Pacote não oficial E2guardian para software pfsense® - Adeus squidguard :D
-
O e2Guardian trabalha com squid autenticado via NCSA e respeita as ACL do squid?
Ele tem suas próprias acls, mas recebe os usuários que o squid autenticou via configuração do parent. você pode fazer a declaração tanto via custom options quanto pela segunda aba de configuração do squid.
-
Olá, poderiam dar uma explicada na questão das ACL? ele trabalha igual ao SQUID GUARD criando grupos e colocando os usuarios? como ele funciona? precisava liberar os usuÁrios de acordo com os grupos igual fazia no squid guard porem na guia groups nao tem campo para colocar os usuarios.
Depois de configurar o squid para enviar o trafego para o e2guardian
cache_peer 127.0.0.1 parent 8080 0 login=*:password always_direct deny all never_direct allow all
Acesse o E2guardian e:
-
Defina as acls na aba acl com o que você permite ou bloqueia, de acordo com o horário ou sem ativa.
-
Em seguida defina os grupos (Default, admin, restrito, etc..) e selecione quais acls se aplicam a ele
-
Depois de definir os grupos, diga quais usuários fazem parte de cada grupo na aba users.
-
-
Procedimento básico de instalação em um pfSense 2.3.4 recém instalado sem nenhum pacote
Depois do repositório habilitado:
>>> Installing pfSense-pkg-E2guardian4... Updating Unofficial repository catalogue... Fetching meta.txz: . done Fetching packagesite.txz: . done Processing entries: .. done Unofficial repository update completed. 13 packages processed. Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. Updating database digests format: . done The following 7 package(s) will be affected (of 0 checked): New packages to be INSTALLED: pfSense-pkg-E2guardian4: 0.4.2.3 [Unofficial] squid: 3.5.26 [pfSense] krb5: 1.15.1_4 [pfSense] pkgconf: 1.3.0,1 [pfSense] cyrus-sasl: 2.1.26_12 [pfSense] e2guardian: 4.1.1_11 [Unofficial] openssl: 1.0.2l,1 [Unofficial] Number of packages to be installed: 7 The process will require 29 MiB more space. 7 MiB to be downloaded. [1/7] Fetching pfSense-pkg-E2guardian4-0.4.2.3.txz: .......... done [2/7] Fetching squid-3.5.26.txz: .......... done [3/7] Fetching krb5-1.15.1_4.txz: .......... done [4/7] Fetching pkgconf-1.3.0,1.txz: ....... done [5/7] Fetching cyrus-sasl-2.1.26_12.txz: .......... done [6/7] Fetching e2guardian-4.1.1_11.txz: .......... done [7/7] Fetching openssl-1.0.2l,1.txz: .......... done Checking integrity... done (0 conflicting) [1/7] Installing pkgconf-1.3.0,1... [1/7] Extracting pkgconf-1.3.0,1: .......... done [2/7] Installing krb5-1.15.1_4... [2/7] Extracting krb5-1.15.1_4: .......... done [3/7] Installing cyrus-sasl-2.1.26_12... *** Added group `cyrus' (id 60) *** Added user `cyrus' (id 60) [3/7] Extracting cyrus-sasl-2.1.26_12: .......... done [4/7] Installing squid-3.5.26... ===> Creating groups. Creating group 'squid' with gid '100'. ===> Creating users Creating user 'squid' with uid '100'. ===> Pre-installation configuration for squid-3.5.26 [4/7] Extracting squid-3.5.26: .......... done [5/7] Installing e2guardian-4.1.1_11... [5/7] Extracting e2guardian-4.1.1_11: .......... done [6/7] Installing pfSense-pkg-E2guardian4-0.4.2.3... [6/7] Extracting pfSense-pkg-E2guardian4-0.4.2.3: ......... done Saving updated package information... done. Loading package configuration... done. Configuring package components... Loading package instructions... Custom commands... Executing custom_php_install_command()...Checking E2guardian Blacklists... One moment please...Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |--- /usr/local/www/pkg_edit.orig.php 2017-04-05 17:12:56.478730000 -0300 |+++ /usr/local/www/pkg_edit.php 2017-04-05 17:13:51.614222000 -0300 -------------------------- Patching file /usr/local/www/pkg_edit.php using Plan A... Hunk #1 succeeded at 656 (offset 5 lines). done Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |--- /usr/local/www/pkg.orig.php 2017-04-05 17:18:25.349676000 -0300 |+++ /usr/local/www/pkg.php 2017-04-05 17:20:49.204578000 -0300 -------------------------- Patching file /usr/local/www/pkg.php using Plan A... Hunk #1 succeeded at 329 (offset 5 lines). done Checking Blacklist... 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%Blacklist check done, continuing package config sync. done. Executing custom_php_resync_config_command()...done. Menu items... done. Services... done. Writing configuration... done. [7/7] Installing openssl-1.0.2l,1... Extracting openssl-1.0.2l,1: .......... done Message from cyrus-sasl-2.1.26_12: You can use sasldb2 for authentication, to add users use: saslpasswd2 -c username If you want to enable SMTP AUTH with the system Sendmail, read Sendmail.README NOTE: This port has been compiled with a default pwcheck_method of auxprop. If you want to authenticate your user by /etc/passwd, PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and set sasl_pwcheck_method to saslauthd after installing the Cyrus-IMAPd 2.X port. You should also check the /usr/local/lib/sasl2/*.conf files for the correct pwcheck_method. If you want to use GSSAPI mechanism, install ports/security/cyrus-sasl2-gssapi. If you want to use SRP mechanism, install ports/security/cyrus-sasl2-srp. If you want to use LDAP auxprop plugin, install ports/security/cyrus-sasl2-ldapdb. Message from squid-3.5.26: o You can find the configuration files for this package in the directory /usr/local/etc/squid. o The default cache directory is /var/squid/cache/. The default log directory is /var/log/squid/. Note: You must initialize new cache directories before you can start squid. Do this by running "squid -z" as 'root' or 'squid'. If your cache directories are already initialized (e.g. after an upgrade of squid) you do not need to initialize them again. o When using DiskD storage scheme remember to read documentation: http://wiki.squid-cache.org/Features/DiskDaemon and alter your kern.ipc defaults in /boot/loader.conf. DiskD will not work reliably without this. Last recomendations were: kern.ipc.msgmnb=8192 kern.ipc.msgssz=64 kern.ipc.msgtql=2048 o The default configuration will deny everyone but the local host and local networks as defined in RFC 1918 for IPv4 and RFCs 4193 and 4291 for IPv6 access to the proxy service. Edit the "http_access allow/deny" directives in /usr/local/etc/squid/squid.conf to suit your needs. o If AUTH_SQL option is set, please, don't forget to install one of following perl modules depending on database you like: databases/p5-DBD-mysql databases/p5-DBD-Pg databases/p5-DBD-SQLite To enable Squid, set squid_enable=yes in either /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid Please see /usr/local/etc/rc.d/squid for further details. Note: If you just updated your Squid installation from an earlier version, make sure to check your Squid configuration against the 3.4 default configuration file /usr/local/etc/squid/squid.conf.sample. /usr/local/etc/squid/squid.conf.documented is a fully annotated configuration file you can consult for further reference. Additionally, you should check your configuration by calling 'squid -f /path/to/squid.conf -k parse' before starting Squid. Message from e2guardian-4.1.1_11: ===> Please Note: ******************************************************************************* This port has created a log file named e2guardian.log that can get quite large. Please read the newsyslog(8) man page for instructions on configuring log rotation and compression. This port has been converted using old dansguardian-devel port Let me know how it works (or not). (Patches always welcome.) ******************************************************************************* Message from pfSense-pkg-E2guardian4-0.4.2.3: Please visit Services - E2guardian Server menu to configure the package and enable it. Message from openssl-1.0.2l,1: Edit /usr/local/openssl/openssl.cnf to fit your needs. >>> Cleaning up cache... done. Success
Após a instalação,
-
Criei uma CA
-
selecionei ela na aba daemon do e2g e digitei a porta(8080)
-
Habilitei o ssl filtering
-
selecioneil o watchdog no advanced fields
-
save
-
na aba general
-
selecionei address como authentication
-
Mudei o modo de filtro de denied para filtered
-
save, apply
Por segurança, criei uma regra na lan permitindo trafego na porta 8080 do e2guardian.
-
-
Ele tem suas próprias acls, mas recebe os usuários que o squid autenticou via configuração do parent. você pode fazer a declaração tanto via custom options quanto pela segunda aba de configuração do squid.
Estou levantando um lab virtual para colaborar com os testes.
Em meu cenário tenho alguns equipamentos do laboratório de uso coletivo e somente alguns usuários tem permissão de uso da internet.No Squid por padrão todos são obrigado a se autenticar, utilizei um recurso de ACL onde diretores e alguns usuários do administrativo (ip fixo) acessam a internet mas o navegador não pede autenticação e o bom de tudo que todos passam e recebem as regras do squid.
Em breve posto meu resultado com os testes nestas condições.
-
Pra quem estiver usando uma versão anterior a 0.4.2.5, antes de executar o processo de atualização ou desinstalação, execute esse comado:
fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian4/files/usr/local/pkg/e2guardian.inc
Esse aquivo corrige problemas no upgrade/reinstall do pacote quando o gerenciador não atualiza os binários do e2guardian.
Depois de atualizar, não esqueça de salvar e aplicar as configurações em Services -> e2guardian
Novidades da 0.4.2.5
-
Redução da 'limpeza' dos arquivos na desinstalação para previnir erros na reinstalação ou upgrade
-
Melhoria do script de watchdog e da aba realtime.
-
-
Amigos, instalei o pacote tudo de acordo com o tutoral, e o serviço não estarta, alguma idéia??
Clico no Play e não funciona.
Aguardo e obrigado
-
Amigos, instalei o pacote tudo de acordo com o tutoral, e o serviço não estarta, alguma idéia??
Clico no Play e não funciona.
Aguardo e obrigado
Alguma coisa nos logs?
-
Olá, no log do squid parece que o trafego esta passando por ele, porem o e2guardian não starta, estou em um ambiente virtual, se alguem puder passar um tutorial mais especifico pois estou usando o que um usuario disponibilizou.
não entendo e não faço idéia do que pode estar acontecendo
-
Olhe os logs do sistema para ver porque o seu e2g não está subindo. Ou execute na console
/use/local/etc/rc.d/e2guardian.sh start
-
Marcelloc,
Conseguiu fazer o pop ? -
Jul 4 11:56:14 php-cgi rc.bootup: NTPD is starting up. Jul 4 11:56:14 kernel done. Jul 4 11:56:14 kernel done. Jul 4 11:56:14 check_reload_status Updating all dyndns Jul 4 11:56:14 php-cgi rc.bootup: [squid] Installed but not started. Not installing 'nat' rules. Jul 4 11:56:15 php-cgi rc.bootup: [squid] Installed but not started. Not installing 'pfearly' rules. Jul 4 11:56:15 kernel . Jul 4 11:56:15 php-cgi rc.bootup: [squid] Installed but not started. Not installing 'filter' rules. Jul 4 11:56:15 kernel .. Jul 4 11:56:16 kernel .done. Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/wan-traffic.rrd N:U:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/wan-traffic.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190649 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/wan-packets.rrd N:U:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/wan-packets.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190649 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/lan-traffic.rrd N:U:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/lan-traffic.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190649 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/lan-packets.rrd N:U:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/lan-packets.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190649 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/ipsec-traffic.rrd N:U:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/ipsec-traffic.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190649 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/ipsec-packets.rrd N:U:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/ipsec-packets.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190649 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/system-states.rrd N:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/system-states.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190649 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/system-processor.rrd N:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/system-processor.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190650 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/system-memory.rrd N:U:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/system-memory.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190650 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/system-mbuf.rrd N:U:U:U:U' returned exit code '1', the output was 'ERROR: /var/db/rrd/system-mbuf.rrd: illegal attempt to update using time 1499180180 when last update time is 1499190650 (minimum one second step)' Jul 4 11:56:20 php-cgi rc.bootup: Creating rrd update script Jul 4 11:56:20 kernel done. Jul 4 11:56:21 syslogd exiting on signal 15 Jul 4 11:56:21 syslogd kernel boot file is /boot/kernel/kernel Jul 4 11:56:21 kernel done. Jul 4 11:56:21 php-fpm 286 /rc.start_packages: Restarting/Starting all packages. Jul 4 11:56:21 php-fpm 286 /rc.start_packages: [squid] - squid_resync function call pr: bp: rpc:no Jul 4 11:56:24 php-fpm 286 /rc.start_packages: [squid] Adding cronjobs ... Jul 4 11:56:24 php-fpm 286 /rc.start_packages: Checked cron job for /usr/local/sbin/squid -k rotate -f /usr/local/etc/squid/squid.conf, no change needed Jul 4 11:56:24 php-fpm 286 /rc.start_packages: Checked cron job for /usr/local/pkg/swapstate_check.php, no change needed Jul 4 11:56:24 php-fpm 286 /rc.start_packages: [squid] Antivirus features disabled. Jul 4 11:56:24 php-fpm 286 /rc.start_packages: [squid] Removing freshclam cronjob. Jul 4 11:56:25 php-fpm 286 /rc.start_packages: [squid] Starting service... Jul 4 11:56:27 php-fpm 286 /rc.start_packages: [squid] Starting a proxy monitor script Jul 4 11:56:28 check_reload_status Reloading filter Jul 4 11:56:28 php-fpm 286 /rc.start_packages: [E2guardian] - Save settings package call pr: bp:1 rpc:no Jul 4 11:56:29 check_reload_status Syncing firewall Jul 4 11:56:29 check_reload_status Syncing firewall Jul 4 11:56:31 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 4 11:56:33 login login on ttyv0 as root Jul 4 11:56:33 sshlockout 92379 sshlockout/webConfigurator v3.0 starting up Jul 4 14:57:23 php-fpm 72745 /index.php: webConfigurator authentication error for 'admn' from 10.106.15.10 Jul 4 14:57:27 php-fpm 72745 /index.php: Successful login for user 'admin' from: 10.106.15.10 Jul 4 14:57:44 php-fpm 31864 /pkg_edit.php: Starting E2guardian Jul 4 14:57:44 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 4 14:57:44 php-fpm 31864 /pkg_edit.php: The command '/usr/local/etc/rc.d/e2guardian.sh start' returned exit code '1', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 20480 -> 20480 Starting e2guardian. Shared object "libssl.so.9" not found, required by "e2guardian" /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian' Jul 4 14:57:45 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 4 14:57:51 php-fpm 42404 /pkg_edit.php: Starting E2guardian Jul 4 14:57:51 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 4 14:57:51 php-fpm 42404 /pkg_edit.php: The command '/usr/local/etc/rc.d/e2guardian.sh start' returned exit code '1', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 20480 -> 20480 Starting e2guardian. Shared object "libssl.so.9" not found, required by "e2guardian" /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian'
SEGUE O LOG
-
Olhe os logs do sistema para ver porque o seu e2g não está subindo. Ou execute na console
/use/local/etc/rc d/e2guardian.sh start
A execução do comando retornou o seguinte:
/use/local/etc/rc: not fund
porem quando uso
/usr/local/etc/rc.d/e2guardian.sh start
então retorna
WARNING: failed to start e2guardian
-
faltou o . no que digitei.
tenta isso na console:
killall e2guardian; /usr/local/sbin/e2guardian -N
Esse comando vai rodar o e2guardian em foreground.
-
faltou o . no que digitei.
tenta isso na console:
killall e2guardian; /usr/local/sbin/e2guardian -N
Esse comando vai rodar o e2guardian em foreground.
coloquei o comando e retornou
Shared object "libssl.so.9" not found, required by "e2guardian"
-
Shared object "libssl.so.9" not found, required by "e2guardian"
Certo, está faltando a openssl. você pode instalar ela manualmente com o comando abaixo
pkg install openssl
ou desinstale o e2guardian e instale novamente. Ele é dependência do e2guardian e deveria ter sido instalado durante o processo via interface web.
-
olá tentei instalar o openssl e olha o que retornou
Updating Unofficial repository catalogue…
Fetching meta.txz: . done
Fetching packagesite.txz: . done
Processing entries: . done
Unofficial repository update completed. 9 packages processed.
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'openssl' have been found in the repositories
Tentei também reinstalar o pacote e2guardian, e mesmo assim fala que falta instalar o openssl
seria o caso se pegar o repositorio do mesmo? parece que ele não acha repositorio.
aguardo e obrigado pela ajuda
-
pkg: No packages available to install matching 'openssl' have been found in the repositories
Estava faltando o openssl para o pfSense 2.3.x 32 bits, já estou compilando e subindo para o repositório.
-
Deus do céu, vocês estão a todo vapor, parabéns Marcelloc !!! Colocarei em produção em alguns dias.
-
Eu estou doido para utilizar o pacote, porém eu queria algum pop ou tutorial ensinando como se faz bloqueio, liberação. Um passo a passo de como a ferramenta trabalha.
-
Eu estou doido para utilizar o pacote, porém eu queria algum pop ou tutorial ensinando como se faz bloqueio, liberação. Um passo a passo de como a ferramenta trabalha.
Somos dois então, ansioso! :D