Howto: install Dansguardian on pfSense 2.0



  • This guide assumes that you have pfSense 2.0 and that you have
    installed squid from the packages list in the webConfigurator.

    This guide was tested on a box with the following specifications:

    CPU: 500Mhz AMD Geode
    Memory: 1GB
    pfSense version: 2.0
    squid version: 2.7.9_4.2
    Dansguardian version 2.12.0.0 alpha

    Due to the lack of development tools (such as make, gcc, etc) it is impossible
    to compile Dansguardian from source in pfSense. To get around this, you can
    install it on a FreeBSD system, and then copy the pertinent files to pfSense.
    I installed Dansguardian on a FreeBSD system in VirtualBox and then packaged
    the files into a tar file, which is available at https://sites.google.com/site/computdoctrinae/home/files.
    The version of Dansguardian from which this tar is derived is 2.12.0.0 alpha.
    I will add a link to a tar from the latest stable version later.  
    The tar contains the following folders:

    1. sharedoc – this folder has a dansguardian folder in it, which should be copied.
    2. Share – this folder also has a dansguardian folder in it.
    3. Sbin – this folder has the dansguardian executable in it.
    4. Etc – this folder has a dansguardian folder in it
    5. varlog – this folder has a dansguardian folder in it.

    The dansguardian folders and executable should be copied into
    their respective folders on the pfSense system with the root at /usr/local/.
    Thus the sharedoc dansguardian folder goes in /usr/local/share/doc/,
    the share dansguardian folder goes in /usr/local/share/, the varlog dansguardian
    folder goes in /usr/local/var/log/, etc. After this simply running the “dansguardian”
    command should be all that is necessary to start it running. If you get
    an error that the /usr/local/var/log/dansguardian/access.log file
    cannot be accessed or created, you will need to change the
    permissions on that file to allow access from anyone.

    chmod a+rw /usr/local/var/log/dansguardian/access.log
    

    Once dansguardian is running, it is necessary to configure pfSense to forward all traffic through port 8080, which is the default dansguardian port. Add a rule to the Firewall → NAT → Port Forward page in your webConfigurator with the following settings:

    Interface: LAN
    Protocol: TCP
    Source: LAN subnet
    Destination: any
    Destination Port: HTTP to HTTP
    Redirect IP: <the ip="" of="" your="" pfsense="" box="">Redirect Target Port: 8080

    Leave all the other settings default. Make sure and apply the changes after
    you save the rule. At this point filtering should work. To test you can add
    a site to the bannedsitelist file in /usr/local/etc/dansguardian/lists, reboot dansguardian using

    dansguardian -Q
    

    and then try to view that site from your browser.
    At this point all normal traffic goes through dansguardian. It is still possible, though, for someone to
    force the browser to go through port 3128 (the squid port) and thus circumvent dansguardian.
    To prevent this, add another entry to the Port Forwarding area to redirect all traffic on port 3128
    to port 8080 (instead of HTTP to 8080).

    NOTE 1: With these settings, secure connections (HTTPS) are not forwarded and hence are not filtered,
    since doing so would undermine the security of the connection. If you wish to filter this traffic as well
    add a third rule forwarding HTTPS to port 8080.

    NOTE 2: I was under the impression that enabling the caching function of squid was necessary to make
    dansguardian work. I have turned off caching and dansguardian still seems to work… But if someone else
    knows better, I would like to know.

    After installing dansguardian, I would highly recommend changing some of the default settings, particularly the “naughtiness level” in dansguardianf1.conf (which is in /usr/local/etc/dansguardian), since by default a number of perfectly legitimate sites are blocked as
    having Japanese or Norwegian pornography. These include Facebook, Netflix, iTunes, some Google searches, and I’m sure others that I haven’t run across.

    I have only tested this on the embedded version of pfSense. It should work on the full version.

    I don’t know whether this will work on an older version pfSense. I think probably not. Any feedback would be appreciated.</the>



  • nice write up! Have you looked into maybe making this into a package?



  • I’ll try this, if it works as expected, I can help on package…

    worderfull News!!! finaly a web content analyser for pfsense.

    excelent work ZGruk!!  🙂



  • UPDATE:

    So, after a month or so of using this I’ve found out some things:

    Dansguardian definitely works without squid caching.
    Which is good for me, since it was filling up my little 2GB CF card very quickly.

    The log file (access.log) can also get rather large over time. About 100 Mb in a month.

    I turned down the “naughtiness level” and I still get “Japanese pornography” every once in a while.
    Generally reloading the page once is all that’s necessary to get rid of it. Or you could turn it down farther.

    –----------------------

    I looked into making this into a package, and it looked rather complicated and time consuming.
    If someone wants to do it I’ll be glad to help all I can, and if not, maybe one of these day’s I’ll do it myself.



  • Congratulations for you work with this guide.

    We, the brazilian portuguese forum, we made sure to draw attention to him: http://forum.pfsense.org/index.php/topic,42641.msg226605.html#msg226605

    The guide also worked with one thread in our mailing list: http://lists.pfsense.org/pipermail/pfsense-pt/2011-December/000407.html

    [] 's
    Jack



  • I can help in dansguardian package since i finish mailscanner package.

    Do you have 32 and 64 bits version or compilation args you used?



  • The files I posted are from a 32-bit version. I didn’t use any compilation arguments. Keep in mind, however, that I didn’t compile it in pfSense. I compiled it in FreeBSD and copied the resulting files to pfSense.

    –-------------------

    If you’re interested in working on this, we should probably open a thread in the Packages section of the forum.





  • First I need to thank whoever ported Dansguardian to pfSense.  I had been using Dansguardian on IPCop for years and pfSense is such a superior firewall that I was hoping someday that Dansguardian would get ported.

    I have created the three NAT rules as mentioned in this post, but it would appear that the https rule is not working.  It blocks all https traffic when I try to go through the firewall transparently without configuring my browser to use a proxy.  If I configure my browser to use a proxy, https filtering seems to work.  My preference is of course to run transparently.  Any ideas?



  • Did you installed dansguardian package for pfsense?

    This guide is to install it by hand with no gui.

    I’m not sure if https can be used in transparente mode.

    proxy WPAD/PAC/auto configuration using dns+dhcp is the best way to configure browsers in a “transparent” way



  • Yes I did install the package.  Even with installing through the package I had to add the HTTP and 3128 NAT rules for it to work though.

    Okay I’ll try forcing browsers to autoconfig using dns+dhcp as you recommend.  Thank you!!



  • @gadams65:

    Okay I’ll try forcing browsers to autoconfig using dns+dhcp as you recommend.  Thank you!!

    Hi gadams65, any news about https and transparent mode?

    REgards, Valle



  • Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don’t find any. Does it mean I need to configure it manually?

    Thanks
    Rocel



  • Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don’t find any. Does it mean I need to configure it manually?

    Thanks
    Rocel



  • Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don’t find any. Does it mean I need to configure it manually?

    Thanks
    Rocel



  • @kryptos:

    Where is exception IP list located?

    The file location is /usr/local/etc/dansguardian/lists/exceptioniplist.

    I’ve checked and it’s really missing on gui, I’ll include it.

    att,
    Marcello Coutinho



  • version 0.1.5.4 of dansguardian package includes exceptioniplist missing field.



  • Hi, I had DG and Squid running perfectly till…… I changed the reporting to “full reporting” then everything went down. I wasn’t able to restart DG from the service manager and reboot, so i tried to reinstall the pkg. and Squid went down so reinstalled it as well, So now somehow both don’t restart. any help would be appreciated.
    TIA

    P.S. in general DG doesn’t start from the pkg menu.



  • Services tab on 2.0.1 needs a Fix.

    Are you using squid3? If so, reinstall it after dansguadian.

    Try to start dansguardian on console to check if it’s returning errors.



  • Thanks, I have installed version 2. I looked into the system logs and …

    root: /usr/local/etc/rc.d/dansguardian.sh: WARNING: failed to start dansguardian

    php: /pkg_edit.php: The command ‘/usr/local/etc/rc.d/dansguardian.sh start’ returned exit code ‘1’, the output was ‘kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 4096 -> 4096 Starting dansguardian. Error reading file /usr/local/etc/dansguardian/lists/blacklists/artnudes/urls: No such file or directory Error reading file /usr/local/etc/dansguardian/lists/blacklists/artnudes/urls: No such file or directory Error opening file: /usr/local/etc/dansguardian/lists/blacklists/artnudes/urls Error opening bannedurllist Error opening filter group config: /usr/local/etc/dansguardian/dansguardianf1.conf Error reading filter group conf file(s). Error parsing the dansguardian.conf file or other DansGuardian configuration files /usr/local/etc/rc.d/dansguardian.sh: WARNING: failed to start dansguardian’



  • check all config tabs, startup script is looking for files that was not created by package config.



  • Thanks, so far, so good



  • It’s on IP tab  😉



  • Hello,
    I followed the instruction on how to do the setup. All fine and all works.
    I get a issue with squid not starting so I reinstalled it. Both DG and squid start.

    But nothing is blocked. what am I missing?

    Thanks
    Iain



  • @luxmoggy:

    But nothing is blocked. what am I missing?

    what you get on system logs?

    did you tried to stop dansguardian and start again?

    Are you using 2.12.0.3 or 2.12.0.3_1?



  • Hello
    So I am using
    Dansguardian 2.12.0.3 pkg v.0.1.7_3
    Squid 3.1.20 pkg 2.0.6

    I uninstalled both and rebooted. And installed one at a time, rebooting inbetween.
    Both services are running without issues now.

    Still not blocking the example site. “Badboys.com”.
    Will check log later.

    Thanks



  • Hello,
    No real changes and it is working again….
    Is it taking the time setting from somewhere… I haven’t enabled it

    Time limiting syntax:

    #time: <start hour=""><start minute=""><end hour=""><end minute=""><days># Example:

    ##time: 9 0 17 0 01234

    Remove the first # from the line above to enable this list only from

    9am to 5pm, Monday to Friday.

    Will add a few screen shots later.</days></end></end></start></start>



  • to confirm it, try to mess up the time config like

    #tixmxex: 9 0 17 0 01234
    

Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy