Unofficial E2guardian package for pfSense
-
Change log folder permissions to fix 'Error opening/creating log '
chmod 755 /var/log/e2guardian
This is already fixed on the repository but I did not had time to build the package with the fix.
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/6d05335a361b0728c92d58f702c59942f929223a
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/87f7d85500cfc9fd727755caf0af0f048dc33c47
-
So I completely re-did everything from scratch without any restoration, and now E2Guardian installed and seems to be running as it is. It just goes to show that reinstallation wasn't properly cleaning out old files and whatnot.
I really hope this is the end of the problems, spent hours re-doing my entire home network, can you imagine if it was a business…Holy sh**.
-
Knew it was too good to be true…When enabling MITM E2Guardian crashes and I get this message...
Jul 17 18:07:29 e2guardian 37635 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/89/10/A3/ Jul 17 18:08:21 e2guardian 42062 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/ Jul 17 18:08:21 e2guardian 42062 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/E7/68/28/ Jul 17 18:08:43 e2guardian 38076 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/EE/A5/29/ Jul 17 18:08:50 e2guardian 44549 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/EE/A5/29/ Jul 17 18:09:04 e2guardian 50240 I seem to be running already! Jul 17 18:09:05 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 18:09:05 e2guardian 50373 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/EE/A5/29/ Jul 17 18:09:05 e2guardian 50373 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/EE/A5/29/ Jul 17 18:09:21 e2guardian 55323 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/EE/A5/29/ Jul 17 18:09:21 e2guardian 55323 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/EE/A5/29/ Jul 17 18:09:36 e2guardian 58136 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/EE/A5/29/ Jul 17 18:10:49 e2guardian 89063 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/34/C2/56/ Jul 17 18:10:58 e2guardian 59576 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/ Jul 17 18:11:08 e2guardian 41367 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/ Jul 17 18:11:21 e2guardian 44722 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/34/C2/56/ Jul 17 17:12:01 check_reload_status Syncing firewall
Changed permissions to 775, now working. This shouldn't be happening…It's been reported (and fixed?) I thought.
EDIT: Why do the unofficial packages keep disappearing off the "installed packages" widget? I noticed this mainly when I started using Multi-Wan, but strange because it doesn't seem to effect official packages, they show up just fine.
From now on I suggest you keep a old pfSense VM, which you don't wipe out everytime you test E2Guardian, instead one which you keep upgrading to the latest version. That's what most users will be doing, no one actually has the time to keep re-doing their entire network. It maybe quick on a VM, but in a production environment, it can take ages.
Static IP setup, WPAD setup, E2Guardian setup, any bandwidth limit setup, NATs, port forwards, rules….Etc, you get the idea, it becomes complicated and time consuming. -
Hey guys,
I am a newbie here and don't know much, but I noticed the error listings in those log files.
I had the same trouble. I figured out there is a problem with file and or directory permissions.
I figured out how to change permissions and things worked a lot better. And that is with MITM working. -
Awesome if you can properly add this. I can improve my block page further and push it out on Github.
Just added to my project on github
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/dbe1d3fcb865b58e08cd2ed0be1a349f6321a45d
-
Knew it was too good to be true…When enabling MITM E2Guardian crashes and I get this message...
Jul 17 18:07:29 e2guardian 37635 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/89/10/A3/
Changed permissions to 775, now working. This shouldn't be happening…It's been reported (and fixed?) I thought.
Fix file permissions on system instead of reinstalling it. I'll push a new version with permission fixes, categories on blacklist files and a warning when you have .Include lines on default e2guardian config files that are not present on filesystem.
EDIT: Why do the unofficial packages keep disappearing off the "installed packages" widget? I noticed this mainly when I started using Multi-Wan, but strange because it doesn't seem to effect official packages, they show up just fine.
I have no idea. The repo files are there. I never saw github offline.
From now on I suggest you keep a old pfSense VM, which you don't wipe out everytime you test E2Guardian, instead one which you keep upgrading to the latest version. That's what most users will be doing, no one actually has the time to keep re-doing their entire network. It maybe quick on a VM, but in a production environment, it can take ages.
Static IP setup, WPAD setup, E2Guardian setup, any bandwidth limit setup, NATs, port forwards, rules….Etc, you get the idea, it becomes complicated and time consuming.What I understood from other posts you did it to see if a clean install will not core dump you SO every 5 days. There is no need to clean and redo all configuration every time.
I'm improving the package and applying every binary fixes form e2guardian project to pfSense package. So, some times, while trying to improve or fix something may get a regression on other part. The 3.5.1 package version is the same for a long time as I understand it's in a stable state with as much as v3.5 can offer.According to e2guardian project, v5 will be there soon and since it gets available, I'll stop improving v4 package and start migrating gui and conf files to v5 and I hope the transparent ssl gets implemented as soon as v5 is released.
This project is really big and take me a lot of free time to maintain until it gets stable and complete enough for a pull request on official repo.
I'm also the maintainer of the e2guardian port on freebsd ports.
-
Pushed 0.4.2.6 to Unofficial repo.
This version includes:
-
Categories on blacklist files
-
Fix file permission regression
-
Check for missing include files selected from default sample e2guardian config files on acl save.
-
E2guardian binary version 4.1.2
If you have any issues updating, installing or reinstalling, check on console or system logs what errors you are receiving.
if its related to permissions, try
chmod 755 /usr/local/etc/e2guardian/ssl chmod 755 /var/log/e2guardian
if you get config dirs missing or openssl libs, try to force a binaries package reinstall from console with
pkg install -f e2guardian
Do not forget to apply the blacklist, check config on gui, save and apply.
-
-
Pushed 0.4.2.6 to Unofficial repo.
This version includes:
-
Categories on blacklist files
-
Fix file permission regression
-
Check for missing include files selected from default sample e2guardian config files on acl save.
-
E2guardian binary version 4.1.2
If you have any issues updating, installing or reinstalling, check on console or system logs what errors you are receiving.
if its related to permissions, try
chmod 755 /usr/local/etc/e2guardian/ssl chmod 755 /var/log/e2guardian
if you get config dirs missing or openssl libs, try to force a binaries package reinstall from console with
pkg install -f e2guardian
Do not forget to apply the blacklist, check config on gui, save and apply.
So I just upgraded to the latest 0.4.2.6, via the upgrade button on package manager. Immediately after the upgrade finished I downloaded the black list again, and re applied the configuration. Then I tried going to a blocked site to see it the black list categories showed… To my surprise nope. So I tried completely uninstalling and installing again, then checked the black listed sites again. Still no joy.
Reinstalled again, tried again, no categories shown on black list still... So then I decided to completely stop E2Guardian. So I unchecked the checkmark which says "Enable or disable E2Guardian service", and turned off the watch dog script. To my surprise, E2 Guardian was still running even after re-applying configuration.
This told me that the process wasn't being properly killed. I confirmed this by going to SSH and typing "top". And yep, E2 Guardian was still running when it shouldn't be, I killed it using the process ID.
Enabled E2Guardian from the GUI and enabled watch dog, went to a black listed sites and categories finally showed. However, very unclearly. It says said "porn" it should say Category: Porn clearly but that is a minor thing and can be fixed in the future.The problem I faced means a couple of things Marcello:
-
When upgrading old E2 Guardian isn't killed off before carrying out the update, which may lead to some files not correctly updating because they're in use or cause corruption. (Thought you addressed this before?)
-
Somehow you must make sure that old files are ALWAYS deleted off while retaining configs, by this I mean old binaries and left over junk (even phrase lists should always reinstall) in case of any updates.
-
Clean installing E2Guardian for the first time vs upgrading shouldn't cause problems. Because on my old install I upgraded from 3.5.1 and all test versions, many things may have become corrupted and I was getting core dumps. After a clean reinstall it seems better however I am worried I'll be in the same situation again. Therefore please make sure that you can do what you can go make sure files, update correctly and aren't getting corrupted. I will support you as much as I can but I need you to understand that by the word "Consistency" I mean old installs upgrading should work just as well as clean fresh installs on a pfsense box which never had E2Guardian before.
I hope I've been clear, and I'd like to clarify that I really want E2Guardian to work and be a real solution to filtering on pfSense, but I hope you also understand that we can't still have basic problems like permission issues. When something is reported and supposedly fixed, it should stay fixed. :p
Despite everything, you deserve thanks and appreciation for all your hard work. I know it's a big project, and I've even contributed some commits to help stop some overblocking yesterday.
I'm willing to help you as much as I can, however could you please try to make sure that consistency is maintained as much as possible. So that people upgrading from older versions of E2 Guardian get the same experience as people installing it fresh (without any problems or having to keep reinstalling). -
-
Just updated on one of the e2guardian installations I have and blacklist category was applied to files after clicking "Re-apply current blacklist" without any other hack or pkg changes.
tail -1 /usr/local/etc/e2guardian/lists/blacklists/*/domains
==> /usr/local/etc/e2guardian/lists/blacklists/adv/domains <== #listcategory: "adv" ==> /usr/local/etc/e2guardian/lists/blacklists/aggressive/domains <== #listcategory: "aggressive" ==> /usr/local/etc/e2guardian/lists/blacklists/alcohol/domains <== #listcategory: "alcohol" ==> /usr/local/etc/e2guardian/lists/blacklists/anonvpn/domains <== #listcategory: "anonvpn" ==> /usr/local/etc/e2guardian/lists/blacklists/chat/domains <== #listcategory: "chat" ==> /usr/local/etc/e2guardian/lists/blacklists/costtraps/domains <== #listcategory: "costtraps" ==> /usr/local/etc/e2guardian/lists/blacklists/dating/domains <== #listcategory: "dating" ==> /usr/local/etc/e2guardian/lists/blacklists/downloads/domains <== #listcategory: "downloads" ==> /usr/local/etc/e2guardian/lists/blacklists/drugs/domains <== #listcategory: "drugs" ==> /usr/local/etc/e2guardian/lists/blacklists/dynamic/domains <== #listcategory: "dynamic" ==> /usr/local/etc/e2guardian/lists/blacklists/fortunetelling/domains <== #listcategory: "fortunetelling" ==> /usr/local/etc/e2guardian/lists/blacklists/forum/domains <== #listcategory: "forum" ==> /usr/local/etc/e2guardian/lists/blacklists/gamble/domains <== #listcategory: "gamble" ==> /usr/local/etc/e2guardian/lists/blacklists/government/domains <== #listcategory: "government" ==> /usr/local/etc/e2guardian/lists/blacklists/hacking/domains <== #listcategory: "hacking" ==> /usr/local/etc/e2guardian/lists/blacklists/homestyle/domains <== #listcategory: "homestyle" ==> /usr/local/etc/e2guardian/lists/blacklists/hospitals/domains <== #listcategory: "hospitals" ==> /usr/local/etc/e2guardian/lists/blacklists/imagehosting/domains <== #listcategory: "imagehosting" ==> /usr/local/etc/e2guardian/lists/blacklists/isp/domains <== #listcategory: "isp" ==> /usr/local/etc/e2guardian/lists/blacklists/jobsearch/domains <== #listcategory: "jobsearch" ==> /usr/local/etc/e2guardian/lists/blacklists/library/domains <== #listcategory: "library" ==> /usr/local/etc/e2guardian/lists/blacklists/military/domains <== #listcategory: "military" ==> /usr/local/etc/e2guardian/lists/blacklists/models/domains <== #listcategory: "models" ==> /usr/local/etc/e2guardian/lists/blacklists/movies/domains <== #listcategory: "movies" ==> /usr/local/etc/e2guardian/lists/blacklists/music/domains <== #listcategory: "music" ==> /usr/local/etc/e2guardian/lists/blacklists/news/domains <== #listcategory: "news" ==> /usr/local/etc/e2guardian/lists/blacklists/podcasts/domains <== #listcategory: "podcasts" ==> /usr/local/etc/e2guardian/lists/blacklists/politics/domains <== #listcategory: "politics" ==> /usr/local/etc/e2guardian/lists/blacklists/porn/domains <== #listcategory: "porn" ==> /usr/local/etc/e2guardian/lists/blacklists/radiotv/domains <== #listcategory: "radiotv" ==> /usr/local/etc/e2guardian/lists/blacklists/redirector/domains <== #listcategory: "redirector" ==> /usr/local/etc/e2guardian/lists/blacklists/religion/domains <== #listcategory: "religion" ==> /usr/local/etc/e2guardian/lists/blacklists/remotecontrol/domains <== #listcategory: "remotecontrol" ==> /usr/local/etc/e2guardian/lists/blacklists/ringtones/domains <== #listcategory: "ringtones" ==> /usr/local/etc/e2guardian/lists/blacklists/searchengines/domains <== #listcategory: "searchengines" ==> /usr/local/etc/e2guardian/lists/blacklists/shopping/domains <== #listcategory: "shopping" ==> /usr/local/etc/e2guardian/lists/blacklists/socialnet/domains <== #listcategory: "socialnet" ==> /usr/local/etc/e2guardian/lists/blacklists/spyware/domains <== #listcategory: "spyware" ==> /usr/local/etc/e2guardian/lists/blacklists/tracker/domains <== #listcategory: "tracker" ==> /usr/local/etc/e2guardian/lists/blacklists/updatesites/domains <== #listcategory: "updatesites" ==> /usr/local/etc/e2guardian/lists/blacklists/urlshortener/domains <== #listcategory: "urlshortener" ==> /usr/local/etc/e2guardian/lists/blacklists/violence/domains <== #listcategory: "violence" ==> /usr/local/etc/e2guardian/lists/blacklists/warez/domains <== #listcategory: "warez" ==> /usr/local/etc/e2guardian/lists/blacklists/weapons/domains <== #listcategory: "weapons" ==> /usr/local/etc/e2guardian/lists/blacklists/webmail/domains <== #listcategory: "webmail" ==> /usr/local/etc/e2guardian/lists/blacklists/webphone/domains <== #listcategory: "webphone" ==> /usr/local/etc/e2guardian/lists/blacklists/webradio/domains <== #listcategory: "webradio" ==> /usr/local/etc/e2guardian/lists/blacklists/webtv/domains <== #listcategory: "webtv"
Enabled E2Guardian from the GUI and enabled watch dog, went to a black listed sites and categories finally showed. However, very unclearly. It says said "porn" it should say Category: Porn clearly but that is a minor thing and can be fixed in the future.
I guess it's better to include the 'Category:' on html template.
-
Just updated on one of the e2guardian installations I have and blacklist category was applied to files after clicking "Re-apply current blacklist" without any other hack or pkg changes.
Being applied is one thing, and it actually taking effect when you go to a blacklisted website is another. In my case it seemed like the categories were in fact applied, however, since the E2Guardian daemon wasn't killed and the old daemon was running from memory. I could still visit black listed domains and not get the categories to show.
Therefore, what I am trying to say is, why did I have to manually actually kill E2Guardian via SSH to make it show the categories? Why wasn't unticking the "Enable E2Guardian" check-mark or any of the GUI stuff enough to make E2Guardian process stop? Even reinstallation, and uninstallation of E2Guardian didn't stop it.
Enabled E2Guardian from the GUI and enabled watch dog, went to a black listed sites and categories finally showed. However, very unclearly. It says said "porn" it should say Category: Porn clearly but that is a minor thing and can be fixed in the future.
I guess it's better to include the 'Category:' on html template.
Oops my bad, I will do that. However, I will push out some commits to your repo to make things a little more professional. :)
By the way, so far everything has been far more stable. I've pushed over 120GB through the proxy without issues so far, hope everything lasts. Even after I upgrade E2Guardian.If this works well, I will definitely start deploying it out. The only problems I see with E2Guardian now is those small errors with permissions and whatnot, which you say are now fixed.
And the other problem I see is that the phraselists are pretty old, and haven't been updated since years… Maybe those need a little checking up on by E2Guardian devs. I will try bring this to their attention. It works well still, however in some small cases it can overblock, but I've pushed a commit out to official repo which should help resolve those issues with problematic phraselists.I have two questions for you Marcello:
So as you know, I've fully clean installed my pfSense production box. And upgraded E2Guardian from 12 to 13. If I keep upgrading, do you think you've got things to a state where I won't have random corruption issues? Also the fact that E2Guardian after my upgrade was running, is some cause for concern which shouldn't be dismissed. If E2Guardian is updating, all instances of the old process should be killed, then the upgrade should take place.
The second question I have is:
Could you explain what each sections mean in the E2Guardian widget? And how many HTTP workers is 'enough' and how can I actually tell. Because the requests column sometimes shows over 1k. I don't know if that means all the workers are busy or not. I know there's a 'busy' column but it's a bit daunting and confusing just to look at and understand.
-
Being applied is one thing, and it actually taking effect when you go to a blacklisted website is another. In my case it seemed like the categories were in fact applied, however, since the E2Guardian daemon wasn't killed and the old daemon was running from memory. I could still visit black listed domains and not get the categories to show.
I did not had to kill or restart, just apply config as binaries was already ok to show categories. The missing part was to adapt shallist to have the category line inside it. The documentation says that -Q arg will kill(not kill -9) all current instances and start new one. This is the default options and I'm using it in 4 different networks without strange behaviors.
-
Being applied is one thing, and it actually taking effect when you go to a blacklisted website is another. In my case it seemed like the categories were in fact applied, however, since the E2Guardian daemon wasn't killed and the old daemon was running from memory. I could still visit black listed domains and not get the categories to show.
I did not had to kill or restart, just apply config as binaries was already ok to show categories. The missing part was to adapt shallist to have the category line inside it. The documentation says that -Q arg will kill(not kill -9) all current instances and start new one. This is the default options and I'm using it in 4 different networks without strange behaviors.
I think it is safe to say that if people uninstall E2Guardian, they actually want it to stop running. So in that case why did the daemon stay running? -Q didn't seem to be enough to actually apply changes to the blacklist. Which is weird, I had to forcefully kill the client.
Anyhow, everything seems fine for me now. However, I am only bringing it up to stop newer people installing E2Guardian running into these same issues, and to avoid problems when upgrading.
EDIT: It's really amazing to see the categories finally working. However they need a few changes, such as capital letters. Below it should say "Gambling" not "gamble".
PS: Ignore the IP being shown twice. After device it is meant to show hostname, it doesn't seem to work with my PC, but works well with IOS devices for example. -
Marcelloc
Maybe your hardware is faster than the one of pfsensation making the kill fast enough to finish on time before the file replacements. Pfsensation maybe is getting a race condition in his harware and the kill is to slow overlaping some instances with the file replacement.
Can you add a step in rhe update script to make sure all instances were killed or aborted before doing the file replacement? Thus avoiding any race condition no matter the hardware.
-
Marcelloc
Maybe your hardware is faster than the one of pfsensation making the kill fast enough to finish on time before the file replacements. Pfsensation maybe is getting a race condition in his harware and the kill is to slow overlaping some instances with the file replacement.
Can you add a step in rhe update script to make sure all instances were killed or aborted before doing the file replacement? Thus avoiding any race condition no matter the hardware.
I am suggesting exactly that! For a command when upgrading or uninstalling to actually kill the client and to have it force restarted. As regards to hardware… I am rocking a Dual Core at 3.1GHz, since I am using this at home for a handful of devices. It seems to handle everything just fine, and usage usually stays quite low. Load averages are usually around 0.20 max, unless downloading and caching massive content with Squid caching in realtime which it can go up slightly. I don't exactly know what it is, but I know for sure, E2Guardian must be gone when uninstalled.
-
I got a report from e2guardian on freebsd11 ( not pfSense) of some zumbie process that keeps running after the stop call.
This is something that will be really hard to identify as e2guardian developers do it on Linux.
I'm started studying c++ but will take a lot of time to ve good enough to debug threads.
Try changing the apply action on daemon tab to use stop and start instead o -G call.
-
I got a report from e2guardian on freebsd11 ( not pfSense) of some zumbie process that keeps running after the stop call.
This is something that will be really hard to identify as e2guardian developers do it on Linux.
I'm started studying c++ but will take a lot of time to ve good enough to debug threads.
Try changing the apply action on daemon tab to use stop and start instead o -G call.
It's already on stop and start by default. However I don't think that's working. For now I think one workaround you could add is a script to run and kill off all E2Guardian processes when "enabled E2Guardian" is unchecked. And also to kill all processes before upgrades. But yeah processing not being killed causes some issues, sometimes configuration updates are not taking effect, despite the stop and start option being selected on apply.
-
It's already on stop and start by default. However I don't think that's working.
How many time did you used the -Q option? This is the option I'm using since this field was added to gui.
It's a demon option to kill all running instances and start new ones.
Try it on console and see what it returns to you.
/usr/local/sbin/e2guardian -Q
-
if i may say, this package is not much really that helpful without its installation and setup guide.
-
if i may say, this package is not much really that helpful without its installation and setup guide.
This is a tutorial in Portuguese with basic setup instructions and some screenshots
https://eliasmoraispereira.wordpress.com/2017/06/21/pfsense-proxy-transparente-mitm-no-modo-splice-all-com-squid-e2guardian/
https://github.com/e2guardian/e2guardian/wiki
As almost all pfSense packages, configure it checking tabs and options from left to right.
The package installs a blacklist to make things easier, all you have to do is understand what a content filter do and follow the tabs.
suggestion: start with ip based authentication.
-
It's already on stop and start by default. However I don't think that's working.
How many time did you used the -Q option? This is the option I'm using since this field was added to gui.
It's a demon option to kill all running instances and start new ones.
Try it on console and see what it returns to you.
/usr/local/sbin/e2guardian -Q
I'm confused. My apply action is set up "Kill all running copies and start a new one". Isn't this what you're referring to? There's no -Q option in the GUI.
Edit: will e2 guardian work fine on the new pfsense 2.3.1_1? Everything has been stable since I've reinstalled. Don't want to screw it up again without knowing for sure any problems that arise are dealt with before hand.