Unofficial E2guardian package for pfSense

marcelloc

I have it working on my setup, including ssl interception. Try to selext just one interface. I'll try another clean setup and see how how to reproduce this.

Stewart

I have LAN and loopback selected since the default is Lan/loopback.  It's working with the sample config in place.

I ran a diff on the config file and the sample file and there is quite a bit of difference since the rows don't line up.  I cleared up the commented lines and here is what the config options are in the broken file:

languagedir = '/usr/local/share/e2guardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = 2
logfileformat = 1
anonymizelogs = off
loglocation = '/var/log/e2guardian/access.log'
dstatlocation = '/var/log/e2guardian/dstats.log'
dstatinterval = 300  # = 5 minutes
statlocation = '/var/log/e2guardian/stats'
filterip = 192.168.1.1
filterip = 127.0.0.1
filterports = 8080
filterports = 8080
proxyip = 127.0.0.1
proxyport = 3128
proxytimeout = 30
proxyexchange = 20
pcontimeout = 55
usecustombannedimage = on
custombannedimagefile = '/usr/local/share/e2guardian/transparent1x1.gif'
usecustombannedflash = off
custombannedflashfile = '/usr/local/share/e2guardian/blockedflash.swf'
filtergroups = 1
filtergroupslist = '/usr/local/etc/e2guardian/lists/filtergroupslist'
bannediplist = '/usr/local/etc/e2guardian/lists/bannediplist'
exceptioniplist = '/usr/local/etc/e2guardian/lists/exceptioniplist'
perroomblockingdirectory = '/usr/local/etc/e2guardian/lists/bannedrooms/'
showweightedfound = on
urlcachenumber = 1000
urlcacheage =900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
prefercachedlists = off
maxcontentfiltersize = 256
maxcontentramcachescansize = 1000
maxcontentfilecachescansize = 2000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 20
downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/fancy.conf'
downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/trickle.conf'
downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logsslerrors = off
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 10
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent =
daemonuser = 'clamav'
daemongroup = 'nobody'
softrestart = on
cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'

Stewart

Looks like it was because I had both LAN and loopback selected.  You may want to remove the verbage of "Default: LAN/loopback".  For the other fields it states what is used when nothing is entered.  In this field you still need to select the Interface.

Cino

@Stewart:

Looks like it was because I had both LAN and loopback selected.  You may want to remove the verbage of "Default: LAN/loopback".  For the other fields it states what is used when nothing is entered.  In this field you still need to select the Interface.

I concur. You have to select only one interface (LAN) to get it to work. When loopback is also selected, it wont start. I haven't had a chance to test the different options other then installing and enabling it using default options.

Need to figure out an easy/clean way to convert my old Dansguardian config to E2guardian (within the config.xml)

marcelloc

@Cino:

Need to figure out an easy/clean way to convert my old Dansguardian config to E2guardian (within the config.xml)

Easy as renaming it on xml(except for some config change from dansguardian to e2guardian) but I can help with a php script if you want.

Stewart

FYI:

When I go to ACLs -> Antivirus, the lower menu bar disappears. 
When I go to ACLs -> Search Engine, Both menu bars disappear.

marcelloc

@Stewart:

FYI:

When I go to ACLs -> Antivirus, the lower menu bar disappears. 
When I go to ACLs -> Search Engine, Both menu bars disappear.

It's a missing div on pkg_edit.php I've updated on install script.

EDIT

to apply the fix/update manually, under system_patches package, create a new patch with this info

--- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
+++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
@@ -651,6 +651,7 @@
 if ($savehelp) {
        $savebutton->setHelp($savehelp);
 }
+?> $form = new Form($savebutton);

 $form->addGlobal(new Form_Input(

folder /usr/local/www/

Stewart

How do we download the blacklists for them to work?  On the Blacklist Tab I'm using http://www.shallalist.de/Downloads/shallalist.tar.gz as the Blacklist URL but when I go into the Default Site List and remove the "#" from in front of items on the list, e2guardian won't start.

I'm changing:
#.Include
to
.Include

and the error when starting is:

/root: /usr/local/etc/rc.d/e2guardian.sh start
kern.ipc.somaxconn: 16384 -> 16384
kern.maxfiles: 131072 -> 131072
kern.maxfilesperproc: 104856 -> 104856
kern.threads.max_threads_per_proc: 4096 -> 4096
Starting e2guardian.
Error reading file /usr/local/etc/e2guardian/lists/blacklists/adult/domains: No such file or directory
Error opening file: /usr/local/etc/e2guardian/lists/blacklists/adult/domains
Error reading: /usr/local/etc/e2guardian/lists/bannedsitelist.g_Default
Error opening bannedsitelist
Error opening filter group config: /usr/local/etc/e2guardian/e2guardianf1.conf
Error reading filter group conf file(s).
Error parsing the e2guardian.conf file or other e2guardian configuration files
/usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian

I'm guessing it's because the blacklist isn't really downloaded and applied.  I've tried changing the Update Frequency on the Blacklist Tab to Download and Update Now and I get an alert that says "E2guardian - Blacklist update process started" but I don't know how to see if it is doing anything.  After 20 minutes it still doesn't start if I uncomment the lines.

marcelloc

@Stewart:

How do we download the blacklists for them to work?

Select the option Download and update now, save, then back it to never or the update frequency You selected before.

I'll change it to a Download and update button soon to keep it easy to use.

Once it's downloaded and updated, I'll receive an system alert on gui.

Thanks for the feedback

Stewart

@marcelloc:

@Stewart:

FYI:

When I go to ACLs -> Antivirus, the lower menu bar disappears. 
When I go to ACLs -> Search Engine, Both menu bars disappear.

It's a missing div on pkg_edit.php I've updated on install script.

EDIT

to apply the fix/update manually, under system_patches package, create a new patch with this info

--- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
+++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
@@ -651,6 +651,7 @@
 if ($savehelp) {
        $savebutton->setHelp($savehelp);
 }
+?> $form = new Form($savebutton);

 $form->addGlobal(new Form_Input(

folder /usr/local/www/

Applying the patch gives me:

/usr/bin/patch --directory=/usr/local/www/ -t -p1 -i /var/patches/58e51d1fade80.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
|+++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
--------------------------
Patching file pkg_edit.php using Plan A...
Hunk #1 failed at 651.
1 out of 1 hunks failed while patching pkg_edit.php
done

Stewart

@marcelloc:

@Stewart:

How do we download the blacklists for them to work?

Select the option Download and update now, save, then back it to never or the update frequency You selected before.

I'll change it to a Download and update button soon to keep it easy to use.

Once it's downloaded and updated, I'll receive an system alert on gui.

Thanks for the feedback

Hmmm.  That's what I did.  I get the alert of "E2guardian - Blacklist update process started" but never one that it completes.  How can I see what's going on?

Stewart

@Stewart:

@marcelloc:

@Stewart:

How do we download the blacklists for them to work?

Select the option Download and update now, save, then back it to never or the update frequency You selected before.

I'll change it to a Download and update button soon to keep it easy to use.

Once it's downloaded and updated, I'll receive an system alert on gui.

Thanks for the feedback

Hmmm.  That's what I did.  I get the alert of "E2guardian - Blacklist update process started" but never one that it completes.  How can I see what's going on?

I just ran the Download and Update Now and shortly thereafter got 2 instances less than a minute apart of "E2guardianBlacklist applied, check site and URL access lists for categories", but it still gives me the same error.  I checked the folder structure and there is no /usr/local/etc/e2guardian/lists/blacklists/adult folder.  Do we need to manually edit the config file to match the directory structure?

EDIT:
The List in Config doesn't match the structure in /usr/local/etc/e2guardian/lists/blacklists/ at all.  Is that normal?

EDIT2:
Or I could just select from the Include box instead, like a normal person…

marcelloc

[quote]
.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
|+++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
--------------------------
Patching file pkg_edit.php using Plan A...
Hunk #1 failed at 651.
1 out of 1 hunks failed while patching pkg_edit.php
done
[/quote]

What pfSense version are you using?
I'm on 2.3.3

Cino

@marcelloc:

@Cino:

Need to figure out an easy/clean way to convert my old Dansguardian config to E2guardian (within the config.xml)

Easy as renaming it on xml(except for some config change from dansguardian to e2guardian) but I can help with a php script if you want.

I ran into some errors over the weekend when I tried it. I need to take another look and try again. I did rename everything from that had danguardian using find/replace. This time, I'll just focus on the ACL, Groups, IPs sections of the XML.

Thank you for the offer, I think Im good for now unless there is a need for it by the community

Stewart

So, it appears to be working if I set a computer to proxy at port 8080 but not when passed to Squid transparently.  From your previous response I see the IP and port should be defined on the Daemon tab but that appears to already be set properly by default and the config file shows proxyip=127.0.0.1 and proxyport=3128.  On the General tab I've tried several options and combinations for Auth Plugins but it doesn't seem to be filtering through Squid.

Squid is running on port 3128 with all boxes in advanced being empty.  Would it matter that I still have Squidguard installed but disabled?

Stewart

@marcelloc:

[quote]
.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- pkg_edit.orig.php        2017-04-05 16:25:04.960401000 +0000
|+++ pkg_edit.php 2017-04-03 22:56:33.184313000 +0000
--------------------------
Patching file pkg_edit.php using Plan A...
Hunk #1 failed at 651.
1 out of 1 hunks failed while patching pkg_edit.php
done
[/quote]

What pfSense version are you using?
I'm on 2.3.3

2.3.3-RELEASE-p1 (amd64)
built on Thu Mar 09 07:17:41 CST 2017
FreeBSD 10.3-RELEASE-p17

It doesn't bother me all that much.  I can make the change manually.  It was more for your benefit so that you could get it fixed for future installs.

marcelloc

@Stewart:

It doesn't bother me all that much.  I can make the change manually.  It was more for your benefit so that you could get it fixed for future installs.

Sure. I'll test all install process(including blacklist) on a 2.3.3_p1 version too.

marcelloc

@Stewart:

Hmmm.  That's what I did.  I get the alert of "E2guardian - Blacklist update process started" but never one that it completes.  How can I see what's going on?

/usr/local/www/e2guardian.php fetch_blacklist 

This is the script that fetches and apply the blacklist.

Stewart

Awesome, thanks!  Now that it seems to be working, any advice on getting it to work with Squid transparently?

marcelloc

@Stewart:

Awesome, thanks!  Now that it seems to be working, any advice on getting it to work with Squid transparently?

Dansguardian as two work modes.

The sandwich mode, where there is a squid -> e2guardian -> tinyproxy or any other cache

Or the starndard mode where it stays in front of squid or any other cache and try to forward client authentication requests

What mode are you using?

E2guardian transparent mode while in front of squid is setup manually, creating a nat rule pointing to its listening port.