Unofficial E2guardian package for pfSense
-
Added e2guardian4 to Unofficial repo 8)
tinyproxy may not install by default.
Also testing on 2.4(looks faster)
But I'm seeing only one e2guardian process. I'm not sure if it's the correct behavior or still has things to fix to run correctly under Freebsd
-
Added e2guardian4 to Unofficial repo 8)
tinyproxy may not install by default.
Also testing on 2.4(looks faster)
But I'm seeing only one e2guardian process. I'm not sure if it's the correct behavior or still has things to fix to run correctly under Freebsd
Does SSL interception and all work? Are the bugs you found squashed? Is the dependencies in the package manager meant to be e2guardian_35-3.5.1? It seems exactly the same as the old 3.5.1 version, but I haven't installed it yet.
Also it's threaded now right? Maybe that's why you're seeing only one process.
EDIT: So I ended updating E2Guardian via SSH by typing "13". Now it won't even start up. I am getting this error in logs
/pkg_edit.php: The command '/usr/local/etc/rc.d/e2guardian.sh start' returned exit code '1', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 4096 -> 4096 Starting e2guardian. Shared object "libssl.so.9" not found, required by "e2guardian" /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian'Also pfsense doesn't seem to be able to load the repo anymore. :(
Error:
>>> Updating repositories metadata... Updating Unofficial repository catalogue... Fetching meta.txz: . done Fetching packagesite.txz: . done Processing entries: . done Unofficial repository update completed. 8 packages processed. Updating pfSense-core repository catalogue... pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/meta.txz: No route to host repository pfSense-core has no meta file, using default settings pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/packagesite.txz: No route to host Unable to update repository pfSense-core Updating pfSense repository catalogue... pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-pfSense_v2_3_4/meta.txz: No route to host repository pfSense has no meta file, using default settings pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-pfSense_v2_3_4/packagesite.txz: No route to host Unable to update repository pfSense Error updating repositories!Being kinda screwed and out of choices… I changed Squid's port to 8080. Otherwise I get no connection at all, due to WPAD and settings on devices.
-
Does SSL interception and all work?
Yes.
Are the bugs you found squashed?
Not sure yet. youtube looks like was working better with 3.5 but it's to early to make a conclusion about it. I've tested only few minutes
Is the dependencies in the package manager meant to be e2guardian_35-3.5.1? It seems exactly the same as the old 3.5.1 version, but I haven't installed it yet.
Maybe because both are e2guardian packages. To change it on ports to a e2guardian4 takes some time
Also it's threaded now right? Maybe that's why you're seeing only one process.
Yes, I need to test it to see how far it can go with processing multiple cores, memory and throughput
EDIT: So I ended updating E2Guardian via SSH by typing "13". Now it won't even start up. I am getting this error in logs
/pkg_edit.php: The command '/usr/local/etc/rc.d/e2guardian.sh start' returned exit code '1', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 4096 -> 4096 Starting e2guardian. Shared object "libssl.so.9" not found, required by "e2guardian" /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian'e2guardian4 needs openssl. On my 2.4 test vm it installed as a dependence. I'll test again on a clean 2.3
you can try pkg install openssl from consoleAlso pfsense doesn't seem to be able to load the repo anymore. :(
Error:
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/meta.txz: No route to host pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/packagesite.txz: No route to host pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-pfSense_v2_3_4/meta.txz: No route to host pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-pfSense_v2_3_4/packagesite.txz: No route to hostI've removed the previous package and then installed the e2guardian4 package
I have no idea why you are getting no route to host.
-
Also, the gui package files form 3.5.1 to 4 are different (e2guardian to e2guardian4)
-
pfSense-pkg-E2guardian-0.9.2.txz
-
pfSense-pkg-E2guardian4-0.1.txz
EDIT
Got this removing 3.5.1 and then instaling 4
>>> Installing pfSense-pkg-E2guardian4... Updating Unofficial repository catalogue... Fetching meta.txz: . done Fetching packagesite.txz: . done Processing entries: . done Unofficial repository update completed. 8 packages processed. Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 3 package(s) will be affected (of 0 checked): New packages to be INSTALLED: pfSense-pkg-E2guardian4: 0.1 [Unofficial] e2guardian: 4.1.1 [Unofficial] openssl: 1.0.2l,1 [Unofficial] Number of packages to be installed: 3 The process will require 15 MiB more space. 3 MiB to be downloaded. [1/3] Fetching pfSense-pkg-E2guardian4-0.1.txz: ...... done [2/3] Fetching e2guardian-4.1.1.txz: .......... done [3/3] Fetching openssl-1.0.2l,1.txz: .......... done Checking integrity... done (0 conflicting) [1/3] Installing e2guardian-4.1.1... [1/3] Extracting e2guardian-4.1.1: .......... done [2/3] Installing pfSense-pkg-E2guardian4-0.1... [2/3] Extracting pfSense-pkg-E2guardian4-0.1: .......... done Saving updated package information... done. Loading package configuration... done. Configuring package components... Loading package instructions... Custom commands... Executing custom_php_install_command()...Checking E2guardian Blacklists... One moment please...Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |--- /usr/local/www/pkg_edit.orig.php 2017-04-05 17:12:56.478730000 -0300 |+++ /usr/local/www/pkg_edit.php 2017-04-05 17:13:51.614222000 -0300 -------------------------- Patching file /usr/local/www/pkg_edit.php using Plan A... Ignoring previously applied (or reversed) patch. Hunk #1 ignored at 656. 1 out of 1 hunks ignored--saving rejects to /usr/local/www/pkg_edit.php.rej done Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |--- /usr/local/www/pkg.orig.php 2017-04-05 17:18:25.349676000 -0300 |+++ /usr/local/www/pkg.php 2017-04-05 17:20:49.204578000 -0300 -------------------------- Patching file /usr/local/www/pkg.php using Plan A... Ignoring previously applied (or reversed) patch. Hunk #1 ignored at 329. 1 out of 1 hunks ignored--saving rejects to /usr/local/www/pkg.php.rej doneiniciodone.
Executing custom_php_resync_config_command()...```
iniciodone.
Menu items... done.
Services... done.
Writing configuration... done.
[3/3] Installing openssl-1.0.2l,1...
Extracting openssl-1.0.2l,1: .......... done
Message from e2guardian-4.1.1:
===> Please Note:
This port has created a log file named e2guardian.log that can get
quite large. Please read the newsyslog(8) man page for instructions
on configuring log rotation and compression.This port has been converted using old dansguardian-devel port
Let me know how it works (or not). (Patches always welcome.)
Message from pfSense-pkg-E2guardian4-0.1:
Please visit Services - E2guardian Server menu to configure the package and enable it.
Message from openssl-1.0.2l,1:
Edit /usr/local/openssl/openssl.cnf to fit your needs.Cleaning up cache... done.
Success -
-
Also, the gui package files form 3.5.1 to 4 are different (e2guardian to e2guardian4)
-
pfSense-pkg-E2guardian-0.9.2.txz
-
pfSense-pkg-E2guardian4-0.1.txz
EDIT
Got this removing 3.5.1 and then instaling 4
>>> Installing pfSense-pkg-E2guardian4... Updating Unofficial repository catalogue... Fetching meta.txz: . done Fetching packagesite.txz: . done Processing entries: . done Unofficial repository update completed. 8 packages processed. Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 3 package(s) will be affected (of 0 checked): New packages to be INSTALLED: pfSense-pkg-E2guardian4: 0.1 [Unofficial] e2guardian: 4.1.1 [Unofficial] openssl: 1.0.2l,1 [Unofficial] Number of packages to be installed: 3 The process will require 15 MiB more space. 3 MiB to be downloaded. [1/3] Fetching pfSense-pkg-E2guardian4-0.1.txz: ...... done [2/3] Fetching e2guardian-4.1.1.txz: .......... done [3/3] Fetching openssl-1.0.2l,1.txz: .......... done Checking integrity... done (0 conflicting) [1/3] Installing e2guardian-4.1.1... [1/3] Extracting e2guardian-4.1.1: .......... done [2/3] Installing pfSense-pkg-E2guardian4-0.1... [2/3] Extracting pfSense-pkg-E2guardian4-0.1: .......... done Saving updated package information... done. Loading package configuration... done. Configuring package components... Loading package instructions... Custom commands... Executing custom_php_install_command()...Checking E2guardian Blacklists... One moment please...Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |--- /usr/local/www/pkg_edit.orig.php 2017-04-05 17:12:56.478730000 -0300 |+++ /usr/local/www/pkg_edit.php 2017-04-05 17:13:51.614222000 -0300 -------------------------- Patching file /usr/local/www/pkg_edit.php using Plan A... Ignoring previously applied (or reversed) patch. Hunk #1 ignored at 656. 1 out of 1 hunks ignored--saving rejects to /usr/local/www/pkg_edit.php.rej done Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |--- /usr/local/www/pkg.orig.php 2017-04-05 17:18:25.349676000 -0300 |+++ /usr/local/www/pkg.php 2017-04-05 17:20:49.204578000 -0300 -------------------------- Patching file /usr/local/www/pkg.php using Plan A... Ignoring previously applied (or reversed) patch. Hunk #1 ignored at 329. 1 out of 1 hunks ignored--saving rejects to /usr/local/www/pkg.php.rej doneiniciodone.
Executing custom_php_resync_config_command()...```
iniciodone.
Menu items... done.
Services... done.
Writing configuration... done.
[3/3] Installing openssl-1.0.2l,1...
Extracting openssl-1.0.2l,1: .......... done
Message from e2guardian-4.1.1:
===> Please Note:
This port has created a log file named e2guardian.log that can get
quite large. Please read the newsyslog(8) man page for instructions
on configuring log rotation and compression.This port has been converted using old dansguardian-devel port
Let me know how it works (or not). (Patches always welcome.)
Message from pfSense-pkg-E2guardian4-0.1:
Please visit Services - E2guardian Server menu to configure the package and enable it.
Message from openssl-1.0.2l,1:
Edit /usr/local/openssl/openssl.cnf to fit your needs.Cleaning up cache... done.
SuccessOkay, I've installed the SSL. Rebooted, got the package installer working then installed version 4.1. And it still wasn't starting, then I disabled "log client hosnames" in the general tab. And it started. So far it seems to be working. I'll keep you updated. Thanks for getting this working! :)
EDIT: SSL interception isn't working. Do I need to edit that : /usr/local/openssl/openssl.cnf ?
-
-
EDIT: SSL interception isn't working.
Some config changes on this 4.1 are "asking" for a service restart.
I'm using ssl interception, with basic authentication and the custom html error page working
Do I need to edit that : /usr/local/openssl/openssl.cnf ?
No. That message is from the bsd package. Not related to e2guardian.
-
EDIT: SSL interception isn't working.
Some config changes on this 4.1 are "asking" for a service restart.
I'm using ssl interception, with basic authentication and the custom html error page working
Do I need to edit that : /usr/local/openssl/openssl.cnf ?
No. That message is from the bsd package. Not related to e2guardian.
I'm using IP Authentication and SSL interception / forging doesn't seem to work at all. Some configs seem to not load up correctly in the GUI until I saved them again, then their correct metadata loaded. I also tried rebooting etc. Didn't fix the SSL issue.
-
I'm using IP Authentication and SSL interception / forging doesn't seem to work at all.
I'll set ip Authentication to see if I get same result.
I'm using squid as parent proxy to be able to use it's authentication.
-
I'm using IP Authentication and SSL interception / forging doesn't seem to work at all.
I'll set ip Authentication to see if I get same result.
I'm using squid as parent proxy to be able to use it's authentication.
I'm also using Squid as a parent proxy, but no extra authentication on that. It's acting quite strange, but I definitely do feel that web pages are snappier. It doesn't feel like everything is going through a proxy anymore. And memory usage so far has dropped by 15% for me, not sure if that's because of SSL issue though.
-
I can't reproduce the issue here. :(
I got ip authentication, correct group, ssl interception and deny pages.
I've unselected soft restart on general tab and also did a restart few seconds after apply config.
-
I'm using IP Authentication and SSL interception / forging doesn't seem to work at all.
Did you enabled ssl on general tab?
It's a new option introduced on 4.1
-
Did you enabled ssl on general tab?
It's a new option introduced on 4.1
DAMNIT! That was it. For some reason before, that option didn't show / or I might have missed it (forgive me it's 2:32am in London).
It really does seem a lot faster, and some programs which were giving some trouble before with SSL interception. Seem to be working now. :O
Thanks a lot Marcello for your hard work and effort! Hats off to you! :)
-
DAMNIT! That was it. For some reason before, that option didn't show / or I might have missed it (forgive me it's 2:32am in London).
It really does seem a lot faster, and some programs which were giving some trouble before with SSL interception. Seem to be working now. :O
Thanks a lot Marcello for your hard work and effort! Hats off to you! :)
GREAT!!!! 8) If we can confirm it's working better and faster, I'll remove soon the 3.5.1 package from Unofficial repo and wait for a 4.1.1 release to update Freebsd ports repo.
-
DAMNIT! That was it. For some reason before, that option didn't show / or I might have missed it (forgive me it's 2:32am in London).
It really does seem a lot faster, and some programs which were giving some trouble before with SSL interception. Seem to be working now. :O
Thanks a lot Marcello for your hard work and effort! Hats off to you! :)
GREAT!!!! 8) If we can confirm it's working better and faster, I'll remove soon the 3.5.1 package from Unofficial repo and wait for a 4.1.1 release to update Freebsd ports repo.
Sure, but before you do, maybe you should add some code to re-initialise those config files people already have. Because it needs to adjust to the new layout and grab that meta data. Not sure if any of it causes a big deal though.
Here's an example of what data didn't load before "re-saving" the group configs:
Also, is there a way to cache HTTPS content through Squid using E2Guardian? Squid still has that issue with Subject Alternative Name, and it cannot do the interception anymore as that function is broken. Since E2Guardian is able to do it, and it works correctly. Is there a quick way to get this to work? I got a 140GB hard drive in my box, may as well make full use of it. :P
-
Squid still has that issue with Subject Alternative Name, and it cannot do the interception anymore as that function is broken.
I did not know that. You mean current ssl splice all feature?
Sure, but before you do, maybe you should add some code to re-initialise those config files people already have
Most config until now can be kept but e2guardian is improving/changing the config structure a lot between versions.
Here's an example of what data didn't load before "re-saving" the group configs:
This is just cosmetic. It does not affect config files at all.
Also, is there a way to cache HTTPS content through Squid using E2Guardian?
Not sure. But you can try to disable server certificate check and enable squid interception too.
-
Not sure. But you can try to disable server certificate check and enable squid interception too.
I tried that, didn't seem to work. Maybe you can have a look at that when you have time. To clarify, Squid cannot create forged certificates that Chrome, Firefox, or any modern app will really accept. Since the code hasn't been updated to comply with RFC, afaik. It doesn't provide the Subject Alternative Name in the certificate, only provides "common name".
I meant, since E2Guardian is able to create certificates which are accepted and complies with RFC. Maybe we can still cache it using Squid, not sure if it's possible but should be since it's the parent proxy. But I guess this is something that will need to be looked into, it probably will have to anyways so that caching can work without conflicing with Squid (if Squid gets updated to work properly with SAN). In addition, I get the feeling, most people would be using E2Guardian with Squid anyways, so it makes sense to make full use of this setup.
Playing around with 4.1, it really does seem so much faster. I can't even tell there's a proxy in between, until I try going to a blocked site and see the blocked page. However, I have uncovered one bug so far. It's that SSL regex under "Site Lists" tab, doesn't seem to be working. I was using it to enforce YouTube restricted mode for kids / guests. While allowing it for certain users. It's something I can live with for now though. But nevertheless, it's a bug to be noted/checked, I guess.
-
Hmm, had two crashes so far using 4.1 since yesterday. I'd recommend everyone hold out for a bit for everything to stabilise before updating.
Unfortunately I wasn't able to capture any meaningful information, except this crash log. Only things I implemented was the WPAD and the new E2Guardian update since yesterday. And I have suspicions that it maybe E2Guardian.https://ybin.me/p/e151f6a30f575c86#bQ6m4FCp/t6wWPLfFblyNmknhsZUXF0riaC3GJIlBBk=
-
how many users connected?
-
how many users connected?
Just a handful to be honest. For now only 4 devices doing MITM, and another 3 without MITM. It's a home environment so, not that big of a load. My machine load averages are barely going past 0.20, considering what I have running and this is a dual core machine. Pretty much same exact setup minus WPAD package on 3.5.1, barely any hiccups at all after initial setup. I was able to run it for over a week without a single issue.
With 4.1, today everything suddenly started loading super slow. I restarted the service, and everything was well again. Leading me to believe this is an issue with 4.1. Have you had a chance at all to take a look at why the SSL regex wasn't working?
For now, I'm glad 4.1, at least runs on pfSense, I'm just worried about the stability. Obviously I am running this at home, so some downtime isn't that big of a deal. But others may use it in their business or something. Especially as there is no filtering solution for pfSense which supports MITM anymore. SquidGuard doesn't work. -
Have you had a chance at all to take a look at why the SSL regex wasn't working?
I've tested th sslregex with youtube today. worked fine(with the restart service after apply).
#SSL site modifying Regular Expressions # Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" #I'll test on a big environment next week, about 720 workstations. Hope it goes fine.
Especially as there is no filtering solution for pfSense which supports MITM anymore. SquidGuard doesn't work.
That's true. My test machines did not crashed any time but it's a single user with multiple tab test.
Can you test it on 2.4 beta too?
