Unofficial E2guardian package for pfSense
-
The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.
Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.
-
The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.
Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.
The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.
should not happen since 0.4.2.2.
-
The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.
Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.
The etc files are left behind on uninstall. Maybe you should remove them manually in case they have being corrupted. Then reinstall with clean etc folder.
should not happen since 0.4.2.2.
I feel maybe something got corrupted somewhere down the line, since I one day updated via console by accident. When hitting 13 and updating the actual system (due to the "pkg" bug).
Here's the output I get when uninstalling…
>>> Removing pfSense-pkg-E2guardian4... Checking integrity... done (0 conflicting) Deinstallation has been requested for the following 1 packages (of 0 packages in the universe): Installed packages to be REMOVED: pfSense-pkg-E2guardian4-0.4.2.3 Number of packages to be removed: 1 [1/1] Deinstalling pfSense-pkg-E2guardian4-0.4.2.3... Removing E2guardian4 components... Menu items... done. Services... done. Loading package instructions... Deinstall commands... Remove modified xml files... Removing package crons... Disabling automtic parent squid script... Removing conf files... done. [1/1] Deleting files for pfSense-pkg-E2guardian4-0.4.2.3: pfSense-pkg-E2guardian4-0.4.2.3: missing file /usr/local/etc/e2guardian/squidparent.conf [1/1] Deleting files for pfSense-pkg-E2guardian4-0.4.2.3...... pfSense-pkg-E2guardian4-0.4.2.3: missing file /usr/local/pkg/e2guardian_ips.xml [1/1] Deleting files for pfSense-pkg-E2guardian4-0.4.2.3...... pfSense-pkg-E2guardian4-0.4.2.3: missing file /usr/local/pkg/e2guardian_users.xml [1/1] Deleting files for pfSense-pkg-E2guardian4-0.4.2.3....... done Removing E2guardian4 components... Configuration... done. >>> Removing stale packages... done. SuccessThis is the output I get when installing…
>>> Installing pfSense-pkg-E2guardian4... Updating Unofficial repository catalogue... Fetching meta.txz: . done Fetching packagesite.txz: . done Processing entries: .. done Unofficial repository update completed. 13 packages processed. Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. Checking integrity... done (0 conflicting) The following 2 package(s) will be affected (of 0 checked): New packages to be INSTALLED: pfSense-pkg-E2guardian4: 0.4.2.3 [Unofficial] e2guardian: 4.1.1_11 [Unofficial] Number of packages to be installed: 2 The process will require 3 MiB more space. [1/2] Installing e2guardian-4.1.1_11... [1/2] Extracting e2guardian-4.1.1_11: .......... done [2/2] Installing pfSense-pkg-E2guardian4-0.4.2.3... [2/2] Extracting pfSense-pkg-E2guardian4-0.4.2.3: ......... done Saving updated package information... done. Loading package configuration... done. Configuring package components... Loading package instructions... Custom commands... Executing custom_php_install_command()...Checking E2guardian Blacklists... One moment please...Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |--- /usr/local/www/pkg_edit.orig.php 2017-04-05 17:12:56.478730000 -0300 |+++ /usr/local/www/pkg_edit.php 2017-04-05 17:13:51.614222000 -0300 -------------------------- Patching file /usr/local/www/pkg_edit.php using Plan A... Ignoring previously applied (or reversed) patch. Hunk #1 ignored at 656. 1 out of 1 hunks ignored--saving rejects to /usr/local/www/pkg_edit.php.rej done Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |--- /usr/local/www/pkg.orig.php 2017-04-05 17:18:25.349676000 -0300 |+++ /usr/local/www/pkg.php 2017-04-05 17:20:49.204578000 -0300 -------------------------- Patching file /usr/local/www/pkg.php using Plan A... Ignoring previously applied (or reversed) patch. Hunk #1 ignored at 329. 1 out of 1 hunks ignored--saving rejects to /usr/local/www/pkg.php.rej done Checking Blacklist... done. Executing custom_php_resync_config_command()...done. Menu items... done. Services... done. Writing configuration... done. Message from e2guardian-4.1.1_11: ===> Please Note: ******************************************************************************* This port has created a log file named e2guardian.log that can get quite large. Please read the newsyslog(8) man page for instructions on configuring log rotation and compression. This port has been converted using old dansguardian-devel port Let me know how it works (or not). (Patches always welcome.) ******************************************************************************* Message from pfSense-pkg-E2guardian4-0.4.2.3: Please visit Services - E2guardian Server menu to configure the package and enable it. >>> Cleaning up cache... done. SuccessI am seriously getting really frustrated, because Squid is even more of a buggy piece of sh** without E2Guardian. Some websites it can't even load… And when using Squid directly, I don't have Squid Guard so I have no filtering at this point in time, just open dns. I hope I have provided enough info, something seriously seems wrong here. :/
EDIT 2: FINALLY I FIXED IT WOOOW, MY HEAD IS RELIEVED!
I had to download the blacklist again, then set permissions, then re-apply blacklist. And then press the 'play button' and it started!!
-
Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.
They will be there. :)
All config stays on pfSense config.xml. The etc files just reflect what were saved on GUI. -
-rwxr-xr-x 1 root wheel 2099000 Jun 27 00:21 /usr/local/sbin/e2guardianbinary permission is ok.
[2.3.4-RELEASE][root@pfSense.kortex]/root: killall e2guradian;/usr/local/sbin/e2guardian -N No matching processes were found Error reading file /usr/local/etc/e2guardian/lists/blacklists/adv/domains: No such file or directory Error opening file: /usr/local/etc/e2guardian/lists/blacklists/adv/domains Error reading: /usr/local/etc/e2guardian/lists/bannedsitelist.g_Default Error opening bannedsitelist Error opening filter group config: /usr/local/etc/e2guardian/e2guardianf1.conf Error in reading filter group files Error reading filter group conf file(s). Error parsing the e2guardian.conf file or other e2guardian configuration filesblacklist and conf files were not applied via gui.
To force a blacklist apply, save config under blacklist tab.
-
[quote] This is the output I get when installing... Looks fine. [quote] EDIT 2: [u][b]FINALLY I FIXED IT WOOOW, MY HEAD IS RELIEVED![/b][/u] I had to download the blacklist again, then set permissions, then re-apply blacklist. And then press the 'play button' and it started!! [/quote] what permissions did you had to fix? If you want to force a blacklist download during install process, remove /usr/local/pkg/blacklist.tgz file after deinstall. [/quote] -
@pfsensation, I could reproduce the erros on lab.
The problem is with reinstall. It does the uninstall process that removes conf files but do not remove the e2guardian bsd package.
This way, some files 'get lost' in the process.
I'm working on it to fix and will push a fix.
thanks for all your feedbacks! 8)
-
fetch this file and try resintalling, upgrading, removing version e2guardian pkg v 0.4.2.5
fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian4/files/usr/local/pkg/e2guardian.incThis fetch 'fixes' uninstall process from previous versions ( < 0.4.2.4) by replacing with current 0.4.2.5 e2guardian.inc file.
After upgrading, apply settings under services -> e2guardian.
What's new on 0.4.2.5
-
Reduced uninstall remove file process to do not break reinstalls
-
Improved watchdog script and gui realtime view.
-
-
Really don't wanna lose my configs :( – It took a while to configure everything to a usable state.
They will be there. :)
All config stays on pfSense config.xml. The etc files just reflect what were saved on GUI.I've encountered a pfSense crash, again it seems to be related to E2Guardian. Wasn't able to collect any details on it. Then I realised there was an update for E2Guardian, I updated now and ended up with the same issue (couldn't start the service). Downloaded the blacklist again, then press play and it started.
So maybe force or keep old blacklist when upgrading / installing?
Also wanted to add that ShallaList categories still don't show D: – Just says "blocked site".
-
I've encountered a pfSense crash, again it seems to be related to E2Guardian. Wasn't able to collect any details on it. Then I realised there was an update for E2Guardian, I updated now and ended up with the same issue (couldn't start the service). Downloaded the blacklist again, then press play and it started.
Did you updated the inc file before the update? I did it on 3 different installs and upgrade was fine.
-
I've encountered a pfSense crash, again it seems to be related to E2Guardian. Wasn't able to collect any details on it. Then I realised there was an update for E2Guardian, I updated now and ended up with the same issue (couldn't start the service). Downloaded the blacklist again, then press play and it started.
Did you updated the inc file before the update? I did it on 3 different installs and upgrade was fine.
What inc file are you referring to? I haven't touched any specific inc files.
-
fetch this file and try resintalling, upgrading, removing version e2guardian pkg v 0.4.2.5
fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian4/files/usr/local/pkg/e2guardian.incThis fetch 'fixes' uninstall process from previous versions ( < 0.4.2.4) by replacing with current 0.4.2.5 e2guardian.inc file.
After upgrading, apply settings under services -> e2guardian.
What's new on 0.4.2.5
-
Reduced uninstall remove file process to do not break reinstalls
-
Improved watchdog script and gui realtime view.
from this post. ::)
But if you are on 0.4.2.5, you don't need this fetch anymore.
-
-
fetch this file and try resintalling, upgrading, removing version e2guardian pkg v 0.4.2.5
fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian4/files/usr/local/pkg/e2guardian.incThis fetch 'fixes' uninstall process from previous versions ( < 0.4.2.4) by replacing with current 0.4.2.5 e2guardian.inc file.
After upgrading, apply settings under services -> e2guardian.
What's new on 0.4.2.5
-
Reduced uninstall remove file process to do not break reinstalls
-
Improved watchdog script and gui realtime view.
from this post. ::)
But if you are on 0.4.2.5, you don't need this fetch anymore.
Let's see how this goes. Have you tried setting up HTTPS transparently? If I try forwarding port 443 to 8080 on the pfSense box, it breaks HTTPS. However it works fine on HTTP (port 80) this is how I have it setup already.
I know it can be done without breaking HTTPS because smoothwall has this capability. You can get onto HTTPS sites just by installing their CA certificate (without setting up proxy settings on Android). And I am mentioning Android in particular because it doesn't have WPAD or any auto detection, so all the magic must be happening on the actual router itself, it is making HTTPS traffic go through the filter.
Let me know if this can be done, it would be useful to have for guest devices. Not 100% sure but I think Squid has this, if we could set it up for certain IP's or ranges it would be fantastic. :)
It's annoying to go around and actually manually configure the proxy settings for Android in particular, and some apps.
EDIT: I think that Fortinet uses some kind of ARP poisoning as one way of working. Probably right up there with our brute force method of using NAT redirects. Even on IOS devices, they haven't always been the best when picking up the proxy settings from WPAD.
-
-
e2guardian mitm does not work in transparent mode. If you you want transparent mode you have to turn off mitm and block only by blacklist.
I do not know the technicality why but I think is because to use SSL forging you need to authenticate the connection to a user/machine and that has to be in explicit mode.
-
Let's see how this goes. Have you tried setting up HTTPS transparently? If I try forwarding port 443 to 8080 on the pfSense box, it breaks HTTPS. However it works fine on HTTP (port 80) this is how I have it setup already.
Only when e2guardian code supports transparent ssl. Current version does not has it.
If you forward 443 to e2g, you may filter without mitm.
A working setup is e2g in sandwich mode (squid tranparent +splice all -> e2g without mitm -> automatic parent). You can deny access to sites but with no intercetion and no client config.You can create groups acls that has proxy configured and interception and groups from squid splice all.
EDIT
I've included a request on e2guardian github project. hope they can do it soon
https://github.com/e2guardian/e2guardian/issues/254 -
Let's see how this goes. Have you tried setting up HTTPS transparently? If I try forwarding port 443 to 8080 on the pfSense box, it breaks HTTPS. However it works fine on HTTP (port 80) this is how I have it setup already.
Only when e2guardian code supports transparent ssl. Current version does not has it.
If you forward 443 to e2g, you may filter without mitm.
A working setup is e2g in sandwich mode (squid tranparent +splice all -> e2g without mitm -> automatic parent). You can deny access to sites but with no intercetion and no client config.You can create groups acls that has proxy configured and interception and groups from squid splice all.
I'm trying to get this transparent setup only for the guest devices. Devices that I cannot get a CA on, however on all the rest I want normal MITM. Would that be possible?
When I get home I will try messing with it, because ideally for guests I want to just use splice all (via E2Guardian) which is what I'm already doing but Android clients don't want to happily work with this kind of setup. But for other groups it's MITM, I always try avoiding using a url based blocking because in today's day and age it's useless. And it's like going back to the old SquidGuard days for me, limited.
-
Just thinking a vage idea. Maybe you can make all your Android devices to connect to a specific subnet. Then you can authenticate by that subnet in a Group. This way you can filter with block list and content.
Maybe you can have one Wireless Router with DHCP relay assigning IPs by the subnet segment with a password only fro Android users.
The hardway is to have a MAC roster file with each Android device, then assign IPs reservations from a subnet pool.
But for mitm to work you have to use the CA.
Someone may have a better defined idea to this.
-
Just thinking a vage idea. Maybe you can make all your Android devices to connect to a specific subnet. Then you can authenticate by that subnet in a Group. This way you can filter with block list and content.
Maybe you can have one Wireless Router with DHCP relay assigning IPs by the subnet segment with a password only fro Android users.
The hardway is to have a MAC roster file with each Android device, then assign IPs reservations from a subnet pool.
But for mitm to work you have to use the CA.
Someone may have a better defined idea to this.
Android requires some extra setup for getting HTTPS filtering, that's kinda one of the big issues. And also, it would be hard to identify Android devices and slap them on a different subnet.
-
Just thinking a vage idea. Maybe you can make all your Android devices to connect to a specific subnet. Then you can authenticate by that subnet in a Group. This way you can filter with block list and content.
Maybe you can have one Wireless Router with DHCP relay assigning IPs by the subnet segment with a password only fro Android users.
The hardway is to have a MAC roster file with each Android device, then assign IPs reservations from a subnet pool.
But for mitm to work you have to use the CA.
Someone may have a better defined idea to this.
Android requires some extra setup for getting HTTPS filtering, that's kinda one of the big issues. And also, it would be hard to identify Android devices and slap them on a different subnet.
Yes. That is why I suggested the MAC address roster. I do not know how many Android devices are in your network but maybe doable.
Another idea is hard because requires coding. Maybe someone could create a Captive Portal page with java script that could identify the connecting device OS and MAC address. Then on a submit button execute other script that use the MAC to programmatically add it to the DHCP reservation table and invoke a command in the Android device to refresh the IP. Maybe on the same script invoke command to load the CA for the user to import it in the device.
-
Just thinking a vage idea. Maybe you can make all your Android devices to connect to a specific subnet. Then you can authenticate by that subnet in a Group. This way you can filter with block list and content.
Maybe you can have one Wireless Router with DHCP relay assigning IPs by the subnet segment with a password only fro Android users.
The hardway is to have a MAC roster file with each Android device, then assign IPs reservations from a subnet pool.
But for mitm to work you have to use the CA.
Someone may have a better defined idea to this.
Android requires some extra setup for getting HTTPS filtering, that's kinda one of the big issues. And also, it would be hard to identify Android devices and slap them on a different subnet.
Yes. That is why I suggested the MAC address roster. I do not know how many Android devices are in your network but maybe doable.
Another idea is hard because requires coding. Maybe someone could create a Captive Portal page with java script that could identify the connecting device OS and MAC address. Then on a submit button execute other script that use the MAC to programmatically add it to the DHCP reservation table and invoke a command in the Android device to refresh the IP. Maybe on the same script invoke command to load the CA for the user to import it in the device.
Most commercial products that do filtering seem to have a way to alert the user to install a CA. But the CA isn't the only issue here, android actually needs you to set pfsense as the proxy to allow https filtering. Because http traffic is easily redirected.
But I'm confused, if I try redirecting Port 443 to 8080 it breaks https, however smoothwall is able to do this without any client configuration. Just installing the CA. For guest devices though, ideally I don't want to deal with any CA's.
