Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unofficial E2guardian package for pfSense

    Scheduled Pinned Locked Moved Cache/Proxy
    1.2k Posts 70 Posters 1.4m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      ravegen
      last edited by

      Marcelloc, what auth plugins ip address ?

      Why are some options have (on) and some are (off) ? 
      What does on and off means there ?

      Also I checked on console e2guardian -version,  it only show '–enable-sslmitm' and not '--enable-sslmitm=yes', does that mean e2guardian installation does not support SSL traffic interception ?

      Running in debug mode…
      e2guardian 5.1.0

      Built with:  '--localstatedir=/var' '--with-logdir=/var/log' '--with-piddir=/var/run' '--with-zlib=/usr' '--enable-fancydm' '--disable-clamd' '--disable-commandline' '--with-dgdebug=on' '--enable-dnsauth' '--disable-email' '--enable-icap' '--disable-kavd' '--enable-ntlm' '--enable-sslmitm' '--enable-trickledm' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CXX=c++' 'CXXFLAGS=-pipe  -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -g -fstack-protector -fno-strict-aliasing  -DLIBICONV_PLUG -std=c++11' 'LDFLAGS= -lssl -lcrypto -fstack-protector' 'LIBS=' 'CPPFLAGS=-I/usr/local/include -DLIBICONV_PLUG' 'CC=cc' 'CFLAGS=-pipe  -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -g -fstack-protector -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf'

      1 Reply Last reply Reply Quote 0
      • marcellocM
        marcelloc
        last edited by

        @ravegen:

        Marcelloc, what auth plugins ip address ?

        Check groups based on clients IP address.

        @ravegen:

        Why are some options have (on) and some are (off) ? 
        What does on and off means there ?

        on and off are the default config options. Check all (on) options to use setup defaults. Most are selected automatically on package install. Any option you select, will be enabled on config files.

        @ravegen:

        Also I checked on console e2guardian -version,  it only show '–enable-sslmitm' and not '--enable-sslmitm=yes', does that mean e2guardian installation does not support SSL traffic interception ?

        It has traffic interception compiled. Select the CA under daemon tab to enable check certificate sites (splice all feature on squid) and Filter SSL under group options to intercept the connection with MTIM(requires the CA installed on clients browser to work correctly)

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        1 Reply Last reply Reply Quote 0
        • R
          ravegen
          last edited by

          Marcelloc, is it fine to create the INTERNAL CA using pfsense system/certificate manager/CAs    OR  should it be done thru console as you have said here https://github.com/e2guardian/e2guardian/wiki/MITM–-Filtering-HTTPS, Generating the necessary SSL certs.

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            Create from GUI (system/certificate manager/CAs). On pfSense, there is no need to create certificates under console.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • R
              ravegen
              last edited by

              Thanks for confirming.

              Another thing is:

              1.  If I download the shallalist, how will I know that it is done downloaded aside from the message prompt ?

              2.  In the Group Menu, the is this Pics (option) under Access List ,  where is that Pics in the ACL ?

              PS:  Even if I uncheck / disable the E2Guardian in the daemon page, it still shows STARTED / RUNNING on the status/services.

              1 Reply Last reply Reply Quote 0
              • R
                ravegen
                last edited by

                Marcelloc,

                I have followed your youtube example, I create the CA on pfsense gui, I selected filter ssl sites forging ssl certificate, save, and applied,
                but when I visit https sites, I get the following error on my chrome browser.  I am using 2.4.3 pfsense version.

                I even tried install the CA cert on my browser but still the same error.

                Your connection is not private
                Attackers might be trying to steal your information from forum.pfsense.org (for example, passwords, messages, or credit cards). Learn more
                NET::ERR_CERT_AUTHORITY_INVALID

                Automatically send some system information and page content to Google to help detect dangerous apps and sites.

                UPDATE 5.14.2018 3:45pm :

                Since I am getting this error above, I tried to shutdown my chrome browser.  And I tried again surfing https sites, and it is ok now.
                So Marcelloc,  does this mean, I need to install the CA certificate on client browsers ?

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  Option 1 Select the CA under daemon tab to enable check certificate sites (splice all feature on squid). No certificate is required on client.

                  Option 2 select option1 and Filter SSL under group options to intercept the connection with MTIM(requires the CA installed on clients browser to work correctly)

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • R
                    ravegen
                    last edited by

                    @marcelloc:

                    Option 1 Select the CA under daemon tab to enable check certificate sites (splice all feature on squid). No certificate is required on client.

                    Option 2 select option1 and Filter SSL under group options to intercept the connection with MTIM(requires the CA installed on clients browser to work correctly)

                    Yes I have selected the CA under daemon tab.  What is option1?  I have also selected Filter SSL under group options.  I have followed all in your youtube video sample.

                    However, I have resolved it by installing the CA certificate on client browsers.  But I need it to be that I don't need to install the CA cert on the client browsers.

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      You can configure ssl with or without interception. Follow option 1 to only check certificate but do not intercept
                      Follow option 2 to check certificate and intercept connection.

                      If you do not want to install certificate on client, do not enalbe filter ssl on group options.

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • R
                        ravegen
                        last edited by

                        @marcelloc:

                        You can configure ssl with or without interception. Follow option 1 to only check certificate but do not intercept
                        Follow option 2 to check certificate and intercept connection.

                        If you do not want to install certificate on client, do not enalbe filter ssl on group options.

                        Like I said, I have done option 2, which is selecting the filter SSL in group options.  That is why I wonder what is lacking in what I have followed.  I have checked the configurations more than 10 times already.

                        1 Reply Last reply Reply Quote 0
                        • R
                          ravegen
                          last edited by

                          marcelloc, is there a possibility that on your youtube, you have installed CA in your browser?

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            Sarg package is alive again on unofficial repo to create e2guardian reports.

                            As I updated repository structure recently, update the repository file before package installation.

                            fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.conf
                            

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • R
                              ravegen
                              last edited by

                              Marcelloc,

                              I have reinstall pfsense again awhile ago and followed your youtube again up to the point where you deselected Filter SSL in group options.  In your example, when you browsed facebook, it should err_ssl_protocol_error  but on my case, it still opened facebook site even I restart my Chrome browser.

                              UPDATE1:  I have fixed this err_ssl_protocol_error by setting my ip address configuration of my computer to automatic.  However, my new problem is back to

                              Your connection is not private
                              Attackers might be trying to steal your information from forum.pfsense.org (for example, passwords, messages, or credit cards). Learn more
                              NET::ERR_CERT_AUTHORITY_INVALID

                              Automatically send some system information and page content to Google to help detect dangerous apps and sites.

                              Please advice Marcelloc.

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                @ravegen:

                                NET::ERR_CERT_AUTHORITY_INVALID

                                This means you are on the same point as 3 posts before.

                                Do not select Filter ssl sites forging SSL certificates if you do not have firewall CA installed on your client's browser.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                Y 1 Reply Last reply Reply Quote 0
                                • R
                                  ravegen
                                  last edited by

                                  @marcelloc:

                                  @ravegen:

                                  NET::ERR_CERT_AUTHORITY_INVALID

                                  This means you are on the same point as 3 posts before.

                                  Do not select Filter ssl sites forging SSL certificates if you do not have firewall CA installed on your client's browser.

                                  Sure I can deselect Filter SSL Sites forging SSL Certificates but doing so will get me err_ssl_protocol_error.

                                  This site can’t provide a secure connection
                                  www.facebook.com sent an invalid response.
                                  Try running Windows Network Diagnostics.
                                  ERR_SSL_PROTOCOL_ERROR

                                  UPDATE 1:

                                  So I read that Splice All:
                                  This configuration is suitable if you want to use the SquidGuard package for web filtering.
                                  All destinations will be spliced. SquidGuard can do its job of denying or allowing destinations according its rules, as it does with HTTP.
                                  You do not need to install the CA certificate configured below on clients.

                                  And it is mentioned that E2Guardian SSL interception is "Option 1 Select the CA under daemon tab to enable check certificate sites (splice all feature on squid). No certificate is required on client."

                                  And also in the youtube video, before you selected the Filter SSL Sites forging SSL Certificates, you also got err_ssl_protocol_error while surfing to facebook and youtube.com

                                  I can only think of two things:
                                  1.  You need to install the CA on client browser and select Filter SSL Sites forging SSL Certificates OR
                                  2.  There is something broken with E2Guardian as it does not do MITM (SSL Interception)

                                  My goal here is to do http and https mitm ssl interception without having to install CA on client browsers.

                                  1 Reply Last reply Reply Quote 0
                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    @ravegen:

                                    I can only think of two things:
                                    1.  You need to install the CA on client browser and select Filter SSL Sites forging SSL Certificates OR
                                    2.  There is something broken with E2Guardian as it does not do MITM (SSL Interception)

                                    Nothing is broken on e2guardian. All you need is to understand how ssl proxy/filtering/secure connections works just like e2guardian team answered you on github.

                                    If you do not intercept with MITM, there is no way to show a denied error on ssl conections. All any proxy/firewall can do is reject a ssl connection when the site certificate has an fqdn that is denied on your acls. When it happens all the browser can tell you is show you the protocol error message.

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    1 Reply Last reply Reply Quote 0
                                    • R
                                      ravegen
                                      last edited by

                                      so to conclude, we really need to install CA cert on client browser for MITM to work and no other way.

                                      1 Reply Last reply Reply Quote 0
                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        @ravegen:

                                        so to conclude, we really need to install CA cert on client browser for MITM to work and no other way.

                                        NO!!!!!!

                                        There is a really BIG difference between INVALID CERTIFICATE and CONNECTION REFUSED/FAILED.

                                        Please, read the documentation e2guardian team sent to you, seriously .

                                        https://openschoolsolutions.org/pfsense-web-filter-filter-https-squidguard/

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        1 Reply Last reply Reply Quote 0
                                        • R
                                          ravegen
                                          last edited by

                                          like I said, i followed your youtube video but in the end, i got error, that is why i asked you if you have preinstalled CA in your browser.

                                          1 Reply Last reply Reply Quote 0
                                          • U
                                            ucribrahim
                                            last edited by

                                            Hi marcello,

                                            I need help so much or advice. I want to use different blacklist not shallalist. So the blacklist that I use, it has same structure as shallalist. I try to download the blacklist but I get this error " E2guardian - Could not determine Blacklist extract dir. Categories not updated ". I searched so many times and tried so many ways to get it work. But I couldn't make the my blacklist work.

                                            Shallalist working well, but I need use different blacklist as I said above. I put the blacklist categories into the /usr/local/etc/e2guardian/lists/blacklists or BL directory. But when I go to E2guardian > Site Lists > create a new one and I still see the old shallalist categories. I can't see new categories.

                                            The problem is seeing old shallalist categories.

                                            Please I need some advice. Thanks.

                                            ” Online pfSense Firewall & Router Eğitimi | www.udemy.com/pfsense-training “

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.