Unofficial E2guardian package for pfSense
-
@pfsensation thanks for the quick reply, appreciate it.
Below are the steps I followed.
- create schedule in pfsense
--- working_hours Mon - Sun / 9:00-17:59
- create ACL in e2g
--- schedule : working_hours
--- enable : check
--- Include : social_network domains
--- save
- e2g Groups
--- site : working_hours
--- save
- e2g IPs
--- working_hours : 192.168.1.100
--- save
--- apply
- e2g Realtime
** facebook.com 403 192.168.1.100 working_hours DENIED Blocked site: facebook.com
Result success!
Another problem is,
how does e2g read the groups?
top to bottom? bottom to top?
Scenario : I want to create another schedule "lunch_break" @ 12noon to 1pm
and allow facebook access during that time.
I followed the same steps as above and set IPs to "lunch_break", so one of the IPs belongs in two IPs (one in working_hours and same ip in lunch_break)
e2g just sticks to "lunch_break" even after the hour ends (1PM)
it never goes back to "working_hours" IPs and ACL groups.
Can the scenario above be achieved in e2g?
-
@kenpachizaraki From top to bottom. E2guardian ACLs process from top to bottom.
-
@ucribrahim thanks.
How about the IPs? What would happen if the same IP belongs in both groups?
As in my example post above
Working_hours : 192.168.1.100
Lunch_break : 192.168.1.100
My assumption is it would go back to working_groups after 1pm? Since lunch_break is scheduled in my ACL and scheduler setting.
-
@kenpachizaraki Actually it's hard to say anything before testing it, because I don't know very well how to use E2guardian. I have worked with E2guardian many times but didn't test the other menus. You need to test which ACL or group will come first or what is going to happen.
I wrote a blog post about e2guardian on my web site, and I'll share a video as soon as possible. After that I'll try to learn how to use the other menus and then I'll write a blog post on how to use the other menus in e2guardian. But first the video, after that I'll do that.
https://lifeoverlinux.com/how-to-block-http-and-https-websites-with-e2guardian/
-
@ucribrahim thanks for the guide post.
What I did now is a simple solution since I only want to open facebook during lunch.
I created 2 schedules : AM_Working_Hours @ 9:00-12noon
and
PM_Working_Hours @ 1PM-6PM
Created 2 ACLs, AM_Working_Hours and PM_Working_Hours, and assigned the schedules respectively.
Selected "Social_media networks" to be blocked. As intended it blocks the websites during the mentioned time.
I only created 1 Group and selected both AM_Working_Hours and PM_Working_Hours.
When the time hits 12noon, social media sites are now accessible.
This is OK for me now as the requirements have been achieved.
If you have a cleaner solution it would be great if you can share.
-
btw, squid is disabled in my setup.
I'm using e2g for the proxy.
https://lifeoverlinux.com/how-to-block-http-and-https-websites-with-e2guardian/
You had mentioned in your forum that it can be bypassed?
That's why you add these lines in your squid config.
cache_peer 127.0.0.1 parent 8080 0 login=*:password
always_direct deny all
never_direct allow all
I'll shoot some tests later to see if it can be bypassed.
-
@ucribrahim after some testing using your code above on squid, and using a proxy in the web browser, I was able to access restricted sites.
Can you test further, as I was not able to block sites using manual proxy. :(
These are my settings..
e2g
-
@kenpachizaraki Okay, could you please wait? I'll write back to you.
-
@ucribrahim also I'm not installing the cert since e2g works fine without installing the cert (MITM).
-
@kenpachizaraki I tested the code which I added to the squid config. I can still access restricted sites. :/ It didn't work at all.
But it was working, I tested a few times. Well, I'll try to use E2guardian itself, without Squid. Let's see if it's going to work stably.
-
@ucribrahim OK, let me know the progress. I can run some tests tomorrow.
-
@kenpachizaraki Sure. For now there is no problem, I tested for a few hours. Tomorrow I'll install a fresh pfsense on my hardware UTM box and then I'll surf from the pfsense box and test it. I'll write the results back to you in a few days.
-
@ucribrahim can you post your working settings with squid+e2g running? I'll test tomorrow...
-
@kenpachizaraki No, actually I'll test E2guardian by itself. There will be no Squid.
-
@ucribrahim that would be great. Thanks in advance.
Also can someone check if proxies in the google chrome webstore can be blocked? This is annoying since there are lots of google chrome proxy plugins that work even with the MITM method.
-
@kenpachizaraki Hi, technically you can't block the chrome web store. Let me tell you why. First of all, if you block the "chrome.google.com" domain then you block Google itself directly. You can't tell e2guardian to block the domain if it sees the word "webstore", because the domain is under SSL. It means e2guardian can't see into the SSL traffic of an SSL domain.
The "webstore" page is under the encrypted traffic of an SSL domain, which is "chrome.google.com"; no one in the world can see the SSL traffic. (for now)
You can tell e2guardian to block "chrome.google.com", but if it blocks this domain then you can't access "google.com" :/
You can search Google for how SSL works. It will help you to understand what I'm trying to say.
https://chrome.google.com/webstore/category/extensions
-
@kenpachizaraki With MITM you can block the web store, but if you're doing this for a school or company with machines on a domain, do it through GPO.
However with E2G you should be able to block chrome Web store. Remember E2G can do more powerful things than just rely on the URL. I haven't done it this way for a while so I can't give you exact instructions but it can be done.
-
@pfsensation If you do it without MITM, let us know please. Also if you do a test it would be awesome. Thanks.
-
@pfsensation @ucribrahim sorry for the confusion here. Actually I don't want to block the webstore URL. What I want is to block those proxy plugins that you install in your chrome browser. There are lots of proxy plugins that, when you install them in chrome, let you access restricted sites.
I have done it in other paid UTM software wherein we install the cert and inspect all 443 connections to block outgoing malformed proxy connections.
Yes, it can be done via GPO but it is tedious to add all those chrome proxies - there are a lot of them.
-
@kenpachizaraki You could block most of them by locking down outgoing ports (allowing only connections to E2 Guardian) and blocking the domains for proxies and VPNs through E2 Guardian.
Although this will block most of these proxies from working, SSL VPNs working over port 443 may still work. I don't believe E2 Guardian has a way of completely blocking them yet. As far as I'm aware, the way these "paid" firewalls block VPNs is they try to inspect the traffic. If it's suspicious or it couldn't be successfully decrypted via MITM then it gets blocked.
If you want to avoid the Chrome GPO method of allowing extension installations, then you can also make the chrome extensions directory read only and block it that way.
The subject of blocking these VPNs working over 443 may need a bit more digging into though.