HAVP without Squid. Does not block anything

MediocreFred

I have PFSense v1.2.3 running with a WAN, LAN and OPT interfaces. I have snort v2.8.6.1 installed and running fine. I am now trying to get HAVP installed without Squid.

HAVP installed with no errors. I have updated the ClamAV databases and have configured HAVP as follows:

HTTP Proxy page
    Enable - checked
    Proxy Mode - Transparent
    Proxy Interface(s) - LAN, OPT
    Proxy Port - 3125
    Block file if error scanning - checked
    Enable RAM disk - checked
    Scan max file size - 2500 K
    Scan Images - checked
    Scan media stream - checked
    Log and Syslog - checked

The General page shows both the HTTP Antivirus proxy as well as the Antivirus Server as running. I can restart the Proxy just fine.

Here is what is in the System Log when I restart the proxy service:

Feb 18 07:50:54 	havp[20650]: Process ID: 20650
Feb 18 07:50:54 	havp[20649]: --- All scanners initialized
Feb 18 07:50:54 	havp[20649]: Clamd Socket Scanner passed EICAR virus test (Eicar-Test-Signature)
Feb 18 07:50:54 	havp[20649]: --- Initializing Clamd Socket Scanner
Feb 18 07:50:54 	havp[20649]: Use transparent proxy mode
Feb 18 07:50:54 	havp[20649]: Running as user: havp, group: havp
Feb 18 07:50:54 	havp[20649]: === Mandatory locking disabled! KEEPBACK settings not used!
Feb 18 07:50:54 	havp[20649]: === Starting HAVP Version: 0.91

My understanding of the Transparent mode is "all 'http' requests on interface(s) will be translated to the HAVP proxy server without any client(s) additional configuration necessary". So, I should be able to browse as usual from my computers on the LAN without configuring any special proxy settings on my browsers. Is this true?

Now, when I launch a browser on my PC and browse to the EICAR test page, I am able to download the EICAR com and zip files just fine (The AV on my PC catches them after they are downloaded and deletes them). HAVP doesn't see them and nothing gets logged in the pfsense System Logs.

What am I doing wrong? Please help me get HAVP working without Squid. Also, I would really like to not have to configure proxy settings on my PCs - mainly because I run many applications that don't have proxy settings and so, don't play nice with proxy servers.

Thanks,
MediocreFred.

dvserg

What in /tmp/rules.debug section

# havp proxy ifaces redirect

MediocreFred

Thanks for the quick response. Here's the relevant section from /tmp/rules.debug:

# havp proxy ifaces redirect
rdr on em1 proto tcp from any to !(em1) port 80 -> lo0 port 3125
rdr on em1 proto tcp from any to (em1) port 3125 -> lo0 port 3125
rdr on em3 proto tcp from any to !(em3) port 80 -> lo0 port 3125
rdr on em3 proto tcp from any to (em3) port 3125 -> lo0 port 3125

There is also this related section:

# havp proxy ifaces rules
pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
pass in quick on em3 proto tcp from any to !(em3) port 80 flags S/SA keep state

@dvserg:

What in /tmp/rules.debug section

# havp proxy ifaces redirect

dvserg

Hm.. all right.
If you interfaces not bridged - must work.

File /var/log/havp/access.log contains last clients requests. Check pls what content in this file.

MediocreFred

The access.log file is empty. I tried loading a few pages in my browser including the eicar page and initiated a download of the eicar after clearing my browser cache. Went back and looked at the access.log. Still Nothing.

Please let me know where to look next.

Thanks.

@dvserg:

Hm.. all right.
If you interfaces not bridged - must work.

File /var/log/havp/access.log contains last clients requests. Check pls what content in this file.

dvserg

Pls setup proxy settings in you browser and test howto work this.

MediocreFred

I have tried everything I can think of -
1. Uninstalled and reinstalled havp from the UI.
2. Used pkg_delete to delete havp, clamav and arj.
3. Reinstalled havp using pkg_add using the following -
   ```
pkg_add -r havp http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/havp.tbz

    This appears to install newer versions of havp, clamav and arj; however, I don't see any way to configure this using the PFSense UI. No idea what is involved in configuring this manually.
4\. Reinstalled the havp from the pfsense package manager.
5\. Changed the Proxy mode to "Standard". Set the port to "8080". On my PC, I set the proxy settings in Internet Explorer to the IP address of pfsense and port 8080\. Can't access the internet at all with this proxy setting.

However, nothing gets logged in either /var/log/havp/access.log or /var/log/havp/havp.log

What am I doing wrong? I would really like to get this working.

Thanks.

Gloom

Oddly I have always been able to download those files on my setup and nothing ever gets logged to the files in /var/log/havp but I know it does some good as I find quite a few of this type of message on the syslog server.

havp[49826]: 172.31.225.226 GET 301 http://www.themoscowtimes.com/news/article/police-upgrade-web-site-ahead-of-reforms/431422.html 901+28129 VIRUS Clamd: Exploit.JS.CVE-2006-1359

PLEASE DO NOT CHECK THAT URL UNLESS YOUR ANTI-VIRUS IS UP TO DATE.

mshundal

hi, just following up if this was resolved…

I just reinstalled pfsense (on a new box) and have run into the same exact situation.

any hints or pointers are much appreciated.

mshundal

just blew the box away and installed 2.0 RC1 and seeing the same behavior in this.

mshundal

weird but rebooting the system after seems to make it work - maybe i just needed to 'rehash' from ssh…