Unofficial E2guardian package for pfSense
-
Version 5 can really be scaled both horizontally and vertically.
I have a box with 15k working process running really nice.
Amazing work e2guardian team did on it.
-
Version 5 can really be scaled both horizontally and vertically.
I have a box with 15k working process running really nice.
Amazing work e2guardian team did on it.
You're right. I just jumped in today, taking extra precautions. I cloned my pfSense VM twice and then jumped in. So far the transparent proxy is working brilliantly and exactly how I wanted it. I've got my pfSense box entirely virtualised in ESXi and it's running brilliantly so far at home. Hopefully it continues to run stable, I've got it running under Squid for some light caching. In addition to this, when changing the settings around in the GUI, E2Guardian no longer lags or locks up like 4.1, it applies the config nearly instantly and is back up and running.
@Marcelloc could we add some filters to the logs? It would be really useful to go through denied websites based on groups, logs, times and categories. And would help tune E2Guardian better.
-
Here are install instructions for UNOFFICIAL e2guardian package for pfSense(R) software 2.3.x
Install
You can enable Unoffical repo creating or downloading the file below using diagnostics -> command prompt -> Execute Shell Command prompt menu:2.3 AMD64
fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.conf
2.3 I386
fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficiali386.conf
2.4
fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.24.conf
After fetching the repo file, you can see these packages under System -> Package Manager
Without enabling Unofficial repo, you can add it using console/ssh with
cd /root fetch https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian/files/install_e2guardian_23.sh sh ./install_e2guardian_23.sh
E2guardian requires a cache/upstream server , so if you do not want to use squid together with e2guardian, point e2guardian proxy configuration to 127.0.0.1 port 8888 to use tinyproxy cache server instead.
http://www.shallalist.de/Downloads/shallalist.tar.gz is one of compatible blacklists for e2guardian. Configure it under blacklist tab.
Once it finishes, all must be in place. If you do not see the menu after it finishes, try to install any pfSense package from GUI, like cron for example.
WARNING
Use it at your own risk.
This script install packages from freebsd and change your config file.
Excellent , i think this is the only i can block based on Page content , am right or wrong ?
-
Excellent , i think this is the only i can block based on Page content , am right or wrong ?
Right !
-
Hello Marcello
The e2 guardian does not work after the pfsense firewall is restarted.
e2Guardian from the interface does not work without pressing the save and apply button.
Do you have a solution? -
Hello Marcello
The e2 guardian does not work after the pfsense firewall is restarted.
e2Guardian from the interface does not work without pressing the save and apply button.
Do you have a solution?Have you got the blacklist downloaded and the watch dog turned on? Turning on the watchdog should make sure that E2guardian is running.
-
Hello Marcello
The e2 guardian does not work after the pfsense firewall is restarted.
e2Guardian from the interface does not work without pressing the save and apply button.
Do you have a solution?Have you got the blacklist downloaded and the watch dog turned on? Turning on the watchdog should make sure that E2guardian is running.
I have same problem also.
I tried watch dog it doesnt work for this issue.
The problem is when you restart your pfsense its going to show to you : APPLY CHANGES.
If i will not apply it , it wont be work.
I have to apply every after restart pfsense
I can send you picture what he need : http://prntscr.com/iu6tr5
-
Hello Marcello
The e2 guardian does not work after the pfsense firewall is restarted.
e2Guardian from the interface does not work without pressing the save and apply button.
Do you have a solution?Have you got the blacklist downloaded and the watch dog turned on? Turning on the watchdog should make sure that E2guardian is running.
I have same problem also.
I tried watch dog it doesnt work for this issue.
The problem is when you restart your pfsense its going to show to you : APPLY CHANGES.
If i will not apply it , it wont be work.
I have to apply every after restart pfsense
I can send you picture what he need : http://prntscr.com/iu6tr5
You're right. i've been having this from the start, but it's one of those things that didn't really bother me too much because it only occurs when you do a full restart. pfSense is not really something you need to restart often at all, furthermore, I somehow managed to get it to auto startup using a combination of Service watchdog from the package manager and E2G's own watchdog. This way, after a reboot, I still get the prompt to save the configurations, but it still starts up the service automatically and everything seems to work as normal.
@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.
The below is what I'm using for YouTube:
# Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" #
-
s to work as normal.
@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.
The below is what I'm using for YouTube:
# Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" #
Acls on v5 has changed a lot. I'll put it on my check list to do as soon as possible
-
s to work as normal.
@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.
The below is what I'm using for YouTube:
# Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" # Acls on v5 has changed a lot. I'll put it on my check list to do as soon as possible
Hi Marcello,
Thanks for your reply. Is this something that's just affecting the pfSense package you've made? I've raised it on Github so I'd be glad if you could provide some input there: https://github.com/e2guardian/e2guardian/issues/365
-
Thanks for your reply. Is this something that's just affecting the pfSense package you've made? I've raised it on Github so I'd be glad if you could provide some input there: https://github.com/e2guardian/e2guardian/issues/365
I guess yes. A lot of acls code needs to be reviewed to match v5 configuration style.
It's better if we can first confirm if it's a gui code issue or a binary issue before creating a ticket on e2guardian project.
-
I think the config xml is broken when it restarts
or embedded squid does not start
works with save and applly
service watchdog does not solve the problem
Is there a custom configuration?
Could you please look into this problem -
Thanks for your reply. Is this something that's just affecting the pfSense package you've made? I've raised it on Github so I'd be glad if you could provide some input there: https://github.com/e2guardian/e2guardian/issues/365
I guess yes. A lot of acls code needs to be reviewed to match v5 configuration style.
It's better if we can first confirm if it's a gui code issue or a binary issue before creating a ticket on e2guardian project.
Sure, I'll be glad if you could have a look when you have time. I've closed the issue on the E2Guardian Project page on GitHub for now until we can confirm where the problem is. Furthermore, Philip did push out some extra fixes/updates so we need to rebuild the binaries anyways.
-
I think the config xml is broken when it restarts
or embedded squid does not start
works with save and applly
service watchdog does not solve the problem
Is there a custom configuration?
Could you please look into this problemExcept if you need custom squid configuration on this parent daemon, select direct mode on e2guardian config.
-
Parent mode: direct connect selected
pfsense restarting filtering is not working
I click on save and apply
working -
E2guardian works, thank you
How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?
Can this be made an official module already?
-
How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?
With e2guardian you can do both (filter ssl and intercept ssl), just like bump all and splice all on squid. You do not need squidguard in any way while working with e2guardiand. It's a full replacement with an age of improvements. Squid is optional too as e2guardian v5 doesn't need a parent proxy.
Can this be made an official module already?
It still need some work before it.
-
@marcelloc yes, all I am saying is that whatever version and setting of Squid is on Pfsense so far - SSL peek and splice doesn't work. So either Alex Rousskov did a bad job, which I doubt, or Squid module for pfsense is junk
Is it e2guardian needs more work or the package?
-
Is it e2guardian needs more work or the package?
Yes, config files and acls has changed a lot between version 4 and 5. I did a working around for many files to release first v5 package.
-
E2guardian works, thank you
How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?
Can this be made an official module already?
SquidGuard is a broken piece of garbage. It's not even in the same league as E2guardian therefore it shouldn't be compared. Last time I used SquidGuard, it couldn't even generate the fake certs correctly therefore leading to browsers not trusting it correctly. And causing more pain than its worth. I did see that a few community members tried to update it somewhat but the code was so bad they ended up giving up.
I'm really just waiting for the pfSense team to deprecate it and remove it from their official repo. E2guardian is a much better, modern and now more stable filtering tool. And it has the proper ability to actually "look" inside a Web page to deem if it's safe or not. Basic URL blocking as you get with SquidGuard is no longer effective as new sites emerge everyday.
If you're looking for a modern and great filtering tool. I wholeheartedly recommend E2 Guardian. With tweaking and updated phraselists it has the ability to knock everything else out the water. This package is still a work in progress and Marcello has done a great job bringing it to pfSense. Certain kinks will need to be worked out over time, such as AV and whatnot and then hopefully one day we can see this on the official repo.