HAVP without Squid. Does not block anything



  • I have PFSense v1.2.3 running with WAN, LAN and OPT interfaces. I have snort v2.8.6.1 installed and running fine. I am now trying to get HAVP installed without Squid.

    HAVP installed with no errors. I have updated the ClamAV databases and have configured HAVP as follows:

    HTTP Proxy page
        Enable - checked
        Proxy Mode - Transparent
        Proxy Interface(s) - LAN, OPT
        Proxy Port - 3125
        Block file if error scanning - checked
        Enable RAM disk - checked
        Scan max file size - 2500 K
        Scan Images - checked
        Scan media stream - checked
        Log and Syslog - checked

    The General page shows both the HTTP Antivirus proxy as well as the Antivirus Server as running. I can restart the Proxy just fine.

    Here is what is in the System Log when I restart the proxy service:

    
    Feb 18 07:50:54 	havp[20650]: Process ID: 20650
    Feb 18 07:50:54 	havp[20649]: --- All scanners initialized
    Feb 18 07:50:54 	havp[20649]: Clamd Socket Scanner passed EICAR virus test (Eicar-Test-Signature)
    Feb 18 07:50:54 	havp[20649]: --- Initializing Clamd Socket Scanner
    Feb 18 07:50:54 	havp[20649]: Use transparent proxy mode
    Feb 18 07:50:54 	havp[20649]: Running as user: havp, group: havp
    Feb 18 07:50:54 	havp[20649]: === Mandatory locking disabled! KEEPBACK settings not used!
    Feb 18 07:50:54 	havp[20649]: === Starting HAVP Version: 0.91
    
    

    My understanding of the Transparent mode is "all 'http' requests on interface(s) will be translated to the HAVP proxy server without any client(s) additional configuration necessary". So, I should be able to browse as usual from my computers on the LAN without configuring any special proxy settings on my browsers. Is this true?

    Now, when I launch a browser on my PC and browse to the EICAR test page, I am able to download the EICAR .com and .zip files just fine (the AV on my PC catches them after they are downloaded and deletes them). HAVP doesn't see them and nothing gets logged in the pfSense System Logs.

    What am I doing wrong? Please help me get HAVP working without Squid. Also, I would really like to not have to configure proxy settings on my PCs - mainly because I run many applications that don't have proxy settings and so, don't play nice with proxy servers.

    Thanks,
    MediocreFred.



  • What is in this section of /tmp/rules.debug?

    
    # havp proxy ifaces redirect
    
    


  • Thanks for the quick response. Here's the relevant section from /tmp/rules.debug:

    
    # havp proxy ifaces redirect
    rdr on em1 proto tcp from any to !(em1) port 80 -> lo0 port 3125
    rdr on em1 proto tcp from any to (em1) port 3125 -> lo0 port 3125
    rdr on em3 proto tcp from any to !(em3) port 80 -> lo0 port 3125
    rdr on em3 proto tcp from any to (em3) port 3125 -> lo0 port 3125
    
    

    There is also this related section:

    
    # havp proxy ifaces rules
    pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
    pass in quick on em3 proto tcp from any to !(em3) port 80 flags S/SA keep state
    
    

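The four rdr lines above are what decide whether a connection ever reaches HAVP, so it is worth being precise about what they do and do not catch. The following is an added example, not code from the thread or from the pfSense/HAVP packages: a small model of those exact rules, with pf(4) semantics as I understand them (a rdr rule applies to TCP arriving inbound on the named interface, `(em1)` expands to the interface's own address, `!(em1)` to any other destination, first match wins). The interface addresses in `IFACE_ADDR` are hypothetical; the thread does not give them.

```python
"""Added example (not from the thread): model the pf rdr rules pfSense writes
to /tmp/rules.debug for HAVP's transparent mode and ask which connections
they actually send to the proxy.

Assumed pf(4) semantics: a rdr rule matches TCP arriving inbound on the named
interface; "(em1)" is the interface's own address, "!(em1)" anything else;
the first matching rdr rule wins.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The redirect section pasted in the thread.
RULES_DEBUG = """\
# havp proxy ifaces redirect
rdr on em1 proto tcp from any to !(em1) port 80 -> lo0 port 3125
rdr on em1 proto tcp from any to (em1) port 3125 -> lo0 port 3125
rdr on em3 proto tcp from any to !(em3) port 80 -> lo0 port 3125
rdr on em3 proto tcp from any to (em3) port 3125 -> lo0 port 3125
"""

# Hypothetical interface addresses (assumption; the thread gives none).
IFACE_ADDR = {"em1": "192.168.1.1", "em3": "192.168.2.1"}

RDR_RE = re.compile(
    r"rdr on (?P<iface>\S+) proto tcp from any to "
    r"(?P<neg>!?)\((?P<ifref>\S+)\) port (?P<dport>\d+) "
    r"-> (?P<to>\S+) port (?P<toport>\d+)$"
)


@dataclass
class RdrRule:
    iface: str          # interface the packet must arrive on
    negate_self: bool   # True for "!(iface)": any destination but the firewall
    dport: int          # destination port the rule matches
    target: str         # rewritten destination address (lo0 here)
    target_port: int    # rewritten destination port (HAVP's 3125)

    def matches(self, iface: str, dst_ip: str, dst_port: int) -> bool:
        if iface != self.iface or dst_port != self.dport:
            return False
        to_self = dst_ip == IFACE_ADDR[self.iface]
        return (not to_self) if self.negate_self else to_self


def parse_rules(text: str) -> List[RdrRule]:
    """Parse the rdr lines of a rules.debug fragment; comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append(RdrRule(m["iface"], m["neg"] == "!", int(m["dport"]),
                                 m["to"], int(m["toport"])))
    return rules


def redirect_target(rules: List[RdrRule], iface: str, dst_ip: str,
                    dst_port: int) -> Optional[Tuple[str, int]]:
    """Where pf would send this inbound TCP connection, or None if untouched."""
    for r in rules:
        if r.matches(iface, dst_ip, dst_port):
            return (r.target, r.target_port)
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_DEBUG)
    cases = [
        ("em1", "93.184.216.34", 80),    # LAN client -> web site on port 80
        ("em1", "93.184.216.34", 443),   # same site over HTTPS
        ("em1", "192.168.1.1", 80),      # LAN client -> pfSense webGUI
        ("em1", "192.168.1.1", 3125),    # LAN client -> proxy port directly
        ("em0", "93.184.216.34", 80),    # arriving on WAN: no rule at all
    ]
    for iface, ip, port in cases:
        print(iface, ip, port, "->", redirect_target(rules, iface, ip, port))
```

Two things the model makes visible: only TCP/80 arriving on em1 or em3 is redirected, so HTTPS downloads and anything on another port pass HAVP untouched and never appear in access.log, and connections to the firewall's own address on port 80 are deliberately excluded so the webGUI stays reachable. On the box itself, `pfctl -s nat` shows whether these rdr rules are actually loaded and `pfctl -s state` shows whether any connection is currently being rewritten to lo0:3125; an empty access.log with the rules loaded means traffic is not entering on those interfaces as expected.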

  • Hm.. all right.
    If your interfaces are not bridged, it must work.

    The file /var/log/havp/access.log contains the last client requests. Please check what is in this file.



  • The access.log file is empty. I tried loading a few pages in my browser including the eicar page and initiated a download of the eicar after clearing my browser cache. Went back and looked at the access.log. Still Nothing.

    Please let me know where to look next.

    Thanks.




  • Please set up the proxy settings in your browser and test whether it works that way.



  • I have tried everything I can think of -
    1. Uninstalled and reinstalled havp from the UI.
    2. Used pkg_delete to delete havp, clamav and arj.
    3. Reinstalled havp using pkg_add using the following -

       ```
       pkg_add -r havp http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/havp.tbz
       ```

       This appears to install newer versions of havp, clamav and arj; however, I don't see any way to configure this using the PFSense UI. No idea what is involved in configuring this manually.
    4. Reinstalled havp from the pfsense package manager.
    5. Changed the Proxy mode to "Standard". Set the port to "8080". On my PC, I set the proxy settings in Internet Explorer to the IP address of pfsense and port 8080. Can't access the internet at all with this proxy setting.

    However, nothing gets logged in either /var/log/havp/access.log or /var/log/havp/havp.log.

    What am I doing wrong? I would really like to get this working.

    Thanks.


  • Oddly I have always been able to download those files on my setup and nothing ever gets logged to the files in /var/log/havp but I know it does some good as I find quite a few of this type of message on the syslog server.

    havp[49826]: 172.31.225.226 GET 301 http://www.themoscowtimes.com/news/article/police-upgrade-web-site-ahead-of-reforms/431422.html 901+28129 VIRUS Clamd: Exploit.JS.CVE-2006-1359

    PLEASE DO NOT CHECK THAT URL UNLESS YOUR ANTI-VIRUS IS UP TO DATE.
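When access.log stays empty but detections do show up in syslog, the syslog stream is the place to look. The following is an added example, not from the thread or from HAVP: it pulls virus verdicts out of HAVP syslog lines shaped like the one quoted above. The field layout (client, method, status, URL, request+response bytes, verdict, then `scanner: signature` on a VIRUS line) is inferred from that single line and is an assumption; if your havp.config uses a different LOG template, adjust the regex. The sample log is constructed: the first line is the one from the post, the other three are made up.

```python
"""Added example (not from the thread): extract virus detections from HAVP
syslog lines and summarise them per client.

Field layout assumed from the one line quoted in the thread:
  client METHOD status URL request_bytes+response_bytes VERDICT [scanner: signature]
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: line 1 is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
Feb 18 09:12:01 fw havp[49826]: 172.31.225.226 GET 301 http://www.themoscowtimes.com/news/article/police-upgrade-web-site-ahead-of-reforms/431422.html 901+28129 VIRUS Clamd: Exploit.JS.CVE-2006-1359
Feb 18 09:12:05 fw havp[49826]: 192.168.1.20 GET 200 http://example.com/index.html 410+5120 OK
Feb 18 09:12:09 fw havp[49826]: 192.168.1.20 GET 200 http://example.com/download/eicar.com 392+68 VIRUS Clamd: Eicar-Test-Signature
Feb 18 09:12:12 fw havp[49826]: 192.168.1.31 POST 200 http://example.com/upload 12000+300 OK
"""

# Anchored on "havp[pid]:" so any syslog prefix (timestamp, host) is tolerated.
LINE_RE = re.compile(
    r"havp\[(?P<pid>\d+)\]: (?P<client>\S+) (?P<method>[A-Z]+) (?P<status>\d+) "
    r"(?P<url>\S+) (?P<req>\d+)\+(?P<resp>\d+) (?P<verdict>OK|VIRUS)"
    r"(?: (?P<scanner>\S+): (?P<signature>.+))?$"
)


@dataclass
class Detection:
    client: str
    url: str
    scanner: str
    signature: str
    response_bytes: int   # size of the object HAVP had scanned when it blocked


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one HAVP syslog line, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    return m.groupdict() if m else None


def detections(log_text: str) -> List[Detection]:
    """All VIRUS verdicts in the log, in order of appearance."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"] == "VIRUS":
            found.append(Detection(rec["client"], rec["url"], rec["scanner"],
                                   rec["signature"], int(rec["resp"])))
    return found


def clients_with_hits(log_text: str) -> Dict[str, int]:
    """Per-client count of blocked objects, a quick triage list for the LAN."""
    counts: Dict[str, int] = {}
    for d in detections(log_text):
        counts[d.client] = counts.get(d.client, 0) + 1
    return counts


if __name__ == "__main__":
    for d in detections(SAMPLE_LOG):
        print(f"{d.client} {d.scanner}:{d.signature} {d.url}")
    print(clients_with_hits(SAMPLE_LOG))
```

A line that is present in syslog but carries an OK verdict still proves the client's traffic went through the proxy, which is the first thing to establish when transparent mode appears to do nothing; no havp lines at all means the rdr rules are not catching the traffic rather than the scanner missing the file.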



  • Hi, just following up on whether this was resolved…

    I just reinstalled pfsense (on a new box) and have run into the same exact situation.

    any hints or pointers are much appreciated.



  • Just blew the box away and installed 2.0 RC1, and I'm seeing the same behavior.



  • Weird, but rebooting the system afterwards seems to make it work - maybe I just needed to 'rehash' from ssh…

