Unofficial E2guardian package for pfSense
-
@Marcelloc, I'm having problems with Regex for enforcing Youtube Restricted. Do you use this on your network? Anyone else here using it? It seemed to be working fine on 4.1, but on v5, that's stopped working. I've yet to pin down if its a change Youtube made on their end or if its E2G for sure.
The below is what I'm using for YouTube:
# Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" #
I did the test right now and it worked fine. I've setup this under acl -> site lists -> SSL Regex
the resulting file is unde /usr/local/etc/e2guardian/lists/sslsiteregexplist.g_your_group
Tested without transparent mode with ssl filter and ssl interception as well.
Safe search under Modify URL List is working too
Strange, I've verified that the file exists and has the correct contents but it didn't seem to work for me. I've just tried to explicitly set the browser to use the proxy again. E2 Guardian is definitely intercepting the traffic as it is giving out the fake cert to YouTube. However, at least on the desktop version of YouTube, restricted mode isn't working. I'm only using the ssl regex, no modify URL. Also, if it helps, I've got YouTube restricted in a separate group for ease of use.
-
I'll test at home too with virtual machines.
-
I'll test at home too with virtual machines.
Awesome, let me know how it goes. I'm quite confident that I do have everything correctly configured networking wise, the VM I'm testing from is directly connected to my pfSense LAN switch. I've even tried testing from a few physical PC's but it shouldn't make a difference. I run my home virtualised now for ease of use.
While typing this, I've just tried to apply the policy to my mobile and it worked!! Strange, it seems that its not working with the desktop page anymore. I have even confirmed that the URLs I'm rewriting via E2 Guardian is up to date. We're definitely making slow but steady progress on getting to the bottom of this. I'd say that the problem is not E2guardian but it definitely was working on 4.1 although I tested while back.
-
Awesome, let me know how it goes.
It's working at home too. I have IP authentication enabled, site SSL REGEX and URL MODIFY for all search engines enabled.
Tested with ssl filter and with interception only.
-
Package version 5.0.1_4 includes main changes needed to v5 config changes but it still need more work until full config update.
There is new combo box under group definition to select group type.
Ldap integration for group alcs is fixed too.![group type.PNG](/public/imported_attachments/1/group type.PNG)
![group type.PNG_thumb](/public/imported_attachments/1/group type.PNG_thumb) -
Dear friends I have read 42 page feedback, would not it be better if more people test it if you have a quick start guide on this topic? If you make a short video, everyone does not have as much information as you
-
I have this screencast cast showing e2guardian options. It's in Portuguese but I think it will help you.
http://sys-squad.com/licao/259
-
Thank you
-
Hi Marcello,
E2Guardian need to be squid
not working alone
-
It works with and without squid. Check your config on GUI, select direct mode under daemon tab. Save and apply.
A good clue on what is going wrong is running daemon on console to see it's complaint.
E2guardian -QN -
Hi Marcello,
I ran the system and now I'm doing some tests. When I close the machine and open it, I get this error. services are all started
2. Responsibility is how to redirect https: sites to the block page.Mar 31 10:05:24 php-cgi rc.bootup: [E2guardian] Installed but not started. Not installing 'nat' rules.
Mar 31 10:05:24 kernel pflog0: promiscuous mode enabled
-
I have this screencast cast showing e2guardian options. It's in Portuguese but I think it will help you.
http://sys-squad.com/licao/259
It returns to http://sys-squad.com/login refardless of my understanding portuguese or not ;)
Not that i am not new/familar with e2guardian and dansguardian, but have used it on another firewall solution.
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
-
Awesome, let me know how it goes.
It's working at home too. I have IP authentication enabled, site SSL REGEX and URL MODIFY for all search engines enabled.
Tested with ssl filter and with interception only.
Hmm… Interesting. I have tried with the exact same settings but have been unable to get it working. However, keep in mind that I am using Squid as a upstream proxy. In 4.x I was able to just use SSL Regex and force a group of users onto Youtube Restricted mode. Do you have any idea what it could be? It seems weird. When I try from a mobile and go to m.youtube.com it works after sometime, however it can be bypassed by going incognito. There must be something that broke after the update, it's just not working as well as it used to.
Do you have any suggestions? @Marcelloc
-
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.
-
must be something that broke after the update, it's just not working as well as it used to.
Do you have any suggestions? @Marcelloc
Something that I see that changes test results are browsers cache. I guess you can reopen the ticket on e2guardian project to see what developers suggest.
-
http://sys-squad.com/licao/259
It returns to http://sys-squad.com/login refardless of my understanding portuguese or not ;)
The site asks for a register even for free screencasts. It could be translated by the browser or use Facebook or Goole authentication.
-
must be something that broke after the update, it's just not working as well as it used to.
Do you have any suggestions? @Marcelloc
Something that I see that changes test results are browsers cache. I guess you can reopen the ticket on e2guardian project to see what developers suggest.
Re-opened, let's see what they say. It's strange though, you managed to get it working. But I tried with both Chrome and IE, no joy. I even tried messing with setting up the proxy explicitly but it still doesn't work. Even though the client is getting the fake cert.
-
Try with clients on a specific group and on default group.
I'm seeing that some config works better out of default group.If you can, test unrestricted an deny all group mode to see if it's working fine.
-
Try with clients on a specific group and on default group.
I'm seeing that some config works better out of default group.If you can, test unrestricted an deny all group mode to see if it's working fine.
I'm testing Youtube restricted with a specific group, I can't enable the restricted mode on the default group as that would drive all the adults crazy. Anything other than cartoons, or kiddy videos will be blocked on Youtube xD
If it is working for you on the default group. It maybe a problem with the pfSense package and the v5 configuration updates. I have re-opened the issue on Github on the official repo. Let's see what Philip/Frederic come up with.
Thanks for all your hard work Marcello!
-
A question is that a long time a go when dansguardian still was maintained is ident on each client and different lists, is this possible today?
Weak but possible. If you have control on what runs on client because protocol answers can be easily forged by most ident client.
When i come home tomorrow i will enable e2guardian and see and upgrade pfsense too.