Unofficial E2guardian package for pfSense

marcelloc

@pfsensation:

Awesome, let me know how it goes.

It's working at home too. I have IP authentication enabled, site SSL REGEX and URL MODIFY for all search engines enabled.

Tested with ssl filter and with interception only.

marcelloc

Package version 5.0.1_4 includes main changes needed to v5 config changes but it still need more work until full config update.

There is new combo box under group definition to select group type.
Ldap integration for group alcs is fixed too.


landforces

Dear friends I have read 42 page feedback, would not it be better if more people test it if you have a quick start guide on this topic? If you make a short video, everyone does not have as much information as you

marcelloc

I have this screencast cast showing e2guardian options. It's in Portuguese but I think it will help you.

http://sys-squad.com/licao/259

landforces

Thank you

landforces

Hi Marcello,

E2Guardian need to be squid
not working alone

marcelloc

It works with and without squid. Check your config on GUI, select direct mode under daemon tab. Save and apply.

A good clue on what is going wrong is running daemon on console to see it's complaint.
E2guardian -QN

landforces

Hi Marcello,
I ran the system and now I'm doing some tests. When I close the machine and open it, I get this error. services are all started
2. Responsibility is how to redirect https: sites to the block page.

Mar 31 10:05:24 php-cgi rc.bootup: [E2guardian] Installed but not started. Not installing 'nat' rules.
Mar 31 10:05:24 kernel pflog0: promiscuous mode enabled

lindsay

@marcelloc:

I have this screencast cast showing e2guardian options. It's in Portuguese but I think it will help you.

http://sys-squad.com/licao/259

It returns to  http://sys-squad.com/login refardless of my understanding portuguese or not ;)

Not that i am not new/familar with e2guardian and dansguardian, but have used it on another firewall solution.

A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?

pfsensation

@marcelloc:

@pfsensation:

Awesome, let me know how it goes.

It's working at home too. I have IP authentication enabled, site SSL REGEX and URL MODIFY for all search engines enabled.

Tested with ssl filter and with interception only.

Hmm… Interesting. I have tried with the exact same settings but have been unable to get it working. However, keep in mind that I am using Squid as a upstream proxy. In 4.x I was able to just use SSL Regex and force a group of users onto Youtube Restricted mode. Do you have any idea what it could be? It seems weird. When I try from a mobile and go to m.youtube.com it works after sometime, however it can be bypassed by going incognito. There must be something that broke after the update, it's just not working as well as it used to.

Do you have any suggestions? @Marcelloc

marcelloc

@lindsay:

A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?

Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.

marcelloc

@pfsensation:

must be something that broke after the update, it's just not working as well as it used to.

Do you have any suggestions? @Marcelloc

Something that I see that changes test results are browsers cache. I guess you can reopen the ticket on e2guardian project to see what developers suggest.

marcelloc

@lindsay:

http://sys-squad.com/licao/259

It returns to  http://sys-squad.com/login refardless of my understanding portuguese or not ;)

The site asks for a register even for free screencasts. It could be translated by the browser or use Facebook or Goole authentication.

pfsensation

@marcelloc:

@pfsensation:

must be something that broke after the update, it's just not working as well as it used to.

Do you have any suggestions? @Marcelloc

Something that I see that changes test results are browsers cache. I guess you can reopen the ticket on e2guardian project to see what developers suggest.

Re-opened, let's see what they say. It's strange though, you managed to get it working. But I tried with both Chrome and IE, no joy. I even tried messing with setting up the proxy explicitly but it still doesn't work. Even though the client is getting the fake cert.

marcelloc

Try with clients on a specific group and on default group.
I'm seeing that some config works better out of default group.

If you can, test unrestricted an deny all group mode to see if it's working fine.

pfsensation

@marcelloc:

Try with clients on a specific group and on default group.
I'm seeing that some config works better out of default group.

If you can, test unrestricted an deny all group mode to see if it's working fine.

I'm testing Youtube restricted with a specific group, I can't enable the restricted mode on the default group as that would drive all the adults crazy. Anything other than cartoons, or kiddy videos will be blocked on Youtube xD

If it is working for you on the default group. It maybe a problem with the pfSense package and the v5 configuration updates. I have re-opened the issue on Github on the official repo. Let's see what Philip/Frederic come up with.

Thanks for all your hard work Marcello!

lindsay

@marcelloc:

@lindsay:

A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?

Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.

When i come home tomorrow i will enable e2guardian and see and upgrade pfsense too.

marcelloc

@pfsensation:

I'm testing Youtube restricted with a specific group, I can't enable the restricted mode on the default group as that would drive all the adults crazy. Anything other than cartoons, or kiddy videos will be blocked on Youtube xD

Try adding all your network cidr on a group different from default. IIRC, this was one of the tests I did.

pfsensation

@marcelloc:

@pfsensation:

I'm testing Youtube restricted with a specific group, I can't enable the restricted mode on the default group as that would drive all the adults crazy. Anything other than cartoons, or kiddy videos will be blocked on Youtube xD

Try adding all your network cidr on a group different from default. IIRC, this was one of the tests I did.

Just tried this, unfortunately still no joy on the Desktop. Weird… I have tried multiple machines / VM's, none of them went to restricted mode. I don't know what would be the best way to log if the cname rewriting is working, I guess that would help.

pfsensation

@lindsay:

@marcelloc:

@lindsay:

A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?

Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.

When i come home tomorrow i will enable e2guardian and see and upgrade pfsense too.

Go for it, I upgraded today to 2.4.3, had to re-install E2 Guardian after the update, but since then it's been running without any major hiccups.