HAVP without Squid. Does not block anything
-
I have PFSense v1.2.3 running with a WAN, LAN and OPT interfaces. I have snort v2.8.6.1 installed and running fine. I am now trying to get HAVP installed without Squid.
HAVP installed with no errors. I have updated the ClamAV databases and have configured HAVP as follows:
HTTP Proxy page
Enable - checked
Proxy Mode - Transparent
Proxy Interface(s) - LAN, OPT
Proxy Port - 3125
Block file if error scanning - checked
Enable RAM disk - checked
Scan max file size - 2500 K
Scan Images - checked
Scan media stream - checked
Log and Syslog - checked
The General page shows both the HTTP Antivirus proxy as well as the Antivirus Server as running. I can restart the Proxy just fine.
Here is what is in the System Log when I restart the proxy service:
Feb 18 07:50:54 havp[20650]: Process ID: 20650
Feb 18 07:50:54 havp[20649]: --- All scanners initialized
Feb 18 07:50:54 havp[20649]: Clamd Socket Scanner passed EICAR virus test (Eicar-Test-Signature)
Feb 18 07:50:54 havp[20649]: --- Initializing Clamd Socket Scanner
Feb 18 07:50:54 havp[20649]: Use transparent proxy mode
Feb 18 07:50:54 havp[20649]: Running as user: havp, group: havp
Feb 18 07:50:54 havp[20649]: === Mandatory locking disabled! KEEPBACK settings not used!
Feb 18 07:50:54 havp[20649]: === Starting HAVP Version: 0.91
My understanding of the Transparent mode is "all 'http' requests on interface(s) will be translated to the HAVP proxy server without any client(s) additional configuration necessary". So, I should be able to browse as usual from my computers on the LAN without configuring any special proxy settings on my browsers. Is this true?
Now, when I launch a browser on my PC and browse to the EICAR test page, I am able to download the EICAR com and zip files just fine (The AV on my PC catches them after they are downloaded and deletes them). HAVP doesn't see them and nothing gets logged in the pfsense System Logs.
What am I doing wrong? Please help me get HAVP working without Squid. Also, I would really like to not have to configure proxy settings on my PCs - mainly because I run many applications that don't have proxy settings and so, don't play nice with proxy servers.
Thanks,
MediocreFred.
-
What is in the /tmp/rules.debug section
# havp proxy ifaces redirect
-
Thanks for the quick response. Here's the relevant section from /tmp/rules.debug:
# havp proxy ifaces redirect
rdr on em1 proto tcp from any to !(em1) port 80 -> lo0 port 3125
rdr on em1 proto tcp from any to (em1) port 3125 -> lo0 port 3125
rdr on em3 proto tcp from any to !(em3) port 80 -> lo0 port 3125
rdr on em3 proto tcp from any to (em3) port 3125 -> lo0 port 3125
There is also this related section:
# havp proxy ifaces rules
pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
pass in quick on em3 proto tcp from any to !(em3) port 80 flags S/SA keep state
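As an added example (not code from the thread or from the HAVP package), the following Python script checks the rules posted above the way the responder is asking the poster to: it parses the `# havp proxy ifaces redirect` and `# havp proxy ifaces rules` lines from a rules.debug-style text and reports, for each proxy interface, whether port 80 is redirected to lo0 on the HAVP port and whether the matching pass rule exists. The sample text is the poster's own section, split one rule per line; the interface names (em1, em3) and port 3125 come from the post, and the rule grammar the regexes accept is an assumption limited to the exact shape pfSense emitted here. The check only proves the rules are in the file; whether pf actually loaded them is a separate question (`pfctl -s nat` shows the live rdr rules).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the poster's havp section from /tmp/rules.debug,
# reproduced here one rule per line so it can be parsed offline.
SAMPLE_RULES = """\
# havp proxy ifaces redirect
rdr on em1 proto tcp from any to !(em1) port 80 -> lo0 port 3125
rdr on em1 proto tcp from any to (em1) port 3125 -> lo0 port 3125
rdr on em3 proto tcp from any to !(em3) port 80 -> lo0 port 3125
rdr on em3 proto tcp from any to (em3) port 3125 -> lo0 port 3125

# havp proxy ifaces rules
pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
pass in quick on em3 proto tcp from any to !(em3) port 80 flags S/SA keep state
"""

# Assumed grammar: only the rdr/pass shapes pfSense emitted in the thread.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) proto tcp from any to (?P<dst>\S+) port (?P<dport>\d+)"
    r" -> (?P<target>\S+) port (?P<tport>\d+)\s*$"
)
PASS_RE = re.compile(
    r"^pass in quick on (?P<iface>\S+) proto tcp from any to (?P<dst>\S+) port (?P<dport>\d+)"
)

RdrRule = Tuple[str, int, str, int]   # (destination, dst port, target, target port)
PassRule = Tuple[str, int]            # (destination, dst port)


def parse_rules(text: str) -> Tuple[Dict[str, Set[RdrRule]], Dict[str, Set[PassRule]]]:
    """Collect rdr and pass rules per interface; lines that do not match are ignored."""
    rdr: Dict[str, Set[RdrRule]] = {}
    passes: Dict[str, Set[PassRule]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RDR_RE.match(line)
        if m:
            rdr.setdefault(m["iface"], set()).add(
                (m["dst"], int(m["dport"]), m["target"], int(m["tport"]))
            )
            continue
        m = PASS_RE.match(line)
        if m:
            passes.setdefault(m["iface"], set()).add((m["dst"], int(m["dport"])))
    return rdr, passes


def check_transparent_redirect(text: str, ifaces: List[str], proxy_port: int = 3125) -> List[str]:
    """Return a list of problems; an empty list means every interface has both rules.

    For transparent mode each proxy interface needs:
      * rdr of TCP port 80 (to anything but the interface address) -> lo0 port <proxy_port>
      * a pass rule letting that redirected port-80 traffic in
    """
    rdr, passes = parse_rules(text)
    problems: List[str] = []
    for iface in ifaces:
        want_rdr: RdrRule = (f"!({iface})", 80, "lo0", proxy_port)
        if want_rdr not in rdr.get(iface, set()):
            problems.append(f"{iface}: no rdr of port 80 to lo0 port {proxy_port}")
        want_pass: PassRule = (f"!({iface})", 80)
        if want_pass not in passes.get(iface, set()):
            problems.append(f"{iface}: no pass rule for redirected port 80 traffic")
    return problems


if __name__ == "__main__":
    # The poster's configuration: Proxy Interface(s) LAN (em1) and OPT (em3), port 3125.
    for problem in check_transparent_redirect(SAMPLE_RULES, ["em1", "em3"]) or ["rules look complete"]:
        print(problem)
```

Run it against the real file with the interface names pfSense assigned (`python3 check.py` after reading `/tmp/rules.debug` into `SAMPLE_RULES`); a clean result here and an empty access.log points at traffic not reaching pf on that interface (a bridge, a different gateway, or a client on a VLAN the rdr does not cover) rather than at the generated rules.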
-
Hm.. all right.
If your interfaces are not bridged, it must work. The file /var/log/havp/access.log contains the last client requests. Please check what content is in this file.
-
The access.log file is empty. I tried loading a few pages in my browser including the eicar page and initiated a download of the eicar after clearing my browser cache. Went back and looked at the access.log. Still Nothing.
Please let me know where to look next.
Thanks.
-
Please set up proxy settings in your browser and test how this works.
-
I have tried everything I can think of -
1. Uninstalled and reinstalled havp from the UI.
2. Used pkg_delete to delete havp, clamav and arj.
3. Reinstalled havp using pkg_add using the following -
```
pkg_add -r havp http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/havp.tbz
```
This appears to install newer versions of havp, clamav and arj; however, I don't see any way to configure this using the PFSense UI. No idea what is involved in configuring this manually.
4. Reinstalled the havp from the pfsense package manager.
5. Changed the Proxy mode to "Standard". Set the port to "8080". On my PC, I set the proxy settings in Internet Explorer to the IP address of pfsense and port 8080. Can't access the internet at all with this proxy setting. However, nothing gets logged in either /var/log/havp/access.log or /var/log/havp/havp.log.
What am I doing wrong? I would really like to get this working. Thanks.
-
Oddly, I have always been able to download those files on my setup, and nothing ever gets logged to the files in /var/log/havp, but I know it does some good as I find quite a few messages of this type on the syslog server.
havp[49826]: 172.31.225.226 GET 301 http://www.themoscowtimes.com/news/article/police-upgrade-web-site-ahead-of-reforms/431422.html 901+28129 VIRUS Clamd: Exploit.JS.CVE-2006-1359
PLEASE DO NOT CHECK THAT URL UNLESS YOUR ANTI-VIRUS IS UP TO DATE.
-
hi, just following up if this was resolved…
I just reinstalled pfsense (on a new box) and have run into the same exact situation.
any hints or pointers are much appreciated.
-
just blew the box away and installed 2.0 RC1 and seeing the same behavior in this.
-
weird but rebooting the system after seems to make it work - maybe i just needed to 'rehash' from ssh…