Unofficial E2guardian package for pfSense
-
I have another question about the bypass list in e2guardian.
Why are there some sites that, even if you put them in the exception list in the ACL, still do not work or are inaccessible, so that you need to put them in the bypass list?
Why is that? What is wrong with those sites?
-
@ravegen said in Unofficial E2guardian package for pfSense:
I have another question about the bypass list in e2guardian.
Why are there some sites that, even if you put them in the exception list in the ACL, still do not work or are inaccessible, so that you need to put them in the bypass list?
Why is that? What is wrong with those sites?
What sites? How are you accessing those sites? What's the error log?
-
Some of our government sites. I am accessing them through browsers and there is no error shown in the log.
-
@ravegen said in Unofficial E2guardian package for pfSense:
Some of our government sites. I am accessing them through browsers and there is no error shown in the log.
Must be a config issue, if it's through a browser it should always work as long as the CA is installed. What about the real time access.log? What does that show?
-
@pfsensation said in Unofficial E2guardian package for pfSense:
@ravegen said in Unofficial E2guardian package for pfSense:
Some of our government sites. I am accessing them through browsers and there is no error shown in the log.
Must be a config issue, if it's through a browser it should always work as long as the CA is installed. What about the real time access.log? What does that show?
What do you mean by config issue?
The real time log does not show any block on a particular site or URL.
-
@ravegen said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
@ravegen said in Unofficial E2guardian package for pfSense:
Some of our government sites. I am accessing them through browsers and there is no error shown in the log.
Must be a config issue, if it's through a browser it should always work as long as the CA is installed. What about the real time access.log? What does that show?
What do you mean by config issue?
The real time log does not show any block on a particular site or URL.
So you mean the sites that don't work for you don't show up on the access log (real time log) at all? If E2 Guardian is blocking it, it will always show up on there. If it's not, your issue is definitely elsewhere.
But if possible provide those URLs so I can test from my side. As far as I'm aware, all sites should work through browser as long as your ACL allows it.
-
@pfsensation said in Unofficial E2guardian package for pfSense:
@ravegen said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
@ravegen said in Unofficial E2guardian package for pfSense:
Some of our government sites. I am accessing them through browsers and there is no error shown in the log.
Must be a config issue, if it's through a browser it should always work as long as the CA is installed. What about the real time access.log? What does that show?
What do you mean by config issue?
The real time log does not show any block on a particular site or URL.
So you mean the sites that don't work for you don't show up on the access log (real time log) at all? If E2 Guardian is blocking it, it will always show up on there. If it's not, your issue is definitely elsewhere.
But if possible provide those URLs so I can test from my side. As far as I'm aware, all sites should work through browser as long as your ACL allows it.
Yes, the website doesn't load, doesn't show any e2guardian block error page, and doesn't show any error on the realtime access log.
But my user says that when she accesses the website at her house with her own internet connection, she can access the site without a problem.
So what I just did was make an alias for it and put that on bypass and that solved the problem.
Although it solves the problem, I still want to know why it is not accessible with the pfSense firewall but is accessible from her house. I already checked the firewall rules and no rule in particular blocks such websites.
I have Snort running, but my Snort's purpose is blocking malware, and the Snort block report does not show any IP address related to those sites that failed to load or had errors loading.
I ONLY have the firewall, e2guardian and Snort running on my pfSense. I don't use pfBlocker or any other.
I do use Google DNS, Cloudflare DNS and OpenDNS for my firewall DNS, which my LAN and guest use.
-
@ravegen Have you ever tried entering the website that you are trying to access into the "Bypass for these destination ips" field in the E2guardian Daemon menu? If yes, that means something else blocks it (maybe Squid, if there is one). Let me know after you do that.
-
And nothing is showing up in Snort?
Snort needs tweaking to work, as you get a lot of false positive alerts.
-
Now that you've mentioned Snort, that could be it. It's known for over blocking until you tweak it.
When you bypass those URLs, Snort now sees them as coming from the LAN rather than the loopback interface.
Either way, it's unlikely that it's E2 Guardian blocking the site if the user gets no block page, and nothing shows up on the access log.
-
@pfsensation said in Unofficial E2guardian package for pfSense:
@marcelloc I had a look, it looks like e2guardian isn't defined in /etc/inc/service-utils.inc. I attempted to manually define it but wasn't too sure of the parameters. Can you shed some light?
Were you able to fix this? I have had crashes at least twice daily and pfSense stops all internet even though it's connected and has a valid WAN IP. Only fix is to reboot the box.
I shut down e2 and wpad till there is a permanent fix to this.
-
@pfsensation said in Unofficial E2guardian package for pfSense:
@marcelloc I had a look, it looks like e2guardian isn't defined in /etc/inc/service-utils.inc. I attempted to manually define it but wasn't too sure of the parameters. Can you shed some light?
@pfsensation is this resolved already? I will be deploying e2g tomorrow; I don't want to have an issue with pfSense crashing.
-
@kenpachizaraki said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
@marcelloc I had a look, it looks like e2guardian isn't defined in /etc/inc/service-utils.inc. I attempted to manually define it but wasn't too sure of the parameters. Can you shed some light?
@pfsensation is this resolved already? I will be deploying e2g tomorrow; I don't want to have an issue with pfSense crashing.
On your production system, don't upgrade to 2.4.4 yet. I still haven't been able to resolve that log rotation issue. For me it just crashes E2 Guardian once a day and it restarts itself. Barely even notice it but nevertheless it's still an issue.
Going to have to wait for @marcelloc to have a look at this. I tried some fixes but my knowledge of the inner workings of pfsense packages isn't great.
-
@pfsensation said in Unofficial E2guardian package for pfSense:
Now that you've mentioned Snort, that could be it. It's known for over blocking until you tweak it.
When you bypass those URLs, Snort now sees them as coming from the LAN rather than the loopback interface.
Either way, it's unlikely that it's E2 Guardian blocking the site if the user gets no block page, and nothing shows up on the access log.
What do you mean tweak? What to tweak?
-
@ravegen said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
Now that you've mentioned Snort, that could be it. It's known for over blocking until you tweak it.
When you bypass those URLs, Snort now sees them as coming from the LAN rather than the loopback interface.
Either way, it's unlikely that it's E2 Guardian blocking the site if the user gets no block page, and nothing shows up on the access log.
What do you mean tweak? What to tweak?
Snort. It's unlikely that E2 Guardian is blocking anything here as you get nothing appearing on the log.
-
@pfsensation said in Unofficial E2guardian package for pfSense:
@ravegen said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
Now that you've mentioned Snort, that could be it. It's known for over blocking until you tweak it.
When you bypass those URLs, Snort now sees them as coming from the LAN rather than the loopback interface.
Either way, it's unlikely that it's E2 Guardian blocking the site if the user gets no block page, and nothing shows up on the access log.
What do you mean tweak? What to tweak?
Snort. It's unlikely that E2 Guardian is blocking anything here as you get nothing appearing on the log.
I have little knowledge of Snort; however, I have configured it against malware, VPNs and proxies pretty well, but I am not sure what config I need to tweak or check that caused the problem I encountered.
-
Snort inspects HTTP/HTTPS traffic; that's why you will see some kind of (http_inspect) alert in your Snort log. And if it gets in the log without suppressing the rule, it blocks access depending on source/destination. This is called tweaking, if you read about Snort; (http_inspect) has no rules.
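A way to check the post above against an alert log, added here as an example that is not part of the original thread: it lists preprocessor alerts such as (http_inspect) that involve the failing site's IP address and renders host-scoped `suppress` lines for review. The sample log lines, the IP addresses and the use of Snort's "fast" alert format are assumptions; adjust the pattern if your alert file uses a different layout.

```python
import re
from collections import Counter

# Constructed sample in Snort's "fast" alert format (not from the thread).
# 203.0.113.10 is a placeholder for the site that fails to load.
SAMPLE_ALERTS = """\
10/02-09:14:07.123456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.25:51844
10/02-09:14:09.654321  [**] [1:1000001:1] LOCAL constructed text rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.40:50211 -> 198.51.100.7:443
10/02-09:15:30.000111  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.25:51850 -> 203.0.113.10:80
10/02-09:15:31.000222  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.25:51851
"""

# [gid:sid:rev] message, then "{PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)


def alerts_for_host(log_text, host_ip):
    """Return parsed alerts whose source or destination is host_ip."""
    hits = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m and host_ip in (m["src"], m["dst"]):
            hits.append(m.groupdict())
    return hits


def suppress_candidates(alerts, host_ip):
    """Count preprocessor alerts (gid != 1, e.g. http_inspect) for host_ip and
    render host-scoped suppress lines for an administrator to review."""
    counts = Counter()
    for a in alerts:
        if a["gid"] == "1":  # text-rule alert: tune the rule itself instead
            continue
        track = "by_src" if a["src"] == host_ip else "by_dst"
        counts[(a["gid"], a["sid"], track)] += 1
    return [
        (f"suppress gen_id {g}, sig_id {s}, track {t}, ip {host_ip}", n)
        for (g, s, t), n in counts.most_common()
    ]


if __name__ == "__main__":
    site = "203.0.113.10"
    for line, n in suppress_candidates(alerts_for_host(SAMPLE_ALERTS, site), site):
        print(f"{n} alert(s): {line}")
```

Scoping each entry with `track ... ip` keeps the preprocessor event active for every other host, so only the one destination under investigation is exempted.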
-
@ravegen said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
@ravegen said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
Now that you've mentioned Snort, that could be it. It's known for over blocking until you tweak it.
When you bypass those URLs, Snort now sees them as coming from the LAN rather than the loopback interface.
Either way, it's unlikely that it's E2 Guardian blocking the site if the user gets no block page, and nothing shows up on the access log.
What do you mean tweak? What to tweak?
Snort. It's unlikely that E2 Guardian is blocking anything here as you get nothing appearing on the log.
I have little knowledge of Snort; however, I have configured it against malware, VPNs and proxies pretty well, but I am not sure what config I need to tweak or check that caused the problem I encountered.
Just do us all a favour, disable Snort temporarily. Test if the sites work and you'll have your answer. But I'm telling you now, if it's e2guardian blocking it'll always show up on the log.
-
Any kind-hearted soul have a pfSense 2.4.1 memstick ISO installer?
I haven't found any download for that specific version. Can someone share it? :)
-
@pfsensation said in Unofficial E2guardian package for pfSense:
@ravegen said in Unofficial E2guardian package for pfSense:
@pfsensation said in Unofficial E2guardian package for pfSense:
Now that you've mentioned Snort, that could be it. It's known for over blocking until you tweak it.
When you bypass those URLs, Snort now sees them as coming from the LAN rather than the loopback interface.
Either way, it's unlikely that it's E2 Guardian blocking the site if the user gets no block page, and nothing shows up on the access log.
What do you mean tweak? What to tweak?
Snort. It's unlikely that E2 Guardian is blocking anything here as you get nothing appearing on the log.
If it is Snort causing the problem and/or blocking the site/URL, then I can also check that on the Block tab of Snort and check the IP address where it came from. But the Block tab also shows nothing in Snort.