Unofficial E2guardian package for pfSense

MR-NT

@marcelloc:

Here are install instructions for UNOFFICIAL e2guardian package for pfSense(R) software 2.3.x

Install
You can enable Unoffical repo creating or downloading the file below using diagnostics -> command  prompt -> Execute Shell Command prompt menu:

2.3 AMD64

fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.conf

2.3 I386

fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficiali386.conf

2.4

fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.24.conf

After fetching the repo file, you can see these packages under System -> Package Manager

Without enabling Unofficial repo, you can add it using console/ssh with

cd /root
fetch https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian/files/install_e2guardian_23.sh
sh ./install_e2guardian_23.sh

E2guardian requires a cache/upstream server , so if you do not want to use squid together with e2guardian, point e2guardian proxy configuration to 127.0.0.1 port 8888 to use tinyproxy cache server instead.

http://www.shallalist.de/Downloads/shallalist.tar.gz is one of compatible blacklists for e2guardian. Configure it under blacklist tab.

Once it finishes, all must be in place. If you do not see the menu after it finishes, try to install any pfSense package from GUI, like cron for example.

WARNING

Use it at your own risk.

This script install packages from freebsd and change your config file.

Excellent , i think this is the only i can block based on Page content , am right or wrong ?

marcelloc

@MR-NT:

Excellent , i think this is the only i can block based on Page content , am right or wrong ?

Right !

susamlicubuk

Hello Marcello
The e2 guardian does not work after the pfsense firewall is restarted.
e2Guardian from the interface does not work without pressing the save and apply button.
Do you have a solution?

pfsensation

@susamlicubuk:

Hello Marcello
The e2 guardian does not work after the pfsense firewall is restarted.
e2Guardian from the interface does not work without pressing the save and apply button.
Do you have a solution?

Have you got the blacklist downloaded and the watch dog turned on? Turning on the watchdog should make sure that E2guardian is running.

GoldenShark

@pfsensation:

@susamlicubuk:

Hello Marcello
The e2 guardian does not work after the pfsense firewall is restarted.
e2Guardian from the interface does not work without pressing the save and apply button.
Do you have a solution?

Have you got the blacklist downloaded and the watch dog turned on? Turning on the watchdog should make sure that E2guardian is running.

I have same problem also.

I tried watch dog it doesnt work for this issue.

The problem is when you restart your pfsense its going to show to you : APPLY CHANGES.

If i will not apply it , it wont be work.

I have to apply every after restart pfsense

I can send you picture what he need : http://prntscr.com/iu6tr5

pfsensation

@GoldenShark:

@pfsensation:

@susamlicubuk:

Hello Marcello
The e2 guardian does not work after the pfsense firewall is restarted.
e2Guardian from the interface does not work without pressing the save and apply button.
Do you have a solution?

Have you got the blacklist downloaded and the watch dog turned on? Turning on the watchdog should make sure that E2guardian is running.

I have same problem also.

I tried watch dog it doesnt work for this issue.

The problem is when you restart your pfsense its going to show to you : APPLY CHANGES.

If i will not apply it , it wont be work.

I have to apply every after restart pfsense

I can send you picture what he need : http://prntscr.com/iu6tr5

You're right. i've been having this from the start, but it's one of those things that didn't really bother me too much because it only occurs when you do a full restart. pfSense is not really something you need to restart often at all, furthermore, I somehow managed to get it to auto startup using a combination of Service watchdog from the package manager and E2G's own watchdog. This way, after a reboot, I still get the prompt to save the configurations, but it still starts up the service automatically and everything seems to work as normal.

@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.

The below is what I'm using for YouTube:

# Enforce restricted mode in YouTube
#
"(^https://www.youtube.com)"->"https://restrict.youtube.com"
"(^https://m.youtube.com)"->"https://restrict.youtube.com"
"(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com"
"(^https://youtube.googleapis.com)"->"https://restrict.youtube.com"
"(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com"
#

marcelloc

@pfsensation:

s to work as normal.

@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.

The below is what I'm using for YouTube:

# Enforce restricted mode in YouTube
#
"(^https://www.youtube.com)"->"https://restrict.youtube.com"
"(^https://m.youtube.com)"->"https://restrict.youtube.com"
"(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com"
"(^https://youtube.googleapis.com)"->"https://restrict.youtube.com"
"(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com"
#

Acls on v5 has changed a lot. I'll put it on my check list to do as soon as possible

pfsensation

@marcelloc:

@pfsensation:

s to work as normal.

@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.

The below is what I'm using for YouTube:

# Enforce restricted mode in YouTube
#
"(^https://www.youtube.com)"->"https://restrict.youtube.com"
"(^https://m.youtube.com)"->"https://restrict.youtube.com"
"(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com"
"(^https://youtube.googleapis.com)"->"https://restrict.youtube.com"
"(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com"
#

Acls on v5 has changed a lot. I'll put it on my check list to do as soon as possible

Hi Marcello,

Thanks for your reply. Is this something that's just affecting the pfSense package you've made? I've raised it on Github so I'd be glad if you could provide some input there: https://github.com/e2guardian/e2guardian/issues/365

marcelloc

@pfsensation:

Thanks for your reply. Is this something that's just affecting the pfSense package you've made? I've raised it on Github so I'd be glad if you could provide some input there: https://github.com/e2guardian/e2guardian/issues/365

I guess yes. A lot of acls code needs to be reviewed to match v5 configuration style.

It's better if we can first confirm if it's a gui code issue or a binary issue before creating a ticket on e2guardian project.

susamlicubuk

I think the config xml is broken when it restarts
or embedded squid does not start
works with save and applly
service watchdog does not solve the problem
Is there a custom configuration?
Could you please look into this problem

pfsensation

@marcelloc:

@pfsensation:

Thanks for your reply. Is this something that's just affecting the pfSense package you've made? I've raised it on Github so I'd be glad if you could provide some input there: https://github.com/e2guardian/e2guardian/issues/365

I guess yes. A lot of acls code needs to be reviewed to match v5 configuration style.

It's better if we can first confirm if it's a gui code issue or a binary issue before creating a ticket on e2guardian project.

Sure, I'll be glad if you could have a look when you have time. I've closed the issue on the E2Guardian Project page on GitHub for now until we can confirm where the problem is. Furthermore, Philip did push out some extra fixes/updates so we need to rebuild the binaries anyways.

marcelloc

@susamlicubuk:

I think the config xml is broken when it restarts
or embedded squid does not start
works with save and applly
service watchdog does not solve the problem
Is there a custom configuration?
Could you please look into this problem

Except if you need custom squid configuration on this parent daemon, select direct mode on e2guardian config.

susamlicubuk

Parent mode: direct connect selected
pfsense restarting filtering is not working
I click on save and apply
working

lavd

E2guardian works, thank you

How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?

Can this be made an official module already?

marcelloc

@lavd:

How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?

With e2guardian you can do both (filter ssl and intercept ssl), just like bump all and splice all on squid. You do not need squidguard in any way while working with e2guardiand. It's a full replacement with an age of improvements. Squid is optional too as e2guardian v5 doesn't need a parent proxy.

@lavd:

Can this be made an official module already?

It still need some work before it.

lavd

@marcelloc yes, all I am saying is that whatever version and setting of Squid is on Pfsense so far - SSL peek and splice doesn't work. So either Alex Rousskov did a bad job, which I doubt, or Squid module for pfsense is junk

Is it e2guardian needs more work or the package?

marcelloc

@lavd:

Is it e2guardian needs more work or the package?

Yes, config files and acls has changed a lot between version 4 and 5. I did a working around for many files to release first v5 package.

pfsensation

@lavd:

E2guardian works, thank you

How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?

Can this be made an official module already?

SquidGuard is a broken piece of garbage. It's not even in the same league as E2guardian therefore it shouldn't be compared. Last time I used SquidGuard, it couldn't even generate the fake certs correctly therefore leading to browsers not trusting it correctly. And causing more pain than its worth. I did see that a few community members tried to update it somewhat but the code was so bad they ended up giving up.

I'm really just waiting for the pfSense team to deprecate it and remove it from their official repo. E2guardian is a much better, modern and now more stable filtering tool. And it has the proper ability to actually "look" inside a Web page to deem if it's safe or not. Basic URL blocking as you get with SquidGuard is no longer effective as new sites emerge everyday.

If you're looking for a modern and great filtering tool. I wholeheartedly recommend E2 Guardian. With tweaking and updated phraselists it has the ability to knock everything else out the water. This package is still a work in progress and Marcello has done a great job bringing it to pfSense. Certain kinks will need to be worked out over time, such as AV and whatnot and then hopefully one day we can see this on the official repo.

pfsensation

@marcelloc:

@lavd:

Is it e2guardian needs more work or the package?

Yes, config files and acls has changed a lot between version 4 and 5. I did a working around for many files to release first v5 package.

How is the progress coming along with those config files? I'm eagerly waiting to get my regex working again to enforce restricted mode for certain groups.

I am also planning on releasing some configs to speed up the setup process of E2guardian. Just waiting for you to get the package all up to date with v5 changes and my work to give me some more free time.

marcelloc

@pfsensation:

@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.

The below is what I'm using for YouTube:

# Enforce restricted mode in YouTube
#
"(^https://www.youtube.com)"->"https://restrict.youtube.com"
"(^https://m.youtube.com)"->"https://restrict.youtube.com"
"(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com"
"(^https://youtube.googleapis.com)"->"https://restrict.youtube.com"
"(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com"
#

I did the test right now and it worked fine. I've setup this under acl -> site lists -> SSL Regex

the resulting file is unde /usr/local/etc/e2guardian/lists/sslsiteregexplist.g_your_group

Tested without transparent mode with ssl filter and ssl interception as well.

Safe search under Modify URL List is working too