Unofficial E2guardian package for pfSense



  • @pfsensation If you do it without MITM, let us know please. Also, if you do a test it would be awesome. Thanks.



  • @pfsensation @ucribrahim sorry for the confusion here. Actually I don't want to block the webstore URL. What I want is to block those proxy plugins that you install in your Chrome browser. There are lots of proxy plugins that, when you install them in Chrome, let you access restricted sites.

    I have done it in other paid UTM software, where we install the cert and inspect all 443 connections to block outgoing malformed proxy connections.

    Yes, it can be done via GPO, but it is tedious to add all those Chrome proxies - a lot of them.



  • @kenpachizaraki You could block most of them by locking down outgoing ports (allowing only connections to E2 Guardian) and blocking the domains for proxies and VPNs through E2 Guardian.

    Although this will block most of these proxies from working, SSL VPNs working over port 443 may still work. I don't believe E2 Guardian has a way of completely blocking them yet. As far as I'm aware, the way these "paid" firewalls block VPNs is that they try to inspect the traffic. If it's suspicious or it couldn't be successfully decrypted via MITM, then it gets blocked.

    If you want to avoid the Chrome GPO method of allowing extension installations, then you can also make the Chrome extensions directory read-only and block it that way.

    The subject of blocking these VPNs working over 443 may need a bit more digging into, though.



  • @pfsensation yes, outgoing ports can be blocked, but most of them are using 443. So your legitimate 443 connections will also be blocked. They are really sneaky little bastards to block using that method. Hopefully in the future e2g can find a way to block that traffic.



  • @kenpachizaraki Really? I did some testing a while back; when I blocked the VPN provider's domain, it would mess up the VPN client to server negotiation and just fail to connect.

    But I do understand your frustrations, it's difficult to properly block these VPNs on 443. I'll bring this up to the E2guardian devs and see if there's anything that can be done to mitigate the risks. I do know some firewall solutions such as Smoothwall actually work pretty well, so it can be done, but I'm pretty certain you'll probably get some false positives for sure.



  • @pfsensation if you know the VPN provider domain, yes, it can be easily blocked even using the firewall.
    Can you try this one in your Chrome browser:
    https://chrome.google.com/webstore/detail/vpn-grab-a-proxy-free/epiohmjifijenpabfpggbphmjinbhgnn?hl=en

    The hard part of this is you need to check the logs for what domain that proxy is connecting to.



  • @pfsensation @marcelloc @ucribrahim is it possible for e2g, maybe with a regex, to get the WAN IP address?
    if wan = to interface wan (whatismyipaddress) = Pass
    if wan != to interface wan (whatismyipaddress) = Block/Reject

    Since if someone uses a proxy, the WAN IP changes to the proxy being used.
    If this is possible then we can block those annoying proxies used to bypass e2g or Squid.



  • @kenpachizaraki I'll do some testing on this when I have some free time and can set up a virtual lab. At the moment I'm quite bogged down with work and life in general. But I have requested a feature in E2guardian to detect and block VPNs.



  • @kenpachizaraki Although this can probably be done, passing or blocking based on the WAN IP hasn't been implemented in E2 Guardian. Not sure if this will be added, or even if it's a good method to block Internet access for those trying to bypass the firewall.



  • OMG no one replies. I guess my question is really hard.
    Or perhaps, no one would like to help.



  • @ravegen What is your question? Maybe I can answer your question or someone will.



  • @pfsensation @marcelloc
    I filed bugs on e2guardian already:
    https://github.com/e2guardian/e2guardian/issues/444

    Maybe someone can verify this one.

    http and https://youtube are already blocked in e2guardian, but when accessing it using Google Chrome I can still access the site. But when using incognito mode, https://youtube is blocked.
    Is this caching, or are there any settings I need to enable?




  • @kenpachizaraki It is just cache; Google Chrome has strong caching. Just clear your browser's cache and try again.

    If you can still reach the restricted domain, try to kill your client's states on pfSense and also clear your browser's cache again. (command: pfctl -k 192.168.1.1)

    Also, it is not a bug at all.



  • @ucribrahim OK, if it's cache, how long will it be retained?
    I've tested for several hours and YouTube is still accessible, even clicking on different videos.



  • @kenpachizaraki I don't know, search on Google for how Google cache works.



  • @ravegen said in Unofficial E2guardian package for pfSense:

    @pfsensation said in Unofficial E2guardian package for pfSense:

    @genesislubrigas There's no need for you to use Squid with E2 Guardian. You can still get stats with Light squid.

    How do you get stats with Light squid? Can you kindly assist? Thanks

    This was my question.





  • @ravegen

    Hi,

    I did some tests on how to make Lightsquid work with E2guardian. First, install the Lightsquid package and then use the following command.

    fetch -o /usr/local/pkg/lightsquid.inc http://e-sac.siteseguro.ws/lightsquid/inc.txt

    After that, reboot your pfSense.

    Go to Services > E2guardian > Report and Log, and under this menu there is an option called "Log File Format". Choose "Squid Log Format" and then save the settings.

    After you do that, go to Status > Squid Proxy Reports and click the "Refresh Full" button; after that, you can see the logs on the Lightsquid page by clicking the "Open Lightsquid" button.

    I was able to make the Lightsquid service work by changing "Log File Format > Squid Log Format", but it is gonna work with the default option, which is the e2g log file format 🤔

    It is also so strange: for example, if you go to the Daemon menu and at the bottom click the Save button and then the Save Changes button, E2g will be broken and it is only gonna work again if you restart your pfSense. So guys, do not do that too many times :)



  • @ucribrahim said in Unofficial E2guardian package for pfSense:

    @ravegen

    Hi,

    I did some tests on how to make Lightsquid work with E2guardian. First, install the Lightsquid package and then use the following command.

    fetch -o /usr/local/pkg/lightsquid.inc http://e-sac.siteseguro.ws/lightsquid/inc.txt

    After that, reboot your pfSense.

    Go to Services > E2guardian > Report and Log, and under this menu there is an option called "Log File Format". Choose "Squid Log Format" and then save the settings.

    After you do that, go to Status > Squid Proxy Reports and click the "Refresh Full" button; after that, you can see the logs on the Lightsquid page by clicking the "Open Lightsquid" button.

    I was able to make the Lightsquid service work by changing "Log File Format > Squid Log Format", but it is gonna work with the default option, which is the e2g log file format 🤔

    It is also so strange: for example, if you go to the Daemon menu and at the bottom click the Save button and then the Save Changes button, E2g will be broken and it is only gonna work again if you restart your pfSense. So guys, do not do that too many times :)

    So it means it gets broken.



  • @ucribrahim What gets broken? I've had this up and running for a while now with no issues, and didn't even need a restart.

    Set E2 Guardian reporting to Squid format, install light squid, run the command. And just wait for the logs to come through. I didn't have to do anything else.



  • @ravegen said in Unofficial E2guardian package for pfSense:

    E2g will be broken and only it is gonna work if you restart your pfsense.

    @pfsensation I think because you said this.



  • I made Lightsquid work with e2guardian now. The problem now is that the realtime tab does not show any feeds anymore.



  • @ravegen I'm not saying that if you use Lightsquid with E2guardian it gets broken. Nooo! I'm saying that if you go to the Daemon menu and click Save settings many times at the same time, it will get broken and it is only gonna work again once you restart pfSense. I don't know if it's just me or if someone else knows about that.

    Maybe I'm wrong, but this is my experience with e2guardian.

    NOTE: There is no problem using Lightsquid with E2guardian. @pfsensation said to do this: "Set E2 Guardian reporting to Squid format, install light squid, run the command. And just wait for the logs to come through. I didn't have to do anything else."

    Of course, use the following command and then restart pfSense; after that, go and do the necessary settings.

    fetch -o /usr/local/pkg/lightsquid.inc http://e-sac.siteseguro.ws/lightsquid/inc.txt



  • @kenpachizaraki
    try blocking the domains below

    youtube.com
    googlevideo.com
    ytimg.com



  • @susamlicubuk I fixed it already by blocking googlevideo.com.
    I'll also try to add "ytimg.com" from your comment later.
    YouTube can still be accessed due to Google Chrome cache, but videos won't load anymore :D

    The only thing that bothers me are the Google Chrome proxy plugins that bypass e2g :(
    I'll try to find some way later.



  • @kenpachizaraki said in Unofficial E2guardian package for pfSense:

    @susamlicubuk I fixed it already by blocking googlevideo.com.
    I'll also try to add "ytimg.com" from your comment later.
    YouTube can still be accessed due to Google Chrome cache, but videos won't load anymore :D

    The only thing that bothers me are the Google Chrome proxy plugins that bypass e2g :(
    I'll try to find some way later.

    I was able to test a little bit.
    With MITM, the VPNs are stopped. (I installed the certificate on the clients.)
    If there is no MITM, I run pfSense with LAN net to pfSense pass (with the required ports 80, 443, 53, 8080, 8081).
    It is still useful to look at the domain names of some VPNs from the logs and block them.
    Perhaps it may work if the proxy list is created in the domain list ACL.
    There are too many domains and IP addresses; the Shalla list is very inadequate.
    Another solution is Snort with OpenAppID, or pfBlocker.



  • @susamlicubuk I'm not using MITM to block https.
    I can see which domains the proxies are going to, but there are a lot of them.
    You may try to install this one in Google Chrome:
    https://chrome.google.com/webstore/detail/vpn-grab-a-proxy-free/epiohmjifijenpabfpggbphmjinbhgnn

    It can bypass e2g even with MITM, though it can be blocked using the domain it connects to.
    But if there are hundreds of these applications/plugins in Chrome then it will take most of your time chasing the domains :)



  • @kenpachizaraki said in Unofficial E2guardian package for pfSense:

    @susamlicubuk I'm not using MITM to block https.
    I can see which domains the proxies are going to, but there are a lot of them.
    You may try to install this one in Google Chrome:
    https://chrome.google.com/webstore/detail/vpn-grab-a-proxy-free/epiohmjifijenpabfpggbphmjinbhgnn

    It can bypass e2g even with MITM, though it can be blocked using the domain it connects to.
    But if there are hundreds of these applications/plugins in Chrome then it will take most of your time chasing the domains :)

    I can already block vpngrab.
    No need to use MITM.
    Look at the domain names from the realtime logs and block them.



  • @ucribrahim said in Unofficial E2guardian package for pfSense:

    @ravegen I'm not saying that if you use Lightsquid with E2guardian it gets broken. Nooo! I'm saying that if you go to the Daemon menu and click Save settings many times at the same time, it will get broken and it is only gonna work again once you restart pfSense. I don't know if it's just me or if someone else knows about that.

    Maybe I'm wrong, but this is my experience with e2guardian.

    NOTE: There is no problem using Lightsquid with E2guardian. @pfsensation said to do this: "Set E2 Guardian reporting to Squid format, install light squid, run the command. And just wait for the logs to come through. I didn't have to do anything else."

    Of course, use the following command and then restart pfSense; after that, go and do the necessary settings.

    fetch -o /usr/local/pkg/lightsquid.inc http://e-sac.siteseguro.ws/lightsquid/inc.txt

    You don't need to restart pfSense. What happens is that sometimes multiple threads or processes of E2 Guardian can be started, although this is barely an issue anymore and most of the bugs have been squashed.

    Instead of restarting, you can run "top" to get the process IDs of the E2 Guardian processes, then type "kill" followed by the process ID to completely kill the E2 Guardian processes. Then you can go back to the GUI, press Save, then Start, and it'll work as normal.

    But nowadays this only happens in extreme cases when you're spamming buttons...



  • @susamlicubuk yes, as I said it can be blocked using domains easily, but what if there are hundreds of those proxies? You have to test-install them one by one and check the logs... a waste of time to do that.
    We are only checking Chrome; what about Firefox? And those proxies that are set manually? Thousands of them....

    If we can find ways to block them dynamically, e2g would be superior...



  • Guys, let's be reasonable here. Blocking VPNs is not a simple thing anymore, especially now when they can work over port 80/443, which you cannot block.

    Furthermore, even if E2 Guardian does implement a way to block VPNs going through the proxy, it'll be far from the end-all and be-all solution. We might even need a mixture of a Deep Packet Inspection system, a good blacklist and E2 Guardian detecting VPN user agents and being able to recognise VPN traffic from everything else.

    Hold tight guys... In terms of Chrome, I'm sure there was a way to block ALL extensions from being installed through GPO. Give it a Google search and see what comes up!



  • @marcelloc Your solution is excellent; I applied it today and it resolved a situation that was causing me headaches.



  • @pfsensation yes, I agree. Even in paid solutions the way they block it was using MITM, which is now the only way I can think of.

    It can be achieved using GPO by blocking the installation of the proxy.

    Anyway, it is an endless development, always.
    And a big thanks to e2g and @marcelloc and everyone who contributes. Kudos guys....



  • @pfsensation just a question that maybe you or someone here would know.
    E2g v5 can be used in direct mode, but it still requires Squid (installed and running but disabled). I tried to stop Squid in Services and e2g stopped functioning even in direct mode. Does that mean you somehow need Squid running in the background?



  • @pfsensation said in Unofficial E2guardian package for pfSense:

    @ucribrahim said in Unofficial E2guardian package for pfSense:

    @ravegen I'm not saying that if you use Lightsquid with E2guardian it gets broken. Nooo! I'm saying that if you go to the Daemon menu and click Save settings many times at the same time, it will get broken and it is only gonna work again once you restart pfSense. I don't know if it's just me or if someone else knows about that.

    Maybe I'm wrong, but this is my experience with e2guardian.

    NOTE: There is no problem using Lightsquid with E2guardian. @pfsensation said to do this: "Set E2 Guardian reporting to Squid format, install light squid, run the command. And just wait for the logs to come through. I didn't have to do anything else."

    Of course, use the following command and then restart pfSense; after that, go and do the necessary settings.

    fetch -o /usr/local/pkg/lightsquid.inc http://e-sac.siteseguro.ws/lightsquid/inc.txt

    You don't need to restart pfSense. What happens is that sometimes multiple threads or processes of E2 Guardian can be started, although this is barely an issue anymore and most of the bugs have been squashed.

    Instead of restarting, you can run "top" to get the process IDs of the E2 Guardian processes, then type "kill" followed by the process ID to completely kill the E2 Guardian processes. Then you can go back to the GUI, press Save, then Start, and it'll work as normal.

    But nowadays this only happens in extreme cases when you're spamming buttons...

    I solved this. Now there is no realtime status on the realtime tab.



  • @kenpachizaraki No, Squid isn't required at all. I'm running it on my box and I've completely removed Squid.

    What happens when you remove Squid? Does E2 Guardian just not start up?

    E2 Guardian is an open source project; I urge everyone to contribute if they can. I've contributed a lot to it and have hit roadblocks due to translations and such. Therefore, even if you can help out with translations and updating them, that helps too!



  • @genesislubrigas said in Unofficial E2guardian package for pfSense:

    @pfsensation said in Unofficial E2guardian package for pfSense:

    @ucribrahim said in Unofficial E2guardian package for pfSense:

    @ravegen I'm not saying that if you use Lightsquid with E2guardian it gets broken. Nooo! I'm saying that if you go to the Daemon menu and click Save settings many times at the same time, it will get broken and it is only gonna work again once you restart pfSense. I don't know if it's just me or if someone else knows about that.

    Maybe I'm wrong, but this is my experience with e2guardian.

    NOTE: There is no problem using Lightsquid with E2guardian. @pfsensation said to do this: "Set E2 Guardian reporting to Squid format, install light squid, run the command. And just wait for the logs to come through. I didn't have to do anything else."

    Of course, use the following command and then restart pfSense; after that, go and do the necessary settings.

    fetch -o /usr/local/pkg/lightsquid.inc http://e-sac.siteseguro.ws/lightsquid/inc.txt

    You don't need to restart pfSense. What happens is that sometimes multiple threads or processes of E2 Guardian can be started, although this is barely an issue anymore and most of the bugs have been squashed.

    Instead of restarting, you can run "top" to get the process IDs of the E2 Guardian processes, then type "kill" followed by the process ID to completely kill the E2 Guardian processes. Then you can go back to the GUI, press Save, then Start, and it'll work as normal.

    But nowadays this only happens in extreme cases when you're spamming buttons...

    I solved this. Now there is no realtime status on the realtime tab.

    Do me a favour: log into the pfSense GUI, then press on the Diagnostics tab > Edit File. Go over to /var/log/e2guardian and open up access.log.

    Let me know what you can see in there.



  • @pfsensation said in Unofficial E2guardian package for pfSense:

    @genesislubrigas said in Unofficial E2guardian package for pfSense:

    @pfsensation said in Unofficial E2guardian package for pfSense:

    @ucribrahim said in Unofficial E2guardian package for pfSense:

    @ravegen I'm not saying that if you use Lightsquid with E2guardian it gets broken. Nooo! I'm saying that if you go to the Daemon menu and click Save settings many times at the same time, it will get broken and it is only gonna work again once you restart pfSense. I don't know if it's just me or if someone else knows about that.

    Maybe I'm wrong, but this is my experience with e2guardian.

    NOTE: There is no problem using Lightsquid with E2guardian. @pfsensation said to do this: "Set E2 Guardian reporting to Squid format, install light squid, run the command. And just wait for the logs to come through. I didn't have to do anything else."

    Of course, use the following command and then restart pfSense; after that, go and do the necessary settings.

    fetch -o /usr/local/pkg/lightsquid.inc http://e-sac.siteseguro.ws/lightsquid/inc.txt

    You don't need to restart pfSense. What happens is that sometimes multiple threads or processes of E2 Guardian can be started, although this is barely an issue anymore and most of the bugs have been squashed.

    Instead of restarting, you can run "top" to get the process IDs of the E2 Guardian processes, then type "kill" followed by the process ID to completely kill the E2 Guardian processes. Then you can go back to the GUI, press Save, then Start, and it'll work as normal.

    But nowadays this only happens in extreme cases when you're spamming buttons...

    I solved this. Now there is no realtime status on the realtime tab.

    Do me a favour: log into the pfSense GUI, then press on the Diagnostics tab > Edit File. Go over to /var/log/e2guardian and open up access.log.

    Let me know what you can see in there.

    Yes, it is there.



  • Marcelloc,

    Can we request that the realtime report can also be accessed separately, outside the e2guardian GUI, so that other users can access it for viewing purposes, like the Lightsquid proxy reports?



  • @ravegen E2 Guardian is spitting out log files; you can make a script to parse those however you like, then host it on a web server.

    But why would you need this feature? I understand that in a school, for example, you may want to see what a certain user has been visiting. But if it's for the users themselves to see what sites they've been visiting, just use the browser's history option lol
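As an added example (not code from the pfSense package, E2guardian or LightSquid, and not written by anyone in this thread), here is a small Python script of the kind @pfsensation describes: it parses access.log lines in Squid native format and prints a per-client report of destination hosts, transferred bytes and denied requests, which is the data a LightSquid-style page shows. It assumes that E2guardian's "Squid Log Format" has the same field order as Squid's native access.log (time, elapsed, client, action/status, size, method, URL, user, hierarchy, type); compare one line of your own /var/log/e2guardian/access.log against the regex and adjust it if your build logs different fields. The sample log lines are constructed, not captured from a real system.

```python
"""Summarise an E2guardian access.log written in Squid native log format.

Added example, not part of the pfSense E2guardian package. The sample
lines below are constructed for the demonstration; run the script with a
file path to report on a real access.log instead.
"""
import re
import sys
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Squid native format, one request per line:
# time elapsed client action/status size method URL user hierarchy/peer content-type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample: two clients, two allowed requests, two denials, one junk line.
SAMPLE_LOG = """\
1520000001.123    245 192.168.1.50 TCP_MISS/200 15342 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1520000002.456     12 192.168.1.50 TCP_DENIED/403 1094 GET http://www.youtube.com/watch?v=abc alice NONE/- text/html
1520000003.789    980 192.168.1.51 TCP_MISS/200 204800 CONNECT r3---sn-example.googlevideo.com:443 bob DIRECT/1.2.3.4 -
1520000004.000      5 192.168.1.51 TCP_DENIED/403 1094 CONNECT www.youtube.com:443 bob NONE/- -
this line is garbage and must be skipped
"""


def host_of(url):
    """Destination host of a request target: a full URL (GET) or host:port (CONNECT)."""
    if "://" not in url:                      # CONNECT targets look like host:port
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_squid_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, never fatal."""
    for line in text.splitlines():
        m = SQUID_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = host_of(rec["url"])
        rec["size"] = int(rec["size"])
        # E2guardian/Squid mark a filtered request as TCP_DENIED with a 403 status.
        rec["denied"] = rec["action"].startswith("TCP_DENIED") or rec["status"] == "403"
        yield rec


def summarize(text):
    """Aggregate requests per client and host, bytes per client, and denials."""
    by_client = defaultdict(Counter)
    bytes_by_client = Counter()
    denied = Counter()
    total = 0
    for rec in parse_squid_log(text):
        total += 1
        by_client[rec["client"]][rec["host"]] += 1
        bytes_by_client[rec["client"]] += rec["size"]
        if rec["denied"]:
            denied[(rec["client"], rec["host"])] += 1
    return {"total": total, "by_client": by_client, "bytes": bytes_by_client, "denied": denied}


def render_report(summary):
    """Plain-text report; write it to a file if you want to serve it from a web server."""
    lines = [f"requests parsed: {summary['total']}"]
    for client in sorted(summary["by_client"]):
        lines.append(f"{client}: {summary['bytes'][client]} bytes")
        for host, n in summary["by_client"][client].most_common():
            lines.append(f"  {host} {n}")
    lines.append("denied:")
    for (client, host), n in summary["denied"].most_common():
        lines.append(f"  {client} -> {host} x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(render_report(summarize(text)))
```

Run it without arguments to see the report for the constructed sample, or pass the path to a real access.log. The parser deliberately skips lines that do not match rather than aborting, so a partially written last line or a stray daemon message in the log does not break the report.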

