Dansguardian package for 2.0
-
Tried to completely reinstall pfsense from scratch, imported my config and reinstalled 1) squid and 2) dansguardian. Both installations ran without errors - but still no menu entry from dansguardian.
Anyone can help us?
-
I ran into the same problem myself this morning. I resolved it by just going to my installed packages menu and clicking the button to reinstall Dansguardian. Then it showed up in my menu.
-
Thanks rj for your response. Things will probably make more sense to me once I start setting things up. My concern is trying to install both the proxy (Squid) and the content filtering (Dansguardian) and not having either work. So I would like to get the proxy set up and working first, then after I know that is working then get the content filtering up.
My question about the proxy on all NICs has to do with things like game consoles or satellite STBs not working well with proxies. I assume for PCs when using internet browsers most would choose automatically detect proxy settings and that would work. What about other programs such as apps on a cell phone that may not like being behind a proxy?
In an attempt to clarify my questions from my August 20th post here goes (sorry for being a newbie):
#1 For the Squid proxy to work do you have to set up a firewall rule on each NIC to pass traffic to the loopback 3128 port? I ask because for Dansguardian a firewall rule must be created yes?
#2 So you first set up the proxy on port 3128, then Dansguardian is set up on 8080. If browsers have automatically detect proxy settings is it going to pass through both 8080 and then 3128?
#3 Is the loopback address per NIC? So like if I have multiple NICs I would have to enable squid on each loopback address port 3128 yes?
-
Your approach is fine, but you can install both and just not turn on dans until you're ready. As far as auto detection of the proxy, you need to set up the PAC file along with some other stuff in DNS or DHCP to make it work. You can search the forums for instructions.
Your point on problems through proxies is legitimate as well. I have a range reserved (192.168.5.200/29) that is allowed to directly access the internet without going through dans and the proxy. Let me try to address your other questions…
#1. You do not need to create any firewall rules to get dans or the proxy working. You will need to create a NAT rule if you want to transparently proxy (i.e. do it without setting the proxy in the browser).
#2. The browser will point to 8080 only. Dans passes to squid (3128) based on its config. If you want to test just squid - then set the browser proxy to 3128.
#3. I don't know the answer to this question... sorry.
-
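A PAC file for the setup described in the post above, as an added example that is not part of the original thread: clients are sent to Dansguardian on 8080 (never straight to Squid on 3128) and the reserved range 192.168.5.200/29 goes direct. The firewall address 192.168.5.1 and the helper function names are assumptions.

```javascript
// Added example, not from the thread. Assumed: firewall LAN address 192.168.5.1
// and the helper names ipToInt / inCidr / proxyFor (all hypothetical).
// Written in ES5 because some PAC runtimes do not support newer syntax.
var FILTER_PROXY = "PROXY 192.168.5.1:8080"; // Dansguardian; it chains to Squid on 3128
var BYPASS_NET = "192.168.5.200";            // reserved range from the post
var BYPASS_BITS = 29;

// Dotted IPv4 -> unsigned 32-bit number, or null when the string is malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip lies inside net/bits. Division avoids 32-bit sign problems.
function inCidr(ip, net, bits) {
  var a = ipToInt(ip);
  var b = ipToInt(net);
  if (a === null || b === null) return false;
  var blockSize = Math.pow(2, 32 - bits);
  return Math.floor(a / blockSize) === Math.floor(b / blockSize);
}

// Proxy decision for one client. Kept apart from the PAC entry point so it
// can be exercised outside a browser.
function proxyFor(clientIp) {
  if (inCidr(clientIp, BYPASS_NET, BYPASS_BITS)) return "DIRECT";
  // Everything else, including an unparseable address, goes to the filter.
  // There is no "; DIRECT" fallback, so a stopped filter blocks browsing
  // instead of silently unfiltering it.
  return FILTER_PROXY;
}

// PAC entry point. myIpAddress() is supplied by the browser's PAC runtime and
// can report the wrong interface on multi-homed clients; such clients are
// simply proxied.
function FindProxyForURL(url, host) {
  return proxyFor(myIpAddress());
}
```

-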
This last weekend I set up a new pfsense GUI user. Just wondering if there is a way to disable the Dansguardian menu for the new user…
In other words, I did the following:
1.) set up a group with specific rights - didn't give it anything specific to dansguardian (actually didn't see anything on the list).
2.) created a user and assigned it to the above group
When I log in with the new user it appears that the group assignment worked correctly (i.e. user does not have GUI rights that it should not). However Dans is still accessible and active from the menu. Did I miss something? Is there any way to remove the Dansguardian menu from certain users?
-
On 2.1 yes. I did not include the permission file yet.
On 2.0.1 you can deny access to all xml files using the postfix permissions file.
Download http://www.pfsense.org/packages/config/postfix/postfix.priv.inc to /etc/inc/priv to have "WebCfg - Services: All xml pages (config)." listed on user permissions.
-
@namek:
> I had a question - What is the significance/use of the "Anti-virus" TAB on the access lists in Dansguardian?
> What does it do?
> And the other - found a typo that you can fix the next time you update the package (Services->Dansguardian -> Access Lists -> "Phase", which I suppose should be Phrase).
> UPDATE - I believe this only needs to be fixed at /usr/local/pkg/dansguardian_antivirus_acl.xml, rest of the xml files have the correct spelling.
Dans will do virus scanning using clamav. This tab makes changes to the files that control what it scans.
-
We just had a problem with our setup, we have pfsense 2.0.1, multi-wan and dansguardian (including all prerequisites like squid). The problem is if the listening interface is on LAN all client computers will go to the gateway1 (WAN1). What we want is to be able to shift between gateway1 (WAN1) and gateway2 (WAN2/OPT1) on selected computers without interrupting the site filtering or blocking. Is there any possible solution for this problem? Just correct me if I posted it in the wrong thread…
-
> What we want is to be able to shift between gateway1 (WAN1) and gateway2 (WAN2/OPT1) on selected computers without interrupting the site filtering or blocking. Is there any possible solution for this?
You will need one proxy for each LAN and another pfsense to balance/failover proxy access.
-
> What we want is to be able to shift between gateway1 (WAN1) and gateway2 (WAN2/OPT1) on selected computers without interrupting the site filtering or blocking. Is there any possible solution for this?
> You will need one proxy for each LAN and another pfsense to balance/failover proxy access.
Is it possible in just one pfsense server, because each computer is added on the LAN rules so we could change the gateway for each computer? We only have one LAN network and proxy caching is not needed on our end; the only thing we need on dansguardian is the filtering / blocking feature.
-
After forwarding it to dansguardian, all requests will be from 127.0.0.1 instead of client IP.
You can create balance/fail over rules for all requests but not based on client IP.
-
> After forwarding it to dansguardian, all requests will be from 127.0.0.1 instead of client IP.
> You can create balance/fail over rules for all requests but not based on client IP.
What did you mean by that? Our WAN1 is solely for all computers in our office and WAN2 is dedicated for our servers, so we do not want to use load balancing for all computers.
-
I mean that you can create rules for all proxy(squid,dansguardian,etc,…) requests at floating rules tab but not based on client IP as it will have 127.0.0.1 as source address.
-
> I mean that you can create rules for all proxy(squid,dansguardian,etc,…) requests at floating rules tab but not based on client IP as it will have 127.0.0.1 as source address.
Is it on source address and port or destination address and port for floating rule? Do I need to set the gateway for the floating rule?
-
I still have a problem with the gateway configuration on dansguardian, we really want to use two gateways at the same time based on the gateway rules set for specific client computers and servers…
-
> I still have a problem with the gateway configuration on dansguardian, we really want to use two gateways at the same time based on the gateway rules set for specific client computers and servers…
This is not a dansguardian/pfsense problem, it's a project conception problem/mistake. Any proxy you configure on gateway/firewall will do the same way.
-
> I still have a problem with the gateway configuration on dansguardian, we really want to use two gateways at the same time based on the gateway rules set for specific client computers and servers…
> This is not a dansguardian/pfsense problem, it's a project conception problem/mistake. Any proxy you configure on gateway/firewall will do the same way.
So, you mean that our plan to use both gateways (dual wan) at the same time with dansguardian will not work? We do not have any intention to use the proxy; the only thing we need is the blocking feature of dansguardian on one pfsense server only.
-
This came back on my topic list recently. I just did an install with Dansguardian using SSO for NTLM authentication and made a bunch of notes (hopefully in the next week). Once I make them generic and presentable I will post them for everyone's benefit. I wanted to check back on the multiple authentication methods patch to see if there has been any progress on that. I know with all the tablets that it would be good to use both NTLM and IP address depending on if it is a windows box or something that is not logged into with a user name like a tablet.
Also for analysis of the logs is SARG the best tool for Dansguardian logs? Also is there anything that might be able to send reports out via email (not sure if this is built into SARG or not).
-
I tried Sarg and wasn't real happy with it. Ended up just installing a minimal version of webmin and the webmin dansguardian module…
> This came back on my topic list recently. I just did an install with Dansguardian using SSO for NTLM authentication and made a bunch of notes (hopefully in the next week). Once I make them generic and presentable I will post them for everyone's benefit. I wanted to check back on the multiple authentication methods patch to see if there has been any progress on that. I know with all the tablets that it would be good to use both NTLM and IP address depending on if it is a windows box or something that is not logged into with a user name like a tablet.
> Also for analysis of the logs is SARG the best tool for Dansguardian logs? Also is there anything that might be able to send reports out via email (not sure if this is built into SARG or not).
-
> I tried Sarg and wasn't real happy with it. Ended up just installing a minimal version of webmin and the webmin dansguardian module…
I don't suppose you have a how to or list of steps? If so, I'd give it a whirl because I am also a little underwhelmed with SARG.
-
> So, you mean that our plan to use both gateways (dual wan) at the same time with dansguardian will not work?
Will work, all traffic can go with loadbalance/failover but not based on source address.