Unofficial E2guardian package for pfSense
-
UPDATE
Hello folks,
I´ve been testing E2Guardian+SQUID with SSO NTLM and it is working REALLY fine.
There are some small/cosmetic issues, but at all, it's working fine.
Issues that I could get so far:
*The LDAP search group/users mechanism has some issues. It seems the script created by the package (see crontab) doesn't have the proper env setting. I tested it assing "sh -c" in front of it, and it resolved the issue.
*The e2guardian service sometimes got stuck.the GUI start/stop/restart icons doesn't work and you have to kill the PID from shell console. It seems it's something related to the "save/apply" process after the LDAP update script runs. I am still investigating.The e2guardian is "really" better than "squidguard" - There is no comparison! Forget about squidguard,
Hope that helps,
Fabricio. -
@fabricioguzzy said in Unofficial E2guardian package for pfSense:
UPDATE
Hello folks,
I´ve been testing E2Guardian+SQUID with SSO NTLM and it is working REALLY fine.
There are some small/cosmetic issues, but at all, it's working fine.
Issues that I could get so far:
*The LDAP search group/users mechanism has some issues. It seems the script created by the package (see crontab) doesn't have the proper env setting. I tested it assing "sh -c" in front of it, and it resolved the issue.
*The e2guardian service sometimes got stuck.the GUI start/stop/restart icons doesn't work and you have to kill the PID from shell console. It seems it's something related to the "save/apply" process after the LDAP update script runs. I am still investigating.The e2guardian is "really" better than "squidguard" - There is no comparison! Forget about squidguard,
Hope that helps,
Fabricio.Most of us have known or have come to know how much of a broken mess SquidGuard is. E2 Guardian filtering is much more advanced and granular.
I suggest you report the issues on the E2 Guardian Github page for quicker response/fixes. Thank you for the update, and I'm glad you've got it working with LDAP!
-
@pfsensation hi there!
It seems the issue is related to the pfsense package only (Web GUI -PHP code). There is nothing wrong with the E2guardian binary package at all, so, I could not report it at the e2guardian forum I guess.
Anyway, YES, people should simply forget about squidguard... I am very happy and excited with the results of E2guardian as a Content Filter and etc.
Still investigating the issues with the service/ldap package.Thanks!
Fabricio. -
@fabricioguzzy said in Unofficial E2guardian package for pfSense:
@pfsensation hi there!
It seems the issue is related to the pfsense package only (Web GUI -PHP code). There is nothing wrong with the E2guardian binary package at all, so, I could not report it at the e2guardian forum I guess.
Anyway, YES, people should simply forget about squidguard... I am very happy and excited with the results of E2guardian as a Content Filter and etc.
Still investigating the issues with the service/ldap package.Thanks!
Fabricio.Sorry, I meant @marcelloc has his own Github page for E2 Guardian on pfSense issues.
-
@fabricioguzzy said in Unofficial E2guardian package for pfSense:
UPDATE
Hello folks,
I´ve been testing E2Guardian+SQUID with SSO NTLM and it is working REALLY fine.
There are some small/cosmetic issues, but at all, it's working fine.
Issues that I could get so far:
*The LDAP search group/users mechanism has some issues. It seems the script created by the package (see crontab) doesn't have the proper env setting. I tested it assing "sh -c" in front of it, and it resolved the issue.
*The e2guardian service sometimes got stuck.the GUI start/stop/restart icons doesn't work and you have to kill the PID from shell console. It seems it's something related to the "save/apply" process after the LDAP update script runs. I am still investigating.The e2guardian is "really" better than "squidguard" - There is no comparison! Forget about squidguard,
Hope that helps,
Fabricio.Can you share a screenshot of sso ntlm settings?
-
@susamlicubuk
Sure. Here it goes.Keep in mind that I have it like: USER --> E2Guardian --> SQUID --> INTERNET
I have SAMBA in the background (for NTLM)Here E2Guardian Config:
Here SQUID Config:
-
@pfsensation -
I will contact him for sure. I thought he was writing here to the forum only.
Thanks for the heads up!! -
@fabricioguzzy said in Unofficial E2guardian package for pfSense:
@susamlicubuk
Sure. Here it goes.Keep in mind that I have it like: USER --> E2Guardian --> SQUID --> INTERNET
I have SAMBA in the background (for NTLM)Here E2Guardian Config:
Here SQUID Config:
How are your groups section and your users partition settings?
Please display the screenshot
Can you share the samba settings? -
there you go:
USERS:
SAMBA smb.conf file (replace DOMAIN and DOMAIN.CORP by your actual DOMAIN name)
GROUPS: (in the "masked" LDAP line, you add your Active Directory Server hostname)
-
PfSense 2.4.4p2+E2Guardian5 system. Wifi network, whatsapp voice call or video call not working. Realtime log, Tcp_dump/403 https://127.0.0.1
But E5Guardian SSL support disable; smoothly working.
Why?
-
@plusbil said in Unofficial E2guardian package for pfSense:
PfSense 2.4.4p2+E2Guardian5 system. Wifi network, whatsapp voice call or video call not working. Realtime log, Tcp_dump/403 https://127.0.0.1
But E5Guardian SSL support disable; smoothly working.
Why?
Age old issue of SSL pinning, apps reject any certs other than the one baked in by the app dev when they built the app. This is to try mitigate the MITM attacks, which is what E2 Guardian does.
Just make an alias to let Whatsapp bypass E2 Guardian altogether.
-
@pfsensation said in Unofficial E2guardian package for pfSense:
Just make an alias to let Whatsapp bypass E2 Guardian altogether.
Hmmm, thank you.
https://github.com/ukanth/afwall/wiki/HOWTO-blocking-WhatsApp
Is the list up to date?
-
@plusbil said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
Just make an alias to let Whatsapp bypass E2 Guardian altogether.
Hmmm, thank you.
https://github.com/ukanth/afwall/wiki/HOWTO-blocking-WhatsApp
Is the list up to date?
It's from 2015 so no, just do a packet capture and find the domains it uses. That's what I did to get it working, I tried to post a few of them for you here but it got detected as spam.
-
@pfsensation said in Unofficial E2guardian package for pfSense:
It's from 2015 so no, just do a packet capture and find the domains it uses. That's what I did to get it working, I tried to post a few of them for you here but it got detected as spam.
I did. Just one address, 54.93.x.x. I opened it for now, it works. I'm gonna have to try, occasionally. :) Thanks...
-
I just spun up a new pfSense machine using E2guardian. I was using squid/squidguard in the old firewall. There are quite a few nuances that I don't understand. It was pretty simple to block or allow sites as needed. I think I've figured out how to add new sites to block but am not having success getting them to bypass the filter. I have a camera system that keeps getting blocked with NETERROR as the reason. I've tried adding the source IP to the exceptions in the IP config and the site to ACL/site lists but no change. How does one enter a site to be bypassed?
*edit: It looks like it tries to connect then I see a log entry like this:
192.168.1.x https://127.0.0.1 403 Default NETERROR - -
If you are using transparent proxy and you want any addresses to completely bypass e2guardian, there are places under the Daemon tab in the transparent section to enter bypass ip's.
-
@user43617 said in Unofficial E2guardian package for pfSense:
I just spun up a new pfSense machine using E2guardian. I was using squid/squidguard in the old firewall. There are quite a few nuances that I don't understand. It was pretty simple to block or allow sites as needed. I think I've figured out how to add new sites to block but am not having success getting them to bypass the filter. I have a camera system that keeps getting blocked with NETERROR as the reason. I've tried adding the source IP to the exceptions in the IP config and the site to ACL/site lists but no change. How does one enter a site to be bypassed?
*edit: It looks like it tries to connect then I see a log entry like this:
192.168.1.x https://127.0.0.1 403 Default NETERROR -As @kenrutt mentioned, add the camera IP to the source bypass box under the daemon tab. Then it'll bypass e2guardian completely. Not quite sure why you're getting a NETERROR though.
-
I tried the source bypass and that didn't seem to work. Turning the E2guardian off for a while allowed it to do whatever and worked for that particular problem. There are other sites that are behaving the same (gocomics.com).
I used the instructions at this link to set up E2guardian:
https://lifeoverlinux.com/how-to-block-http-and-https-websites-with-e2guardian/It does not mention using WPAD for setup. I noticed that the instructions on the E2guardian github has a section on using it for ssl filtering. I had WPAd setup for squid/squidguard. Is that the part I'm missing here?
Anyone have a better set of instructions for configuring E2guardian on pfSense that's up to date?
-
@user43617 said in Unofficial E2guardian package for pfSense:
I tried the source bypass and that didn't seem to work. Turning the E2guardian off for a while allowed it to do whatever and worked for that particular problem. There are other sites that are behaving the same (gocomics.com).
I used the instructions at this link to set up E2guardian:
https://lifeoverlinux.com/how-to-block-http-and-https-websites-with-e2guardian/It does not mention using WPAD for setup. I noticed that the instructions on the E2guardian github has a section on using it for ssl filtering. I had WPAd setup for squid/squidguard. Is that the part I'm missing here?
Anyone have a better set of instructions for configuring E2guardian on pfSense that's up to date?
Source bypass will only work if you're using the transparent filtering option. I've personally stopped using WPAD, transparent filtering can force the traffic through E2 Guardian quite seamlessly.
-
So, does grey and exception listing work in transparent mode?