Unofficial E2guardian package for pfSense
-
You can configure ssl with or without interception. Follow option 1 to only check certificate but do not intercept
Follow option 2 to check certificate and intercept connection.If you do not want to install certificate on client, do not enalbe filter ssl on group options.
Like I said, I have done option 2, which is selecting the filter SSL in group options. That is why I wonder what is lacking in what I have followed. I have checked the configurations more than 10 times already.
-
marcelloc, is there a possibility that on your youtube, you have installed CA in your browser?
-
Sarg package is alive again on unofficial repo to create e2guardian reports.
As I updated repository structure recently, update the repository file before package installation.
fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.conf
-
Marcelloc,
I have reinstall pfsense again awhile ago and followed your youtube again up to the point where you deselected Filter SSL in group options. In your example, when you browsed facebook, it should err_ssl_protocol_error but on my case, it still opened facebook site even I restart my Chrome browser.
UPDATE1: I have fixed this err_ssl_protocol_error by setting my ip address configuration of my computer to automatic. However, my new problem is back to
Your connection is not private
Attackers might be trying to steal your information from forum.pfsense.org (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALIDAutomatically send some system information and page content to Google to help detect dangerous apps and sites.
Please advice Marcelloc.
-
NET::ERR_CERT_AUTHORITY_INVALID
This means you are on the same point as 3 posts before.
Do not select Filter ssl sites forging SSL certificates if you do not have firewall CA installed on your client's browser.
-
NET::ERR_CERT_AUTHORITY_INVALID
This means you are on the same point as 3 posts before.
Do not select Filter ssl sites forging SSL certificates if you do not have firewall CA installed on your client's browser.
Sure I can deselect Filter SSL Sites forging SSL Certificates but doing so will get me err_ssl_protocol_error.
This site can’t provide a secure connection
www.facebook.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERRORUPDATE 1:
So I read that Splice All:
This configuration is suitable if you want to use the SquidGuard package for web filtering.
All destinations will be spliced. SquidGuard can do its job of denying or allowing destinations according its rules, as it does with HTTP.
You do not need to install the CA certificate configured below on clients.And it is mentioned that E2Guardian SSL interception is "Option 1 Select the CA under daemon tab to enable check certificate sites (splice all feature on squid). No certificate is required on client."
And also in the youtube video, before you selected the Filter SSL Sites forging SSL Certificates, you also got err_ssl_protocol_error while surfing to facebook and youtube.com
I can only think of two things:
1. You need to install the CA on client browser and select Filter SSL Sites forging SSL Certificates OR
2. There is something broken with E2Guardian as it does not do MITM (SSL Interception)My goal here is to do http and https mitm ssl interception without having to install CA on client browsers.
-
I can only think of two things:
1. You need to install the CA on client browser and select Filter SSL Sites forging SSL Certificates OR
2. There is something broken with E2Guardian as it does not do MITM (SSL Interception)Nothing is broken on e2guardian. All you need is to understand how ssl proxy/filtering/secure connections works just like e2guardian team answered you on github.
If you do not intercept with MITM, there is no way to show a denied error on ssl conections. All any proxy/firewall can do is reject a ssl connection when the site certificate has an fqdn that is denied on your acls. When it happens all the browser can tell you is show you the protocol error message.
-
so to conclude, we really need to install CA cert on client browser for MITM to work and no other way.
-
so to conclude, we really need to install CA cert on client browser for MITM to work and no other way.
NO!!!!!!
There is a really BIG difference between INVALID CERTIFICATE and CONNECTION REFUSED/FAILED.
Please, read the documentation e2guardian team sent to you, seriously .
https://openschoolsolutions.org/pfsense-web-filter-filter-https-squidguard/
-
like I said, i followed your youtube video but in the end, i got error, that is why i asked you if you have preinstalled CA in your browser.
-
Hi marcello,
I need help so much or advice. I want to use different blacklist not shallalist. So the blacklist that I use, it has same structure as shallalist. I try to download the blacklist but I get this error " E2guardian - Could not determine Blacklist extract dir. Categories not updated ". I searched so many times and tried so many ways to get it work. But I couldn't make the my blacklist work.
Shallalist working well, but I need use different blacklist as I said above. I put the blacklist categories into the /usr/local/etc/e2guardian/lists/blacklists or BL directory. But when I go to E2guardian > Site Lists > create a new one and I still see the old shallalist categories. I can't see new categories.
The problem is seeing old shallalist categories.
Please I need some advice. Thanks.
-
Can you check the directory structure of both lists extracting the compressed list file?
-
Marcello
Sometimes we are having problems with uninstall / reinstall
the way to completely delete old configuration settings
How to clean install e2Guardian lines in config.xml?is there progress in blocking file extension
file extension blocking is not working.And do you test the multiwan?
I tried it but it does not work
It would be nice if we could perceive the lan rulesit only detects bypass and works
-
E2guardian does not implement multiwan yet.
And as it is a local daemon, it does not match any lan rule.I'll test file extension and mime types filtering to see what is going on.
-
Marcello,
I will add the photos that I took picture of two blacklist directory and inside of their files..
Thanks again.
-
is there progress in blocking file extension
file extension blocking is not working.I've pushed a fix to file extension. They should work after updating the package.
Mime types I've opened an issue on e2guardian project.https://github.com/e2guardian/e2guardian/issues/380
-
I will add the photos that I took picture of two blacklist directory and inside of their files..
It's difficult to see the difference on pictures, try to send me the blacklist. I can check the difference and tell you if it's easy or a big job.
-
Marcelloc,
Can I make a BlockList Site ACL and ExemptedList Site ACL and then apply both ACL to a group.
I am doing this because ExemptedList might apply to multiple group and BlockList might also apply to multiple group. In this matter, I do need to copy paste the same sites or Banned Config and Exempted Config.
I am confused if it is really necessary if a certain ACL should contain Banned and related Grey and Exemption List.
Is that possible ?
-
Marcello,
Sir, I will work on this thing a little bit more. I found something that it can he helpful for me to solve this problem. Also I will ask a friend who is a developer. Thank you so much for your help. I'll write you from the forum as soon as possible.
-
Marcelloc,
Can I make a BlockList Site ACL and ExemptedList Site ACL and then apply both ACL to a group.
I am doing this because ExemptedList might apply to multiple group and BlockList might also apply to multiple group. In this matter, I do need to copy paste the same sites or Banned Config and Exempted Config.
I am confused if it is really necessary if a certain ACL should contain Banned and related Grey and Exemption List.
Is that possible ?
Just make two ACL's one to be used as default. And one to be used by your specific groups. Personally I have a few, I've kept default to apply ACL to clients outside any groups I've setup, then I've got a kids group with a lot of blocking, then an adult group with more relaxed blocking. All groups need to be assigned to at least one ACL.