Unofficial E2guardian package for pfSense
-
How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?
With e2guardian you can do both (filter ssl and intercept ssl), just like bump all and splice all on squid. You do not need squidguard in any way while working with e2guardiand. It's a full replacement with an age of improvements. Squid is optional too as e2guardian v5 doesn't need a parent proxy.
Can this be made an official module already?
It still need some work before it.
-
@marcelloc yes, all I am saying is that whatever version and setting of Squid is on Pfsense so far - SSL peek and splice doesn't work. So either Alex Rousskov did a bad job, which I doubt, or Squid module for pfsense is junk
Is it e2guardian needs more work or the package?
-
Is it e2guardian needs more work or the package?
Yes, config files and acls has changed a lot between version 4 and 5. I did a working around for many files to release first v5 package.
-
E2guardian works, thank you
How come we can't make SSL bump to work with Squid+SquidGuard, making it cripple SSL on google etc., but here it works fine?
Can this be made an official module already?
SquidGuard is a broken piece of garbage. It's not even in the same league as E2guardian therefore it shouldn't be compared. Last time I used SquidGuard, it couldn't even generate the fake certs correctly therefore leading to browsers not trusting it correctly. And causing more pain than its worth. I did see that a few community members tried to update it somewhat but the code was so bad they ended up giving up.
I'm really just waiting for the pfSense team to deprecate it and remove it from their official repo. E2guardian is a much better, modern and now more stable filtering tool. And it has the proper ability to actually "look" inside a Web page to deem if it's safe or not. Basic URL blocking as you get with SquidGuard is no longer effective as new sites emerge everyday.
If you're looking for a modern and great filtering tool. I wholeheartedly recommend E2 Guardian. With tweaking and updated phraselists it has the ability to knock everything else out the water. This package is still a work in progress and Marcello has done a great job bringing it to pfSense. Certain kinks will need to be worked out over time, such as AV and whatnot and then hopefully one day we can see this on the official repo.
-
Is it e2guardian needs more work or the package?
Yes, config files and acls has changed a lot between version 4 and 5. I did a working around for many files to release first v5 package.
How is the progress coming along with those config files? I'm eagerly waiting to get my regex working again to enforce restricted mode for certain groups.
I am also planning on releasing some configs to speed up the setup process of E2guardian. Just waiting for you to get the package all up to date with v5 changes and my work to give me some more free time.
-
@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.
The below is what I'm using for YouTube:
# Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" #
I did the test right now and it worked fine. I've setup this under acl -> site lists -> SSL Regex
the resulting file is unde /usr/local/etc/e2guardian/lists/sslsiteregexplist.g_your_group
Tested without transparent mode with ssl filter and ssl interception as well.
Safe search under Modify URL List is working too
-
@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.
The below is what I'm using for YouTube:
# Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" #
I did the test right now and it worked fine. I've setup this under acl -> site lists -> SSL Regex
the resulting file is unde /usr/local/etc/e2guardian/lists/sslsiteregexplist.g_your_group
Tested without transparent mode with ssl filter and ssl interception as well.
Safe search under Modify URL List is working too
Strange, I've verified that the file exists and has the correct contents but it didn't seem to work for me. I've just tried to explicitly set the browser to use the proxy again. E2 Guardian is definitely intercepting the traffic as it is giving out the fake cert to YouTube. However, at least on the desktop version of YouTube, restricted mode isn't working. I'm only using the ssl regex, no modify URL. Also, if it helps, I've got YouTube restricted in a separate group for ease of use.
-
I'll test at home too with virtual machines.
-
I'll test at home too with virtual machines.
Awesome, let me know how it goes. I'm quite confident that I do have everything correctly configured networking wise, the VM I'm testing from is directly connected to my pfSense LAN switch. I've even tried testing from a few physical PC's but it shouldn't make a difference. I run my home virtualised now for ease of use.
While typing this, I've just tried to apply the policy to my mobile and it worked!! Strange, it seems that its not working with the desktop page anymore. I have even confirmed that the URLs I'm rewriting via E2 Guardian is up to date. We're definitely making slow but steady progress on getting to the bottom of this. I'd say that the problem is not E2guardian but it definitely was working on 4.1 although I tested while back.
-
Awesome, let me know how it goes.
It's working at home too. I have IP authentication enabled, site SSL REGEX and URL MODIFY for all search engines enabled.
Tested with ssl filter and with interception only.
-
Package version 5.0.1_4 includes main changes needed to v5 config changes but it still need more work until full config update.
There is new combo box under group definition to select group type.
Ldap integration for group alcs is fixed too.![group type.PNG](/public/imported_attachments/1/group type.PNG)
![group type.PNG_thumb](/public/imported_attachments/1/group type.PNG_thumb) -
Dear friends I have read 42 page feedback, would not it be better if more people test it if you have a quick start guide on this topic? If you make a short video, everyone does not have as much information as you
-
I have this screencast cast showing e2guardian options. It's in Portuguese but I think it will help you.
http://sys-squad.com/licao/259
-
Thank you
-
Hi Marcello,
E2Guardian need to be squid
not working alone
-
It works with and without squid. Check your config on GUI, select direct mode under daemon tab. Save and apply.
A good clue on what is going wrong is running daemon on console to see it's complaint.
E2guardian -QN -
Hi Marcello,
I ran the system and now I'm doing some tests. When I close the machine and open it, I get this error. services are all started
2. Responsibility is how to redirect https: sites to the block page.Mar 31 10:05:24 php-cgi rc.bootup: [E2guardian] Installed but not started. Not installing 'nat' rules.
Mar 31 10:05:24 kernel pflog0: promiscuous mode enabled
-
I have this screencast cast showing e2guardian options. It's in Portuguese but I think it will help you.
http://sys-squad.com/licao/259
It returns to http://sys-squad.com/login refardless of my understanding portuguese or not ;)
Not that i am not new/familar with e2guardian and dansguardian, but have used it on another firewall solution.
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
-
Awesome, let me know how it goes.
It's working at home too. I have IP authentication enabled, site SSL REGEX and URL MODIFY for all search engines enabled.
Tested with ssl filter and with interception only.
Hmm… Interesting. I have tried with the exact same settings but have been unable to get it working. However, keep in mind that I am using Squid as a upstream proxy. In 4.x I was able to just use SSL Regex and force a group of users onto Youtube Restricted mode. Do you have any idea what it could be? It seems weird. When I try from a mobile and go to m.youtube.com it works after sometime, however it can be bypassed by going incognito. There must be something that broke after the update, it's just not working as well as it used to.
Do you have any suggestions? @Marcelloc
-
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.