Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Howto: install Dansguardian on pfSense 2.0

    Scheduled Pinned Locked Moved Documentation
    28 Posts 9 Posters 90.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      ZGruk
      last edited by

      This guide assumes that you have pfSense 2.0 and that you have
      installed squid from the packages list in the webConfigurator.

      This guide was tested on a box with the following specifications:

      CPU: 500Mhz AMD Geode
      Memory: 1GB
      pfSense version: 2.0
      squid version: 2.7.9_4.2
      Dansguardian version 2.12.0.0 alpha

      Due to the lack of development tools (such as make, gcc, etc) it is impossible
      to compile Dansguardian from source in pfSense. To get around this, you can
      install it on a FreeBSD system, and then copy the pertinent files to pfSense.
      I installed Dansguardian on a FreeBSD system in VirtualBox and then packaged
      the files into a tar file, which is available at https://sites.google.com/site/computdoctrinae/home/files.
      The version of Dansguardian from which this tar is derived is 2.12.0.0 alpha.
      I will add a link to a tar from the latest stable version later.  
      The tar contains the following folders:

      1. sharedoc – this folder has a dansguardian folder in it, which should be copied.
      2. Share – this folder also has a dansguardian folder in it.
      3. Sbin – this folder has the dansguardian executable in it.
      4. Etc – this folder has a dansguardian folder in it
      5. varlog – this folder has a dansguardian folder in it.

      The dansguardian folders and executable should be copied into
      their respective folders on the pfSense system with the root at /usr/local/.
      Thus the sharedoc dansguardian folder goes in /usr/local/share/doc/,
      the share dansguardian folder goes in /usr/local/share/, the varlog dansguardian
      folder goes in /usr/local/var/log/, etc. After this simply running the “dansguardian”
      command should be all that is necessary to start it running. If you get
      an error that the /usr/local/var/log/dansguardian/access.log file
      cannot be accessed or created, you will need to change the
      permissions on that file to allow access from anyone.

      chmod a+rw /usr/local/var/log/dansguardian/access.log
      

      Once dansguardian is running, it is necessary to configure pfSense to forward all traffic through port 8080, which is the default dansguardian port. Add a rule to the Firewall → NAT → Port Forward page in your webConfigurator with the following settings:

      Interface: LAN
      Protocol: TCP
      Source: LAN subnet
      Destination: any
      Destination Port: HTTP to HTTP
      Redirect IP: <the ip="" of="" your="" pfsense="" box="">Redirect Target Port: 8080

      Leave all the other settings default. Make sure and apply the changes after
      you save the rule. At this point filtering should work. To test you can add
      a site to the bannedsitelist file in /usr/local/etc/dansguardian/lists, reboot dansguardian using

      dansguardian -Q
      

      and then try to view that site from your browser.
      At this point all normal traffic goes through dansguardian. It is still possible, though, for someone to
      force the browser to go through port 3128 (the squid port) and thus circumvent dansguardian.
      To prevent this, add another entry to the Port Forwarding area to redirect all traffic on port 3128
      to port 8080 (instead of HTTP to 8080).

      NOTE 1: With these settings, secure connections (HTTPS) are not forwarded and hence are not filtered,
      since doing so would undermine the security of the connection. If you wish to filter this traffic as well
      add a third rule forwarding HTTPS to port 8080.

      NOTE 2: I was under the impression that enabling the caching function of squid was necessary to make
      dansguardian work. I have turned off caching and dansguardian still seems to work… But if someone else
      knows better, I would like to know.

      After installing dansguardian, I would highly recommend changing some of the default settings, particularly the "naughtiness level" in dansguardianf1.conf (which is in /usr/local/etc/dansguardian), since by default a number of perfectly legitimate sites are blocked as
      having Japanese or Norwegian pornography. These include Facebook, Netflix, iTunes, some Google searches, and I'm sure others that I haven't run across.

      I have only tested this on the embedded version of pfSense. It should work on the full version.

      I don't know whether this will work on an older version pfSense. I think probably not. Any feedback would be appreciated.</the>

      1 Reply Last reply Reply Quote 0
      • C
        Cino
        last edited by

        nice write up! Have you looked into maybe making this into a package?

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          I'll try this, if it works as expected, I can help on package…

          worderfull News!!! finaly a web content analyser for pfsense.

          excelent work ZGruk!!  :)

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • Z
            ZGruk
            last edited by

            UPDATE:

            So, after a month or so of using this I've found out some things:

            Dansguardian definitely works without squid caching.
            Which is good for me, since it was filling up my little 2GB CF card very quickly.

            The log file (access.log) can also get rather large over time. About 100 Mb in a month.

            I turned down the "naughtiness level" and I still get "Japanese pornography" every once in a while.
            Generally reloading the page once is all that's necessary to get rid of it. Or you could turn it down farther.

            –----------------------

            I looked into making this into a package, and it looked rather complicated and time consuming.
            If someone wants to do it I'll be glad to help all I can, and if not, maybe one of these day's I'll do it myself.

            1 Reply Last reply Reply Quote 0
            • JackLJ
              JackL
              last edited by

              Congratulations for you work with this guide.

              We, the brazilian portuguese forum, we made sure to draw attention to him: http://forum.pfsense.org/index.php/topic,42641.msg226605.html#msg226605

              The guide also worked with one thread in our mailing list: http://lists.pfsense.org/pipermail/pfsense-pt/2011-December/000407.html

              [] 's
              Jack

              Treinamentos de Elite: http://sys-squad.com
              Soluções: https://conexti.com.br

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                I can help in dansguardian package since i finish mailscanner package.

                Do you have 32 and 64 bits version or compilation args you used?

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • Z
                  ZGruk
                  last edited by

                  The files I posted are from a 32-bit version. I didn't use any compilation arguments. Keep in mind, however, that I didn't compile it in pfSense. I compiled it in FreeBSD and copied the resulting files to pfSense.

                  –-------------------

                  If you're interested in working on this, we should probably open a thread in the Packages section of the forum.

                  1 Reply Last reply Reply Quote 0
                  • marcellocM
                    marcelloc
                    last edited by

                    package topic for dansguardian

                    http://forum.pfsense.org/index.php/topic,43786.msg226796.html#msg226796

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    1 Reply Last reply Reply Quote 0
                    • G
                      gadams65
                      last edited by

                      First I need to thank whoever ported Dansguardian to pfSense.  I had been using Dansguardian on IPCop for years and pfSense is such a superior firewall that I was hoping someday that Dansguardian would get ported.

                      I have created the three NAT rules as mentioned in this post, but it would appear that the https rule is not working.  It blocks all https traffic when I try to go through the firewall transparently without configuring my browser to use a proxy.  If I configure my browser to use a proxy, https filtering seems to work.  My preference is of course to run transparently.  Any ideas?

                      1 Reply Last reply Reply Quote 0
                      • marcellocM
                        marcelloc
                        last edited by

                        Did you installed dansguardian package for pfsense?

                        This guide is to install it by hand with no gui.

                        I'm not sure if https can be used in transparente mode.

                        proxy WPAD/PAC/auto configuration using dns+dhcp is the best way to configure browsers in a "transparent" way

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        1 Reply Last reply Reply Quote 0
                        • G
                          gadams65
                          last edited by

                          Yes I did install the package.  Even with installing through the package I had to add the HTTP and 3128 NAT rules for it to work though.

                          Okay I'll try forcing browsers to autoconfig using dns+dhcp as you recommend.  Thank you!!

                          1 Reply Last reply Reply Quote 0
                          • V
                            valshare
                            last edited by

                            @gadams65:

                            Okay I'll try forcing browsers to autoconfig using dns+dhcp as you recommend.  Thank you!!

                            Hi gadams65, any news about https and transparent mode?

                            REgards, Valle

                            1 Reply Last reply Reply Quote 0
                            • K
                              kryptos
                              last edited by

                              Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don't find any. Does it mean I need to configure it manually?

                              Thanks
                              Rocel

                              1 Reply Last reply Reply Quote 0
                              • K
                                kryptos
                                last edited by

                                Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don't find any. Does it mean I need to configure it manually?

                                Thanks
                                Rocel

                                1 Reply Last reply Reply Quote 0
                                • K
                                  kryptos
                                  last edited by

                                  Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don't find any. Does it mean I need to configure it manually?

                                  Thanks
                                  Rocel

                                  1 Reply Last reply Reply Quote 0
                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    @kryptos:

                                    Where is exception IP list located?

                                    The file location is /usr/local/etc/dansguardian/lists/exceptioniplist.

                                    I've checked and it's really missing on gui, I'll include it.

                                    att,
                                    Marcello Coutinho

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      version 0.1.5.4 of dansguardian package includes exceptioniplist missing field.

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • H
                                        hf
                                        last edited by

                                        Hi, I had DG and Squid running perfectly till….... I changed the reporting to "full reporting" then everything went down. I wasn't able to restart DG from the service manager and reboot, so i tried to reinstall the pkg. and Squid went down so reinstalled it as well, So now somehow both don't restart. any help would be appreciated.
                                        TIA

                                        P.S. in general DG doesn't start from the pkg menu.

                                        1 Reply Last reply Reply Quote 0
                                        • marcellocM
                                          marcelloc
                                          last edited by

                                          Services tab on 2.0.1 needs a Fix.

                                          Are you using squid3? If so, reinstall it after dansguadian.

                                          Try to start dansguardian on console to check if it's returning errors.

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • H
                                            hf
                                            last edited by

                                            Thanks, I have installed version 2. I looked into the system logs and ..

                                            root: /usr/local/etc/rc.d/dansguardian.sh: WARNING: failed to start dansguardian

                                            php: /pkg_edit.php: The command '/usr/local/etc/rc.d/dansguardian.sh start' returned exit code '1', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 4096 -> 4096 Starting dansguardian. Error reading file /usr/local/etc/dansguardian/lists/blacklists/artnudes/urls: No such file or directory Error reading file /usr/local/etc/dansguardian/lists/blacklists/artnudes/urls: No such file or directory Error opening file: /usr/local/etc/dansguardian/lists/blacklists/artnudes/urls Error opening bannedurllist Error opening filter group config: /usr/local/etc/dansguardian/dansguardianf1.conf Error reading filter group conf file(s). Error parsing the dansguardian.conf file or other DansGuardian configuration files /usr/local/etc/rc.d/dansguardian.sh: WARNING: failed to start dansguardian'

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.