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.

            Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.

            @marcelloc:

            @jetberrocal:

            The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.

            should not happen since 0.4.2.2.

            I feel maybe something got corrupted somewhere down the line, since I one day updated via console by accident. When hitting 13 and updating the actual system (due to the "pkg" bug).

            Here's the output I get when uninstalling…

            >>> Removing pfSense-pkg-E2guardian4... 
            Checking integrity... done (0 conflicting)
            Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):
            
            Installed packages to be REMOVED:
            	pfSense-pkg-E2guardian4-0.4.2.3
            
            Number of packages to be removed: 1
            [1/1] Deinstalling pfSense-pkg-E2guardian4-0.4.2.3...
            Removing E2guardian4 components...
            Menu items... done.
            Services... done.
            Loading package instructions...
            Deinstall commands... Remove modified xml files...
            Removing package crons...
            Disabling automtic parent squid script...
            Removing conf files...
            done.
            [1/1] Deleting files for pfSense-pkg-E2guardian4-0.4.2.3: 
            pfSense-pkg-E2guardian4-0.4.2.3: missing file /usr/local/etc/e2guardian/squidparent.conf
            [1/1] Deleting files for pfSense-pkg-E2guardian4-0.4.2.3......
            pfSense-pkg-E2guardian4-0.4.2.3: missing file /usr/local/pkg/e2guardian_ips.xml
            [1/1] Deleting files for pfSense-pkg-E2guardian4-0.4.2.3......
            pfSense-pkg-E2guardian4-0.4.2.3: missing file /usr/local/pkg/e2guardian_users.xml
            [1/1] Deleting files for pfSense-pkg-E2guardian4-0.4.2.3....... done
            Removing E2guardian4 components...
            Configuration... done.
            >>> Removing stale packages... done.
            Success
            

            This is the output I get when installing…

            >>> Installing pfSense-pkg-E2guardian4... 
            Updating Unofficial repository catalogue...
            Fetching meta.txz: . done
            Fetching packagesite.txz: . done
            Processing entries: .. done
            Unofficial repository update completed. 13 packages processed.
            Updating pfSense-core repository catalogue...
            pfSense-core repository is up to date.
            Updating pfSense repository catalogue...
            pfSense repository is up to date.
            All repositories are up to date.
            Checking integrity... done (0 conflicting)
            The following 2 package(s) will be affected (of 0 checked):
            
            New packages to be INSTALLED:
            	pfSense-pkg-E2guardian4: 0.4.2.3 [Unofficial]
            	e2guardian: 4.1.1_11 [Unofficial]
            
            Number of packages to be installed: 2
            
            The process will require 3 MiB more space.
            [1/2] Installing e2guardian-4.1.1_11...
            [1/2] Extracting e2guardian-4.1.1_11: .......... done
            [2/2] Installing pfSense-pkg-E2guardian4-0.4.2.3...
            [2/2] Extracting pfSense-pkg-E2guardian4-0.4.2.3: ......... done
            Saving updated package information...
            done.
            Loading package configuration... done.
            Configuring package components...
            Loading package instructions...
            Custom commands...
            Executing custom_php_install_command()...Checking E2guardian Blacklists... One moment please...Hmm...  Looks like a unified diff to me...
            The text leading up to this was:
            --------------------------
            |--- /usr/local/www/pkg_edit.orig.php	2017-04-05 17:12:56.478730000 -0300
            |+++ /usr/local/www/pkg_edit.php	2017-04-05 17:13:51.614222000 -0300
            --------------------------
            Patching file /usr/local/www/pkg_edit.php using Plan A...
            Ignoring previously applied (or reversed) patch.
            Hunk #1 ignored at 656.
            1 out of 1 hunks ignored--saving rejects to /usr/local/www/pkg_edit.php.rej
            done
            Hmm...  Looks like a unified diff to me...
            The text leading up to this was:
            --------------------------
            |--- /usr/local/www/pkg.orig.php	2017-04-05 17:18:25.349676000 -0300
            |+++ /usr/local/www/pkg.php	2017-04-05 17:20:49.204578000 -0300
            --------------------------
            Patching file /usr/local/www/pkg.php using Plan A...
            Ignoring previously applied (or reversed) patch.
            Hunk #1 ignored at 329.
            1 out of 1 hunks ignored--saving rejects to /usr/local/www/pkg.php.rej
            done
            Checking Blacklist...
            done.
            Executing custom_php_resync_config_command()...done.
            Menu items... done.
            Services... done.
            Writing configuration... done.
            Message from e2guardian-4.1.1_11:
            ===>   Please Note:
            
            *******************************************************************************
                   This port has created a log file named e2guardian.log that can get
                   quite large.  Please read the newsyslog(8) man page for instructions
                   on configuring log rotation and compression.
            
                   This port has been converted using old dansguardian-devel port
                   Let me know how it works (or not). (Patches always welcome.)
            *******************************************************************************
            Message from pfSense-pkg-E2guardian4-0.4.2.3:
            Please visit Services - E2guardian Server menu to configure the package and enable it.
            >>> Cleaning up cache... done.
            Success
            

            I am seriously getting really frustrated, because Squid is even more of a buggy piece of sh** without E2Guardian. Some websites it can't even load… And when using Squid directly, I don't have Squid Guard so I have no filtering at this point in time, just open dns. I hope I have provided enough info, something seriously seems wrong here. :/

            EDIT 2: FINALLY I FIXED IT WOOOW, MY HEAD IS RELIEVED!

            I had to download the blacklist again, then set permissions, then  re-apply blacklist. And then press the 'play button' and it started!!

            1 Reply Last reply Reply Quote 0
            • marcellocM
              marcelloc
              last edited by

              @pfsensation:

              Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.

              They will be there. :)
              All config stays on pfSense config.xml. The etc files just reflect what were saved on GUI.

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                @pfsensation:

                -rwxr-xr-x  1 root  wheel  2099000 Jun 27 00:21 /usr/local/sbin/e2guardian
                

                binary permission is ok.

                @pfsensation:

                
                [2.3.4-RELEASE][root@pfSense.kortex]/root: killall e2guradian;/usr/local/sbin/e2guardian -N
                No matching processes were found
                Error reading file /usr/local/etc/e2guardian/lists/blacklists/adv/domains: No such file or directory
                Error opening file: /usr/local/etc/e2guardian/lists/blacklists/adv/domains
                Error reading: /usr/local/etc/e2guardian/lists/bannedsitelist.g_Default
                Error opening bannedsitelist
                Error opening filter group config: /usr/local/etc/e2guardian/e2guardianf1.conf
                Error in reading filter group files
                Error reading filter group conf file(s).
                Error parsing the e2guardian.conf file or other e2guardian configuration files
                

                blacklist and conf files were not applied via gui.

                To force a blacklist apply, save config under blacklist tab.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  [quote]
                  This is the output I get when installing...
                  
                  Looks fine.
                  
                  [quote]
                  EDIT 2: [u][b]FINALLY I FIXED IT WOOOW, MY HEAD IS RELIEVED![/b][/u]
                  
                  I had to download the blacklist again, then set permissions, then  re-apply blacklist. And then press the 'play button' and it started!!
                  [/quote]
                  
                  what permissions did you had to fix?
                  
                  If you want to force a blacklist download during install process, remove /usr/local/pkg/blacklist.tgz file after deinstall.
                  
                  [/quote]
                  

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • marcellocM
                    marcelloc
                    last edited by

                    @pfsensation, I could reproduce the erros on lab.

                    The problem is with reinstall. It does the uninstall process that removes conf files but do not remove the e2guardian bsd package.

                    This way, some files 'get lost' in the process.

                    I'm working on it to fix and will push a fix.

                    thanks for all your feedbacks!  8)

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      fetch this file and try resintalling, upgrading, removing version e2guardian pkg v 0.4.2.5

                      fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian4/files/usr/local/pkg/e2guardian.inc
                      

                      This fetch 'fixes' uninstall process from previous versions ( < 0.4.2.4) by replacing with current 0.4.2.5 e2guardian.inc file.

                      After upgrading, apply settings under services -> e2guardian.

                      What's new on 0.4.2.5

                      • Reduced uninstall remove file process to do not break reinstalls

                      • Improved watchdog script and gui realtime view.

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • P
                        pfsensation
                        last edited by

                        @marcelloc:

                        @pfsensation:

                        Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.

                        They will be there. :)
                        All config stays on pfSense config.xml. The etc files just reflect what were saved on GUI.

                        I've encountered a pfSense crash, again it seems to be related to E2Guardian. Wasn't able to collect any details on it. Then I realised there was an update for E2Guardian, I updated now and ended up with the same issue (couldn't start the service). Downloaded the blacklist again, then press play and it started.

                        So maybe force or keep old blacklist when upgrading / installing?

                        Also wanted to add that ShallaList categories still don't show D: – Just says "blocked site".

                        1 Reply Last reply Reply Quote 0
                        • marcellocM
                          marcelloc
                          last edited by

                          @pfsensation:

                          I've encountered a pfSense crash, again it seems to be related to E2Guardian. Wasn't able to collect any details on it. Then I realised there was an update for E2Guardian, I updated now and ended up with the same issue (couldn't start the service). Downloaded the blacklist again, then press play and it started.

                          Did you updated the inc file before the update? I did it on 3 different installs and upgrade was fine.

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • P
                            pfsensation
                            last edited by

                            @marcelloc:

                            @pfsensation:

                            I've encountered a pfSense crash, again it seems to be related to E2Guardian. Wasn't able to collect any details on it. Then I realised there was an update for E2Guardian, I updated now and ended up with the same issue (couldn't start the service). Downloaded the blacklist again, then press play and it started.

                            Did you updated the inc file before the update? I did it on 3 different installs and upgrade was fine.

                            What inc file are you referring to? I haven't touched any specific inc files.

                            1 Reply Last reply Reply Quote 0
                            • marcellocM
                              marcelloc
                              last edited by

                              @marcelloc:

                              fetch this file and try resintalling, upgrading, removing version e2guardian pkg v 0.4.2.5

                              fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian4/files/usr/local/pkg/e2guardian.inc
                              

                              This fetch 'fixes' uninstall process from previous versions ( < 0.4.2.4) by replacing with current 0.4.2.5 e2guardian.inc file.

                              After upgrading, apply settings under services -> e2guardian.

                              What's new on 0.4.2.5

                              • Reduced uninstall remove file process to do not break reinstalls

                              • Improved watchdog script and gui realtime view.

                              from this post. ::)

                              But if you are on 0.4.2.5, you don't need this fetch anymore.

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              1 Reply Last reply Reply Quote 0
                              • P
                                pfsensation
                                last edited by

                                @marcelloc:

                                @marcelloc:

                                fetch this file and try resintalling, upgrading, removing version e2guardian pkg v 0.4.2.5

                                fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian4/files/usr/local/pkg/e2guardian.inc
                                

                                This fetch 'fixes' uninstall process from previous versions ( < 0.4.2.4) by replacing with current 0.4.2.5 e2guardian.inc file.

                                After upgrading, apply settings under services -> e2guardian.

                                What's new on 0.4.2.5

                                • Reduced uninstall remove file process to do not break reinstalls

                                • Improved watchdog script and gui realtime view.

                                from this post. ::)

                                But if you are on 0.4.2.5, you don't need this fetch anymore.

                                Let's see how this goes. Have you tried setting up HTTPS transparently? If I try forwarding port 443 to 8080 on the pfSense box, it breaks HTTPS. However it works fine on HTTP (port 80) this is how I have it setup already.

                                I know it can be done without breaking HTTPS because smoothwall has this capability. You can get onto HTTPS sites just by installing their CA certificate (without setting up proxy settings on Android). And I am mentioning Android in particular because it doesn't have WPAD or any auto detection, so all the magic must be happening on the actual router itself, it is making HTTPS traffic go through the filter.

                                Let me know if this can be done, it would be useful to have for guest devices. Not 100% sure but I think Squid has this, if we could set it up for certain IP's or ranges it would be fantastic. :)

                                It's annoying to go around and actually manually configure the proxy settings for Android in particular, and some apps.

                                EDIT: I think that Fortinet uses some kind of ARP poisoning as one way of working. Probably right up there with our brute force method of using NAT redirects. Even on IOS devices, they haven't always been the best when picking up the proxy settings from WPAD.

                                1 Reply Last reply Reply Quote 0
                                • J
                                  jetberrocal
                                  last edited by

                                  e2guardian mitm does not work in transparent mode.  If you you want transparent mode you have to turn off mitm and block only by blacklist.

                                  I do not know the technicality why but I think is because to use SSL forging you need to authenticate the connection to a user/machine and that has to be in explicit mode.

                                  1 Reply Last reply Reply Quote 0
                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    @pfsensation:

                                    Let's see how this goes. Have you tried setting up HTTPS transparently? If I try forwarding port 443 to 8080 on the pfSense box, it breaks HTTPS. However it works fine on HTTP (port 80) this is how I have it setup already.

                                    Only when e2guardian code supports transparent ssl. Current version does not has it.
                                    If you forward 443 to e2g, you may filter without mitm.
                                    A working setup is e2g in sandwich mode (squid tranparent +splice all -> e2g without mitm -> automatic parent). You can deny access to sites but with no intercetion and no client config.

                                    You can create groups acls that has proxy configured and interception and groups from squid splice all.

                                    EDIT

                                    I've included a request on e2guardian github project. hope they can do it soon
                                    https://github.com/e2guardian/e2guardian/issues/254

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      pfsensation
                                      last edited by

                                      @marcelloc:

                                      @pfsensation:

                                      Let's see how this goes. Have you tried setting up HTTPS transparently? If I try forwarding port 443 to 8080 on the pfSense box, it breaks HTTPS. However it works fine on HTTP (port 80) this is how I have it setup already.

                                      Only when e2guardian code supports transparent ssl. Current version does not has it.
                                      If you forward 443 to e2g, you may filter without mitm.
                                      A working setup is e2g in sandwich mode (squid tranparent +splice all -> e2g without mitm -> automatic parent). You can deny access to sites but with no intercetion and no client config.

                                      You can create groups acls that has proxy configured and interception and groups from squid splice all.

                                      I'm trying to get this transparent setup only for the guest devices. Devices that I cannot get a CA on, however on all the rest I want normal MITM. Would that be possible?

                                      When I get home I will try messing with it, because ideally for guests I want to just use splice all (via E2Guardian) which is what I'm already doing but Android clients don't want to happily work with this kind of setup. But for other groups it's MITM, I always try avoiding using a url based blocking because in today's day and age it's useless. And it's like going back to the old SquidGuard days for me, limited.

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        jetberrocal
                                        last edited by

                                        Just thinking a vage idea.  Maybe you can make all your Android devices to connect to a specific subnet.  Then you can authenticate by that subnet in a Group.  This way you can filter with block list and content.

                                        Maybe you can have one Wireless Router with DHCP relay assigning IPs by the subnet segment with a password only fro Android users.

                                        The hardway is to have a MAC roster file with each Android device, then assign IPs reservations from a subnet pool.

                                        But for mitm to work you have to use the CA.

                                        Someone may have a better defined idea to this.

                                        1 Reply Last reply Reply Quote 0
                                        • P
                                          pfsensation
                                          last edited by

                                          @jetberrocal:

                                          Just thinking a vage idea.  Maybe you can make all your Android devices to connect to a specific subnet.  Then you can authenticate by that subnet in a Group.  This way you can filter with block list and content.

                                          Maybe you can have one Wireless Router with DHCP relay assigning IPs by the subnet segment with a password only fro Android users.

                                          The hardway is to have a MAC roster file with each Android device, then assign IPs reservations from a subnet pool.

                                          But for mitm to work you have to use the CA.

                                          Someone may have a better defined idea to this.

                                          Android requires some extra setup for getting HTTPS filtering, that's kinda one of the big issues. And also, it would be hard to identify Android devices and slap them on a different subnet.

                                          1 Reply Last reply Reply Quote 0
                                          • J
                                            jetberrocal
                                            last edited by

                                            @pfsensation:

                                            @jetberrocal:

                                            Just thinking a vage idea.  Maybe you can make all your Android devices to connect to a specific subnet.  Then you can authenticate by that subnet in a Group.  This way you can filter with block list and content.

                                            Maybe you can have one Wireless Router with DHCP relay assigning IPs by the subnet segment with a password only fro Android users.

                                            The hardway is to have a MAC roster file with each Android device, then assign IPs reservations from a subnet pool.

                                            But for mitm to work you have to use the CA.

                                            Someone may have a better defined idea to this.

                                            Android requires some extra setup for getting HTTPS filtering, that's kinda one of the big issues. And also, it would be hard to identify Android devices and slap them on a different subnet.

                                            Yes.  That is why I suggested the MAC address roster.  I do not know how many Android devices are in your network but maybe doable.

                                            Another idea is hard because requires coding.  Maybe someone could create a Captive Portal page with java script that could identify the connecting device OS and MAC address.  Then on a submit button execute other script that use the MAC to programmatically add it to the DHCP reservation table and invoke a command in the Android device to refresh the IP.  Maybe on the same script invoke command to load the CA for the user to import it in the device.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.