Unofficial E2guardian package for pfSense

marcelloc

@susamlicubuk:

I think the config xml is broken when it restarts
or embedded squid does not start
works with save and applly
service watchdog does not solve the problem
Is there a custom configuration?
Could you please look into this problem

Except if you need custom squid configuration on this parent daemon, select direct mode on e2guardian config.

susamlicubuk

Parent mode: direct connect selected
pfsense restarting filtering is not working
I click on save and apply
working

lavd

E2guardian works, thank you

How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?

Can this be made an official module already?

marcelloc

@lavd:

How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?

With e2guardian you can do both (filter ssl and intercept ssl), just like bump all and splice all on squid. You do not need squidguard in any way while working with e2guardiand. It's a full replacement with an age of improvements. Squid is optional too as e2guardian v5 doesn't need a parent proxy.

@lavd:

Can this be made an official module already?

It still need some work before it.

lavd

@marcelloc yes, all I am saying is that whatever version and setting of Squid is on Pfsense so far - SSL peek and splice doesn't work. So either Alex Rousskov did a bad job, which I doubt, or Squid module for pfsense is junk

Is it e2guardian needs more work or the package?

marcelloc

@lavd:

Is it e2guardian needs more work or the package?

Yes, config files and acls has changed a lot between version 4 and 5. I did a working around for many files to release first v5 package.

pfsensation

@lavd:

E2guardian works, thank you

How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?

Can this be made an official module already?

SquidGuard is a broken piece of garbage. It's not even in the same league as E2guardian therefore it shouldn't be compared. Last time I used SquidGuard, it couldn't even generate the fake certs correctly therefore leading to browsers not trusting it correctly. And causing more pain than its worth. I did see that a few community members tried to update it somewhat but the code was so bad they ended up giving up.

I'm really just waiting for the pfSense team to deprecate it and remove it from their official repo. E2guardian is a much better, modern and now more stable filtering tool. And it has the proper ability to actually "look" inside a Web page to deem if it's safe or not. Basic URL blocking as you get with SquidGuard is no longer effective as new sites emerge everyday.

If you're looking for a modern and great filtering tool. I wholeheartedly recommend E2 Guardian. With tweaking and updated phraselists it has the ability to knock everything else out the water. This package is still a work in progress and Marcello has done a great job bringing it to pfSense. Certain kinks will need to be worked out over time, such as AV and whatnot and then hopefully one day we can see this on the official repo.

pfsensation

@marcelloc:

@lavd:

Is it e2guardian needs more work or the package?

Yes, config files and acls has changed a lot between version 4 and 5. I did a working around for many files to release first v5 package.

How is the progress coming along with those config files? I'm eagerly waiting to get my regex working again to enforce restricted mode for certain groups.

I am also planning on releasing some configs to speed up the setup process of E2guardian. Just waiting for you to get the package all up to date with v5 changes and my work to give me some more free time.

marcelloc

@pfsensation:

@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.

The below is what I'm using for YouTube:

# Enforce restricted mode in YouTube
#
"(^https://www.youtube.com)"->"https://restrict.youtube.com"
"(^https://m.youtube.com)"->"https://restrict.youtube.com"
"(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com"
"(^https://youtube.googleapis.com)"->"https://restrict.youtube.com"
"(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com"
#

I did the test right now and it worked fine. I've setup this under acl -> site lists -> SSL Regex

the resulting file is unde /usr/local/etc/e2guardian/lists/sslsiteregexplist.g_your_group

Tested without transparent mode with ssl filter and ssl interception as well.

Safe search under Modify URL List is working too

pfsensation

@marcelloc:

@pfsensation:

@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.

The below is what I'm using for YouTube:

# Enforce restricted mode in YouTube
#
"(^https://www.youtube.com)"->"https://restrict.youtube.com"
"(^https://m.youtube.com)"->"https://restrict.youtube.com"
"(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com"
"(^https://youtube.googleapis.com)"->"https://restrict.youtube.com"
"(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com"
#

I did the test right now and it worked fine. I've setup this under acl -> site lists -> SSL Regex

the resulting file is unde /usr/local/etc/e2guardian/lists/sslsiteregexplist.g_your_group

Tested without transparent mode with ssl filter and ssl interception as well.

Safe search under Modify URL List is working too

Strange, I've verified that the file exists and has the correct contents but it didn't seem to work for me. I've just tried to explicitly set the browser to use the proxy again. E2 Guardian is definitely intercepting the traffic as it is giving out the fake cert to YouTube. However, at least on the desktop version of YouTube, restricted mode isn't working. I'm only using the ssl regex, no modify URL. Also, if it helps, I've got YouTube restricted in a separate group for ease of use.

marcelloc

I'll test at home too with virtual machines.

pfsensation

@marcelloc:

I'll test at home too with virtual machines.

Awesome, let me know how it goes. I'm quite confident that I do have everything correctly configured networking wise,  the VM I'm testing from is directly connected to my pfSense LAN switch. I've even tried testing from a few physical PC's but it shouldn't make a difference. I run my home virtualised now for ease of use.

While typing this, I've just tried to apply the policy to my mobile and it worked!! Strange, it seems that its not working with the desktop page anymore. I have even confirmed that the URLs I'm rewriting via E2 Guardian is up to date. We're definitely making slow but steady progress on getting to the bottom of this. I'd say that the problem is not E2guardian but it definitely was working on 4.1 although I tested  while back.

marcelloc

@pfsensation:

Awesome, let me know how it goes.

It's working at home too. I have IP authentication enabled, site SSL REGEX and URL MODIFY for all search engines enabled.

Tested with ssl filter and with interception only.

marcelloc

Package version 5.0.1_4 includes main changes needed to v5 config changes but it still need more work until full config update.

There is new combo box under group definition to select group type.
Ldap integration for group alcs is fixed too.


landforces

Dear friends I have read 42 page feedback, would not it be better if more people test it if you have a quick start guide on this topic? If you make a short video, everyone does not have as much information as you

marcelloc

I have this screencast cast showing e2guardian options. It's in Portuguese but I think it will help you.

http://sys-squad.com/licao/259

landforces

Thank you

landforces

Hi Marcello,

E2Guardian need to be squid
not working alone

marcelloc

It works with and without squid. Check your config on GUI, select direct mode under daemon tab. Save and apply.

A good clue on what is going wrong is running daemon on console to see it's complaint.
E2guardian -QN

landforces

Hi Marcello,
I ran the system and now I'm doing some tests. When I close the machine and open it, I get this error. services are all started
2. Responsibility is how to redirect https: sites to the block page.

Mar 31 10:05:24 php-cgi rc.bootup: [E2guardian] Installed but not started. Not installing 'nat' rules.
Mar 31 10:05:24 kernel pflog0: promiscuous mode enabled