Unofficial E2guardian package for pfSense
-
1. Is E2Guardian a replacement for squidguard or squid ?
Full replacement for squidguard with more features.
2. Do I need to install Squid package if I use E2Guardian ?
If you do not need authentication or just ip authentication and no transparent proxy for ssl then you need only e2guardian package
l
3. If I need to install Squid package, do I need to enable the Transparent proxy and SSL MITM Filtering in Squid Proxy configuration ?If you plan to transparent proxy ssl, then you need to enable splice all and configure cache peer to send traffic to e2guardian.
-
Hi Marcelloc
I appreciate all the work you are doing with e2guardian. I have be playing for awhile and I finally got it working.
I am a novice with pfsense so it took me awhile to figure some things out. One thing I seemed to have a problem with is file permissions. Even when I install e2guardian on a fresh installed pfsense, there where file permission problems. One was the log file and the other was the directory where temp ssl certs where stored, not sure if I am saying this correctly or not. After I figured out how to change file and directory permissions I got everythinf to work. I am using MITM filtering by the way.
So for what ever it is worth. GREAT WORK MARCELLOC! :) -
Hey Marcello,
I'm sure you missed me. :P
Can you please look into caching content that E2Guardian has MITM'd? Using Squid directly doesn't seem to work due to them not using SAN on forged certificates. If you could add a workaround that would be amazing, for now and the future. Because for now even with MITM turned on, via E2Guardian, I have only been able to make Squid cache HTTP content, not HTTPS.
This makes caching slightly redundant as most websites have or are moving to HTTPS.
You you understand,
Thanks bro :)
PS: Be proud of urself, I am planning to deploy E2Guardian in a Charity Organisation! However… I am still waiting on that bug with blacklisted sites not showing category to be fixed. Thanks again for porting this over to pfSense, and keeping everything free, accessible and open source!
-
Did you configured it in sandwich mode?
Squid package +Splice all + transparent proxy + cache peer -> e2guardian with no nat redirect -> automatic parent.
-
Did you configured it in sandwich mode?
Squid package +Splice all + transparent proxy + cache peer -> e2guardian with no nat redirect -> automatic parent.
Can you provide some screenshots with these configuration?
-
Can you provide some screenshots with these configuration?
Configure e2guardian with automatic mode and watchdog
Then follow this post to configure squid in transparent mode with splice all and custom options to forward traffic to e2guardian.
https://forum.pfsense.org/index.php?topic=128116.msg730725#msg730725
EDIT
This is a tutorial in Portuguese with basic setup instructions and some screenshots
https://eliasmoraispereira.wordpress.com/2017/06/21/pfsense-proxy-transparente-mitm-no-modo-splice-all-com-squid-e2guardian/
-
Can you provide some screenshots with these configuration?
Configure e2guardian with automatic mode and watchdog
Then follow this post to configure squid in transparent mode with splice all and custom options to forward traffic to e2guardian.
https://forum.pfsense.org/index.php?topic=128116.msg730725#msg730725
EDIT
This is a tutorial in Portuguese with basic setup instructions and some screenshots
https://eliasmoraispereira.wordpress.com/2017/06/21/pfsense-proxy-transparente-mitm-no-modo-splice-all-com-squid-e2guardian/
But that link says is to filter without MITM. I want to filter with mitm and be able to activate squid cache for http and https.
-
Do not enable MITM for transparent proxy users with a group on e2guardian and keep it intercepting for WPAD/configured users.
-
Do not enable MITM for transparent proxy users with a group on e2guardian and keep it intercepting for WPAD/configured users.
I am confused.
I know I cant use mitm in transparent mode but you keep recommending to use squid in transparent mode splice-all to protect e2g from bad form ssl sites because e2g still crashes very often without it.
And now your still recommending to use this mode to be able to use squid cache features for https sites.
So I am concluding that e2g content filtering for https is not available as this wont work with squid cache nor squid splice-all protection.
-
Do not enable MITM for transparent proxy users with a group on e2guardian and keep it intercepting for WPAD/configured users.
I am confused.
I know I cant use mitm in transparent mode but you keep recommending to use squid in transparent mode splice-all to protect e2g from bad form ssl sites because e2g still crashes very often without it.
And now your still recommending to use this mode to be able to use squid cache features for https sites.
So I am concluding that e2g content filtering for https is not available as this wont work with squid cache nor squid splice-all protection.
I'm having the same experience Jetberrocal. Thought it was me not understanding.
However I wanted to add a couple things, won't Squid MITM interfere with E2Guardian? I tried this once and Squid couldn't even give usable forged certificates. It wasn't setting SUBJECT ALTERNATIVE Name and I was unable to browse https sites.
OH, and YES MITM can be used transparently. However the certificate will still need to be installed, I've seen it on smoothwall. I am able to just install the certificate and browse without messing with proxy settings or wpad.
My idea was actually to get all devices in the home using mitm, and all guests using non mitm filtering. -
The squid daemon after e2guardian protects it from crashing. This is one point that I do not recommend disabling (automatic mode) until we identify and open an issue on e2guardian project.
This will cover almost all configuration together with wpad.
Any extra configuration can be done together with this initial setup.
For basic squid authentication methods that e2guardian is able to handle (according to it's documentation) can be configured replacing automatic parent with squid package behind e2guardian (keeping ssl on with splice all mode)
For transparent proxy setups, e2guardian MITM cannot be used because this feature is not implemented yet(will be on 5.0). If you need transparent mode for http and https, use squid with splice all from squid package. In this setup, you can use e2guardian acls configuring squid to send connections to it after transparent rules get client connection.
Caching is something IMHO useless with most web content dynamic but squid memory cache is something that I still Configure on both squids (automatic parent or squid package)
Hope I could make myself clear about proxy features and configuration using e2guardian package.
-
I am still waiting on that bug with blacklisted sites not showing category to be fixed. Thanks again for porting this over to pfSense, and keeping everything free, accessible and open source!
Found how to show it. Each blacklist file needs the listcategory definition inside it. Editing /usr/local/etc/e2guardian/lists/blacklists/porn/domains and including #listcategory: "Porn Banned Sites" shows the category on block page.
The default shallalist doesn't has it ou their files. I'll workaround it during apply config or blacklist fetch.
![site category.PNG](/public/imported_attachments/1/site category.PNG)
![site category.PNG_thumb](/public/imported_attachments/1/site category.PNG_thumb) -
I am still waiting on that bug with blacklisted sites not showing category to be fixed. Thanks again for porting this over to pfSense, and keeping everything free, accessible and open source!
Found how to show it. Each blacklist file needs the listcategory definition inside it. Editing /usr/local/etc/e2guardian/lists/blacklists/porn/domains and including #listcategory: "Porn Banned Sites" shows the category on block page.
The default shallalist doesn't has it ou their files. I'll workaround it during apply config or blacklist fetch.
Awesome if you can properly add this. I can improve my block page further and push it out on Github.
I'm realising one big problem, every five days my pfSense just crashes. This has happened for the second time now. Squid is on splice all, I don't understand why. 4.1 E2G is giving me such a love and hate relationship with it. But even then it's way better than Squid Guard, which is shocking.
-
The system crash maybe related to memory or system resources exhausted. The crash I'm getting without splice all are just daemon Segmentation fault.
Try to "refresh" process every two days for example with a script on cron and see if these dumps stop happening.
-
The system crash maybe related to memory or system resources exhausted. The crash I'm getting without splice all are just daemon Segmentation fault.
Try to "refresh" process every two days for example with a script on cron and see if these dumps stop happening.
The max my entire memory usage goes to is 50% average 20% on top of that cpu utilisation is very low. Usually 0.20 load average on a multi core processor.
Also I decreased HTTP workers after last time to 200. I don't think it's a utilisation problem at all, because it happens only after 5 days always.
-
Hmm what happened to this thread? :o
Marcelloc, I'm considering reinstalling everything and starting from scratch. I really don't know what's going on, since I installed E2guardian 4. I'm getting sudden crashes, dhcp stops working. It's really doing my head in. Can I take a backup of my setup, and reinstall pfsense then restore it? I'm asking this again because obviously WPAD and E2guardian packages are both on your unofficial repo.
Also if I restore, I can use the existing certificates right? No need to generate new ones.
Edit : I've tried running a couple fsck's still no joy.
-
With the xml backup, you can restore everything.
Before you restore the backup, enable the Unofficial repo.
Do you have another hardware to test?
-
With the xml backup, you can restore everything.
Before you restore the backup, enable the Unofficial repo.
Do you have another hardware to test?
No I haven't got other hardware to test, but I may try in a VM.
I am getting this if I try updating via console :
pkg: Repository Unofficial load error: access repo file(/var/db/pkg/repo-Unofficial.sqlite) failed: No such file or directoryI tried reinstalling the repo. That seemed to fix it.
Is E2Guardian really working perfectly for you and fully stable?
-
I got to a point where the constant crashes got so annoying. I completely backed up everything via the webUi on pfSense, then reinstalled pfSense. Once reinstalled, I clicked through the installer, enabled the unofficial repository, restored my backup.
And now we're back to square one, I am beginning to think E2Guardian is really messed up. And it has nothing to do with me having corrupt files or anything like that.
To begin with, E2Guardian isn't even starting, and yes I got the blacklist…
Jul 17 14:05:45 php-fpm 14191 /pkg_edit.php: Starting E2guardian Jul 17 14:05:46 php-fpm 27416 /pkg_edit.php: Restarting e2g by sending -Q action to e2g binaries Jul 17 14:05:50 e2guardian 27174 Error opening/creating log file. (check ownership and access rights). Jul 17 14:05:50 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:05:50 php-fpm 14191 /pkg_edit.php: The command '/usr/local/etc/rc.d/e2guardian.sh start' returned exit code '1', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 20480 -> 20480 Starting e2guardian. Error opening/creating log file. (check ownership and access rights). I am running as clamav and I am trying to open /var/log/e2guardian/access.log /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian' Jul 17 14:05:51 e2guardian 27743 Error opening/creating log file. (check ownership and access rights). Jul 17 14:05:55 e2guardian 28982 Error opening/creating log file. (check ownership and access rights). Jul 17 14:05:55 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:06:15 check_reload_status Syncing firewall Jul 17 14:06:20 php /etc/rc.packages: Beginning package installation for E2guardian4 . Jul 17 14:06:20 check_reload_status Syncing firewall Jul 17 14:06:20 php /etc/rc.packages: [E2guardian] - Save settings package call pr: bp:1 rpc:no Jul 17 14:06:20 check_reload_status Syncing firewall Jul 17 14:06:21 php /etc/rc.packages: [E2guardian] - Save settings package call pr: bp:1 rpc:no
Time Process PID Message Jul 17 14:06:57 check_reload_status Syncing firewall Jul 17 14:07:02 e2guardian 68196 Error opening/creating log file. (check ownership and access rights). Jul 17 14:07:02 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:07:05 e2guardian 70947 Error opening/creating log file. (check ownership and access rights). Jul 17 14:07:05 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:07:19 e2guardian 1958 Error opening/creating log file. (check ownership and access rights). Jul 17 14:07:19 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:07:34 e2guardian 6191 Error opening/creating log file. (check ownership and access rights). Jul 17 14:07:34 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:07:49 e2guardian 8308 Error opening/creating log file. (check ownership and access rights). Jul 17 14:07:49 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:08:04 e2guardian 10433 Error opening/creating log file. (check ownership and access rights). Jul 17 14:08:04 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:08:05 e2guardian 13336 Error opening/creating log file. (check ownership and access rights). Jul 17 14:08:05 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:08:19 e2guardian 43872 Error opening/creating log file. (check ownership and access rights). Jul 17 14:08:19 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:08:20 e2guardian 45145 Error opening/creating log file. (check ownership and access rights). Jul 17 14:08:20 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:08:34 e2guardian 51342 Error opening/creating log file. (check ownership and access rights). Jul 17 14:08:34 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:08:49 e2guardian 53350 Error opening/creating log file. (check ownership and access rights). Jul 17 14:08:49 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:09:04 e2guardian 55584 Error opening/creating log file. (check ownership and access rights). Jul 17 14:09:04 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:09:04 e2guardian 58324 Error opening/creating log file. (check ownership and access rights). Jul 17 14:09:05 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:09:12 php-fpm 59986 /pkg_edit.php: Starting E2guardian Jul 17 14:09:12 php-fpm 91139 /pkg_edit.php: Restarting e2g by sending -Q action to e2g binaries Jul 17 14:09:22 e2guardian 91549 Error opening/creating log file. (check ownership and access rights). Jul 17 14:09:22 e2guardian 90889 Error opening/creating log file. (check ownership and access rights). Jul 17 14:09:22 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
Jul 17 14:16:58 php-fpm 33206 /pkg_edit.php: Starting E2guardian Jul 17 14:16:59 php-fpm 57665 /pkg_edit.php: Restarting e2g by sending -Q action to e2g binaries Jul 17 14:17:00 php-fpm 61687 /pkg_edit.php: Restarting e2g by sending -Q action to e2g binaries Jul 17 14:17:08 e2guardian 57477 Error opening/creating log file. (check ownership and access rights). Jul 17 14:17:08 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian Jul 17 14:17:08 php-fpm 33206 /pkg_edit.php: The command '/usr/local/etc/rc.d/e2guardian.sh start' returned exit code '1', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 20480 -> 20480 Starting e2guardian. Error opening/creating log file. (check ownership and access rights). I am running as clamav and I am trying to open /var/log/e2guardian/access.log /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
Marcello, PLEASE HELP ME GET THE DAMN THING WORKING AT A STABLE LEVEL AGAIN. I was extremely happy with E2Guardian 3.5.1, yes it had a few hiccups but nothing as bad as the entire service not starting or it causing kernel panics…
PS: For the record, I also tried on a VM. Same problem, so there is defintely something messed up. Please look into it, I believe even others lost interest in this after battling it so long.
-
Change log folder permissions to fix 'Error opening/creating log '
chmod 755 /var/log/e2guardian
This is already fixed on the repository but I did not had time to build the package with the fix.
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/6d05335a361b0728c92d58f702c59942f929223a
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/87f7d85500cfc9fd727755caf0af0f048dc33c47