Unofficial E2guardian package for pfSense



  • Here are install instructions for UNOFFICIAL e2guardian package for pfSense(R) software 2.3+

    Install
    You can enable Unoffical repo creating or downloading the file below using diagnostics -> command  prompt -> Execute Shell Command prompt menu:

    2.3 or higher

    
    fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.conf
    

    After fetching the repo file, you can see these packages under System -> Package Manager

    http://www.shallalist.de/Downloads/shallalist.tar.gz is one of compatible blacklists for e2guardian and it's configured by default on the package.

    Once it finishes, all must be in place. If you do not see the menu after it finishes, try to install any pfSense package from GUI, like cron for example.

    WARNING

    Use it at your own risk.

    This script install packages from freebsd and change your config file.





  • I've updated the install code to use version 3.5.1 and ssl interception.



  • Hola Marcelloc!

    Will this package's configuration be kept in the system config.conf file? So if I restore that file, my E2Guardian config will be restored as well?



  • @Pistolero:

    Hola Marcelloc!

    Will this package's configuration be kept in the system config.conf file? So if I restore that file, my E2Guardian config will be restored as well?

    Yes it will !  :)



  • Thank you, sir. Could I make a humble suggestion? Is there a way to implement a config backup/restore/reset function in the package itself? This would be more efficient to restore a config than restoring the system conf file. Also, could be used to replicate the configuration of just this package to other firewalls.

    Also, a question… will the package automatically find Squid and configure its integration? Or is that a manual process?

    Thanks!



  • The sync config between boxes is already there. The squid integration is a manual process.

    The restore function I'll think about later.



  • Thank you, sir. Could you please post instructions on how to integrate E2 with Squid?

    Thanks a bunch, muito obrigado!



  • Basically, define the ip and squid port on squid config on first tab. The second tab shows the authentication e2guardian support to pass through squid.

    All other tabs flow the configure from left-to-right, viewing each tab and saving config.



  • Looks nice.  I'll have to give it a try.  A couple of questions:

    1.  Why a custom script and not get it officially into the Package Manager?
    2.  Is there documentation to get up and running?  It looks like you create separate entries under the various ACLs and then create a Group and assign the ACLs to it.  There's a lot of options on a lot of screens and they aren't all clear to me.
    3.  Aside from AD, how do we assign users to different groups?  With squidGuard I needed to use the persons MAC to assign an IP through DHCP and then I could use that IP under a different ACL.  I don't see a way to tie an IP or MAC into a group in here.

    Thanks for the work.  This would be a big improvement over squidGuard if I can figure it out.



  • @Stewart:

    Looks nice.  I'll have to give it a try.  A couple of questions:

    2.  Is there documentation to get up and running?  It looks like you create separate entries under the various ACLs and then create a Group and assign the ACLs to it.  There's a lot of options on a lot of screens and they aren't all clear to me.

    The e2guardian configuration is really complex but extremely powerfull. Some options you get on general configuration but most is applied per group.

    A basic setup:

    • Apply the shalist under blacklist tab

    • Configure the default group under acl

    • save config

    At this point, E2guardian users are required only when you have more then one group. All unauthenticated users or unlisted users will match first filter group.

    So if you want to test a user based configuration, create a second group

    • Configure squid as your parent proxy under daemon tab

    • Select the Auth Plugin you want to interact with your squid configured user authentication

    • save and apply config



  • Is there any difference in the AV of E2guardian vs Squid?  They both appear to be Clam but Squid seems to give more options for custom databases.



  • @Stewart:

    Is there any difference in the AV of E2guardian vs Squid?  They both appear to be Clam but Squid seems to give more options for custom databases.

    IIRC e2guardian has per group scan options but I agree clamd on squid has more options.

    Maybe you need to test both bu for now, you can keep on squid.

    we need a lot of tests to archive the best config for e2guardian on pfSense.

    I'm planning an captive portal integration just the same way I did on squid.



  • I'm going to try to get some testing done tomorrow to see what I can come up with.  Looking through the config options is a bit daunting, especially the Pics area since the value ranges keep changing.  And where do I add in phrases to block?  Can we create our own phrase lists?



  • @Stewart:

    Can we create our own phrase lists?

    sure.

    This is a wiki of Dansguardian. Most options works the same way on e2guardian.

    http://contentfilter.futuragts.com/wiki/doku.php

    https://github.com/e2guardian/e2guardian/wiki/Configuration



  • I've changed the submenu display style. I think it's better to see and undertand where you are.

    What do you think?

    images style1 are current pkg framework

    images style2 has new style view.

    What do you think?










  • To me, the original style is better.  I can see that I'm in ACL's -> Phrase Lists by the underlining.  It just sticks out better.  In the second one I can see that I'm in ACLs but can't tell which sub-menu I'm in becasue it isn't showing any different.  The bread-crumbs up top show it but it just isn't as easy to follow.  I like your current style better.



  • I think style 2 is cleaner but would be even nicer if it did highlight the sub menu item too  ;)



  • @danjeman:

    I think style 2 is cleaner but would be even nicer if it did highlight the sub menu item too  ;)

    I'll put the highlight as an option. For now I've changed de text on each xml to identify what tab you are.



  • I'm starting to test e2guardian but it won't start.

    
    /root: /usr/local/etc/rc.d/e2guardian.sh start
    kern.ipc.somaxconn: 16384 -> 16384
    kern.maxfiles: 131072 -> 131072
    kern.maxfilesperproc: 104856 -> 104856
    kern.threads.max_threads_per_proc: 4096 -> 4096
    Starting e2guardian.
    In mapauthtoports mode you need to setup one port per auth plugin
    Error parsing the e2guardian.conf file or other e2guardian configuration files
    /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
    
    

    Can those files be regenerated?  I've pointed to shallalist but that's about it.  The Default values in bold, those are the values used if the boxes are left blank?  They don't need to be filled in do they?

    EDIT:
    I copied the e2guardian.conf.sample and overwrote /usr/local/etc/e2guardian/e2guardian.conf and I'm getting further.  Now it tells me:

    /root: /usr/local/etc/rc.d/e2guardian.sh start
    kern.ipc.somaxconn: 16384 -> 16384
    kern.maxfiles: 131072 -> 131072
    kern.maxfilesperproc: 104856 -> 104856
    kern.threads.max_threads_per_proc: 4096 -> 4096
    Starting e2guardian.
    Error opening/creating log file. (check ownership and access rights).
    I am running as nobody and I am trying to open /var/log//access.log
    /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
    


  • What options did you selected to enable multiport?



  • @marcelloc:

    What options did you selected to enable multiport?

    What page has that option?  I don't think I intentionally selected anything, just clicked through.



  • I have it working on my setup, including ssl interception. Try to selext just one interface. I'll try another clean setup and see how how to reproduce this.



  • I have LAN and loopback selected since the default is Lan/loopback.  It's working with the sample config in place.

    I ran a diff on the config file and the sample file and there is quite a bit of difference since the rows don't line up.  I cleared up the commented lines and here is what the config options are in the broken file:

    
    languagedir = '/usr/local/share/e2guardian/languages'
    language = 'ukenglish'
    loglevel = 3
    logexceptionhits = 2
    logfileformat = 1
    anonymizelogs = off
    loglocation = '/var/log/e2guardian/access.log'
    dstatlocation = '/var/log/e2guardian/dstats.log'
    dstatinterval = 300  # = 5 minutes
    statlocation = '/var/log/e2guardian/stats'
    filterip = 192.168.1.1
    filterip = 127.0.0.1
    filterports = 8080
    filterports = 8080
    proxyip = 127.0.0.1
    proxyport = 3128
    proxytimeout = 30
    proxyexchange = 20
    pcontimeout = 55
    usecustombannedimage = on
    custombannedimagefile = '/usr/local/share/e2guardian/transparent1x1.gif'
    usecustombannedflash = off
    custombannedflashfile = '/usr/local/share/e2guardian/blockedflash.swf'
    filtergroups = 1
    filtergroupslist = '/usr/local/etc/e2guardian/lists/filtergroupslist'
    bannediplist = '/usr/local/etc/e2guardian/lists/bannediplist'
    exceptioniplist = '/usr/local/etc/e2guardian/lists/exceptioniplist'
    perroomblockingdirectory = '/usr/local/etc/e2guardian/lists/bannedrooms/'
    showweightedfound = on
    urlcachenumber = 1000
    urlcacheage =900
    scancleancache = on
    phrasefiltermode = 2
    preservecase = 0
    hexdecodecontent = off
    forcequicksearch = off
    reverseaddresslookups = off
    reverseclientiplookups = off
    logclienthostnames = off
    createlistcachefiles = on
    prefercachedlists = off
    maxcontentfiltersize = 256
    maxcontentramcachescansize = 1000
    maxcontentfilecachescansize = 2000
    filecachedir = '/tmp'
    deletedownloadedtempfiles = on
    initialtrickledelay = 20
    trickledelay = 20
    downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/fancy.conf'
    downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/trickle.conf'
    downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/default.conf'
    contentscannertimeout = 60
    contentscanexceptions = off
    recheckreplacedurls = off
    forwardedfor = off
    usexforwardedfor = off
    logconnectionhandlingerrors = on
    logsslerrors = off
    logchildprocesshandling = off
    maxchildren = 120
    minchildren = 8
    minsparechildren = 4
    preforkchildren = 10
    maxsparechildren = 32
    maxagechildren = 500
    maxips = 0
    ipcfilename = '/tmp/.dguardianipc'
    urlipcfilename = '/tmp/.dguardianurlipc'
    ipipcfilename = '/tmp/.dguardianipipc'
    nodaemon = off
    nologger = off
    logadblocks = off
    loguseragent =
    daemonuser = 'clamav'
    daemongroup = 'nobody'
    softrestart = on
    cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
    caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
    certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
    generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'
    
    


  • Looks like it was because I had both LAN and loopback selected.  You may want to remove the verbage of "Default: LAN/loopback".  For the other fields it states what is used when nothing is entered.  In this field you still need to select the Interface.



  • @Stewart:

    Looks like it was because I had both LAN and loopback selected.  You may want to remove the verbage of "Default: LAN/loopback".  For the other fields it states what is used when nothing is entered.  In this field you still need to select the Interface.

    I concur. You have to select only one interface (LAN) to get it to work. When loopback is also selected, it wont start. I haven't had a chance to test the different options other then installing and enabling it using default options.

    Need to figure out an easy/clean way to convert my old Dansguardian config to E2guardian (within the config.xml)



  • @Cino:

    Need to figure out an easy/clean way to convert my old Dansguardian config to E2guardian (within the config.xml)

    Easy as renaming it on xml(except for some config change from dansguardian to e2guardian) but I can help with a php script if you want.



  • FYI:

    When I go to ACLs -> Antivirus, the lower menu bar disappears. 
    When I go to ACLs -> Search Engine, Both menu bars disappear.



  • @Stewart:

    FYI:

    When I go to ACLs -> Antivirus, the lower menu bar disappears. 
    When I go to ACLs -> Search Engine, Both menu bars disappear.

    It's a missing div on pkg_edit.php I've updated on install script.

    EDIT

    to apply the fix/update manually, under system_patches package, create a new patch with this info

    
    --- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
    +++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
    @@ -651,6 +651,7 @@
     if ($savehelp) {
            $savebutton->setHelp($savehelp);
     }
    +?> $form = new Form($savebutton);
    
     $form->addGlobal(new Form_Input(
    
    

    folder /usr/local/www/




  • How do we download the blacklists for them to work?  On the Blacklist Tab I'm using http://www.shallalist.de/Downloads/shallalist.tar.gz as the Blacklist URL but when I go into the Default Site List and remove the "#" from in front of items on the list, e2guardian won't start.

    I'm changing:
    #.Include
    to
    .Include

    and the error when starting is:

    /root: /usr/local/etc/rc.d/e2guardian.sh start
    kern.ipc.somaxconn: 16384 -> 16384
    kern.maxfiles: 131072 -> 131072
    kern.maxfilesperproc: 104856 -> 104856
    kern.threads.max_threads_per_proc: 4096 -> 4096
    Starting e2guardian.
    Error reading file /usr/local/etc/e2guardian/lists/blacklists/adult/domains: No such file or directory
    Error opening file: /usr/local/etc/e2guardian/lists/blacklists/adult/domains
    Error reading: /usr/local/etc/e2guardian/lists/bannedsitelist.g_Default
    Error opening bannedsitelist
    Error opening filter group config: /usr/local/etc/e2guardian/e2guardianf1.conf
    Error reading filter group conf file(s).
    Error parsing the e2guardian.conf file or other e2guardian configuration files
    /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
    

    I'm guessing it's because the blacklist isn't really downloaded and applied.  I've tried changing the Update Frequency on the Blacklist Tab to Download and Update Now and I get an alert that says "E2guardian - Blacklist update process started" but I don't know how to see if it is doing anything.  After 20 minutes it still doesn't start if I uncomment the lines.



  • @Stewart:

    How do we download the blacklists for them to work?

    Select the option Download and update now, save, then back it to never or the update frequency You selected before.

    I'll change it to a Download and update button soon to keep it easy to use.

    Once it's downloaded and updated, I'll receive an system alert on gui.

    Thanks for the feedback




  • @marcelloc:

    @Stewart:

    FYI:

    When I go to ACLs -> Antivirus, the lower menu bar disappears. 
    When I go to ACLs -> Search Engine, Both menu bars disappear.

    It's a missing div on pkg_edit.php I've updated on install script.

    EDIT

    to apply the fix/update manually, under system_patches package, create a new patch with this info

    
    --- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
    +++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
    @@ -651,6 +651,7 @@
     if ($savehelp) {
            $savebutton->setHelp($savehelp);
     }
    +?> $form = new Form($savebutton);
    
     $form->addGlobal(new Form_Input(
    
    

    folder /usr/local/www/

    Applying the patch gives me:

    /usr/bin/patch --directory=/usr/local/www/ -t -p1 -i /var/patches/58e51d1fade80.patch --check --forward --ignore-whitespace
    
    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |--- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
    |+++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
    --------------------------
    Patching file pkg_edit.php using Plan A...
    Hunk #1 failed at 651.
    1 out of 1 hunks failed while patching pkg_edit.php
    done
    


  • @marcelloc:

    @Stewart:

    How do we download the blacklists for them to work?

    Select the option Download and update now, save, then back it to never or the update frequency You selected before.

    I'll change it to a Download and update button soon to keep it easy to use.

    Once it's downloaded and updated, I'll receive an system alert on gui.

    Thanks for the feedback

    Hmmm.  That's what I did.  I get the alert of "E2guardian - Blacklist update process started" but never one that it completes.  How can I see what's going on?



  • @Stewart:

    @marcelloc:

    @Stewart:

    How do we download the blacklists for them to work?

    Select the option Download and update now, save, then back it to never or the update frequency You selected before.

    I'll change it to a Download and update button soon to keep it easy to use.

    Once it's downloaded and updated, I'll receive an system alert on gui.

    Thanks for the feedback

    Hmmm.  That's what I did.  I get the alert of "E2guardian - Blacklist update process started" but never one that it completes.  How can I see what's going on?

    I just ran the Download and Update Now and shortly thereafter got 2 instances less than a minute apart of "E2guardianBlacklist applied, check site and URL access lists for categories", but it still gives me the same error.  I checked the folder structure and there is no /usr/local/etc/e2guardian/lists/blacklists/adult folder.  Do we need to manually edit the config file to match the directory structure?

    EDIT:
    The List in Config doesn't match the structure in /usr/local/etc/e2guardian/lists/blacklists/ at all.  Is that normal?

    EDIT2:
    Or I could just select from the Include box instead, like a normal person…



  • [quote]
    .patch --check --forward --ignore-whitespace
    
    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |--- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
    |+++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
    --------------------------
    Patching file pkg_edit.php using Plan A...
    Hunk #1 failed at 651.
    1 out of 1 hunks failed while patching pkg_edit.php
    done
    [/quote]
    
    What pfSense version are you using?
    I'm on 2.3.3
    


  • @marcelloc:

    @Cino:

    Need to figure out an easy/clean way to convert my old Dansguardian config to E2guardian (within the config.xml)

    Easy as renaming it on xml(except for some config change from dansguardian to e2guardian) but I can help with a php script if you want.

    I ran into some errors over the weekend when I tried it. I need to take another look and try again. I did rename everything from that had danguardian using find/replace. This time, I'll just focus on the ACL, Groups, IPs sections of the XML.

    Thank you for the offer, I think Im good for now unless there is a need for it by the community



  • So, it appears to be working if I set a computer to proxy at port 8080 but not when passed to Squid transparently.  From your previous response I see the IP and port should be defined on the Daemon tab but that appears to already be set properly by default and the config file shows proxyip=127.0.0.1 and proxyport=3128.  On the General tab I've tried several options and combinations for Auth Plugins but it doesn't seem to be filtering through Squid.

    Squid is running on port 3128 with all boxes in advanced being empty.  Would it matter that I still have Squidguard installed but disabled?



  • @marcelloc:

    [quote]
    .patch --check --forward --ignore-whitespace
    
    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |--- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
    |+++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
    --------------------------
    Patching file pkg_edit.php using Plan A...
    Hunk #1 failed at 651.
    1 out of 1 hunks failed while patching pkg_edit.php
    done
    [/quote]
    
    What pfSense version are you using?
    I'm on 2.3.3
    
    2.3.3-RELEASE-p1 (amd64)
    built on Thu Mar 09 07:17:41 CST 2017
    FreeBSD 10.3-RELEASE-p17
    
    It doesn't bother me all that much.  I can make the change manually.  It was more for your benefit so that you could get it fixed for future installs.
    


  • @Stewart:

    It doesn't bother me all that much.  I can make the change manually.  It was more for your benefit so that you could get it fixed for future installs.

    Sure. I'll test all install process(including blacklist) on a 2.3.3_p1 version too.



  • @Stewart:

    Hmmm.  That's what I did.  I get the alert of "E2guardian - Blacklist update process started" but never one that it completes.  How can I see what's going on?

    
    /usr/local/www/e2guardian.php fetch_blacklist 
    
    

    This is the script that fetches and apply the blacklist.



  • Awesome, thanks!  Now that it seems to be working, any advice on getting it to work with Squid transparently?


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy