Unofficial E2guardian package for pfSense
-
Hi Marcello,
I ran the system and now I'm doing some tests. When I close the machine and open it, I get this error. services are all started
2. Responsibility is how to redirect https: sites to the block page.Mar 31 10:05:24 php-cgi rc.bootup: [E2guardian] Installed but not started. Not installing 'nat' rules.
Mar 31 10:05:24 kernel pflog0: promiscuous mode enabled
-
I have this screencast cast showing e2guardian options. It's in Portuguese but I think it will help you.
http://sys-squad.com/licao/259
It returns to http://sys-squad.com/login refardless of my understanding portuguese or not ;)
Not that i am not new/familar with e2guardian and dansguardian, but have used it on another firewall solution.
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
-
Awesome, let me know how it goes.
It's working at home too. I have IP authentication enabled, site SSL REGEX and URL MODIFY for all search engines enabled.
Tested with ssl filter and with interception only.
Hmm… Interesting. I have tried with the exact same settings but have been unable to get it working. However, keep in mind that I am using Squid as a upstream proxy. In 4.x I was able to just use SSL Regex and force a group of users onto Youtube Restricted mode. Do you have any idea what it could be? It seems weird. When I try from a mobile and go to m.youtube.com it works after sometime, however it can be bypassed by going incognito. There must be something that broke after the update, it's just not working as well as it used to.
Do you have any suggestions? @Marcelloc
-
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.
-
must be something that broke after the update, it's just not working as well as it used to.
Do you have any suggestions? @Marcelloc
Something that I see that changes test results are browsers cache. I guess you can reopen the ticket on e2guardian project to see what developers suggest.
-
http://sys-squad.com/licao/259
It returns to http://sys-squad.com/login refardless of my understanding portuguese or not ;)
The site asks for a register even for free screencasts. It could be translated by the browser or use Facebook or Goole authentication.
-
must be something that broke after the update, it's just not working as well as it used to.
Do you have any suggestions? @Marcelloc
Something that I see that changes test results are browsers cache. I guess you can reopen the ticket on e2guardian project to see what developers suggest.
Re-opened, let's see what they say. It's strange though, you managed to get it working. But I tried with both Chrome and IE, no joy. I even tried messing with setting up the proxy explicitly but it still doesn't work. Even though the client is getting the fake cert.
-
Try with clients on a specific group and on default group.
I'm seeing that some config works better out of default group.If you can, test unrestricted an deny all group mode to see if it's working fine.
-
Try with clients on a specific group and on default group.
I'm seeing that some config works better out of default group.If you can, test unrestricted an deny all group mode to see if it's working fine.
I'm testing Youtube restricted with a specific group, I can't enable the restricted mode on the default group as that would drive all the adults crazy. Anything other than cartoons, or kiddy videos will be blocked on Youtube xD
If it is working for you on the default group. It maybe a problem with the pfSense package and the v5 configuration updates. I have re-opened the issue on Github on the official repo. Let's see what Philip/Frederic come up with.
Thanks for all your hard work Marcello!
-
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.
When i come home tomorrow i will enable e2guardian and see and upgrade pfsense too.
-
I'm testing Youtube restricted with a specific group, I can't enable the restricted mode on the default group as that would drive all the adults crazy. Anything other than cartoons, or kiddy videos will be blocked on Youtube xD
Try adding all your network cidr on a group different from default. IIRC, this was one of the tests I did.
-
I'm testing Youtube restricted with a specific group, I can't enable the restricted mode on the default group as that would drive all the adults crazy. Anything other than cartoons, or kiddy videos will be blocked on Youtube xD
Try adding all your network cidr on a group different from default. IIRC, this was one of the tests I did.
Just tried this, unfortunately still no joy on the Desktop. Weird… I have tried multiple machines / VM's, none of them went to restricted mode. I don't know what would be the best way to log if the cname rewriting is working, I guess that would help.
-
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.
When i come home tomorrow i will enable e2guardian and see and upgrade pfsense too.
Go for it, I upgraded today to 2.4.3, had to re-install E2 Guardian after the update, but since then it's been running without any major hiccups.
-
I am glad the maintainer of this modification and you are so active and actually use it too ;)
-
I wonder also if this e2guardian upgrades to the latest 5.0 beta ?
This upstream proxy in beta 5.0 will be useful for me because of HTTPSproxy and privoxy.
If you do not download the certificate it do not matter you can still browse internet but not be able to filter https but it filter ads on http. -
I wonder also if this e2guardian upgrades to the latest 5.0 beta ?
This upstream proxy in beta 5.0 will be useful for me because of HTTPSproxy and privoxy.
If you do not download the certificate it do not matter you can still browse internet but not be able to filter https but it filter ads on http.Yes, they are from the latest 5.0 version. Beta but much more stable then 4.1
-
Can you check out if this is real or fake squidblacklist
-
Can you check out if this is real or fake squidblacklist
Looks interesting, currently by default we're using ShallaList. If this one is better, it may be worth thinking about switching. Even though E2 Guardian does content scanning, having a good black list means it can save resources. If there are any blacklisted sites, it will block it immediately without spending precious CPU resources scanning the contents of the page.
@Marcelloc, what do you think? I know you've got a little VM environment setup for testing, would this work without causing any major issues? I'd try it myself, but I am out today, and have work tomorrow as the holidays are over.
-
E2guardian list is returning a 404 but the squid link ok.
https://www.squidblacklist.org/downloads/squid-malicious.acl
to use on e2guardian, just remove the fist . of each line.
this script will fetch the file and remove the .
#!/bin/sh list=/usr/local/etc/e2guardian/lists/squidblacklist.list /usr/bin/fetch -o $list https://www.squidblacklist.org/downloads/dg-malicious.acl /usr/local/sbin/e2guardian -QYou can save this script on your pfsense and update it every day for example.
On e2guardian config, include it on your acl with this line
.Include
-
E2guardian list is returning a 404 but the squid link ok.
https://www.squidblacklist.org/downloads/squid-malicious.acl
to use on e2guardian, just remove the fist . of each line.
this script will fetch the file and remove the .
#!/bin/sh list=/usr/local/etc/e2guardian/lists/squidblacklist.list /usr/bin/fetch -o $list https://www.squidblacklist.org/downloads/dg-malicious.acl /usr/local/sbin/e2guardian -QYou can save this script on your pfsense and update it every day for example.
On e2guardian config, include it on your acl with this line
.Include
I think it maybe best to wait for them to fix the issue before diving in. On first glance, how does it compare to ShallaList? Better?
