Dansguardian package for 2.0
-
Where are the actual config files for dansguardian located? I've noticed when I change them in the GUI (ACL -> Site Lists for example) they don't change in the files on the machine (in /usr/local/dansguardian/lists/bannedsitelist for example). And conversely, editing bannedsitelist using vi doesn't actually block any sites. I assume there are actual files somewhere on the machine that are getting changed when I change it in the GUI, but I haven't been able to find them.
-
Where are the actual config files for dansguardian located? I've noticed when I change them in the GUI (ACL -> Site Lists for example) they don't change in the files on the machine (in /usr/local/dansguardian/lists/bannedsitelist for example). And conversely, editing bannedsitelist using vi doesn't actually block any sites. I assume there are actual files somewhere on the machine that are getting changed when I change it in the GUI, but I haven't been able to find them.
/usr/local/etc/dansguardian
/usr/local/etc/dansguardian/listsThe config gets written to the config.xml file (see /conf/config.xml) and then propogated to the appropriate files in the config directories. If you change the files manually, it will be overwritten by what is in the config.xml when you save on the GUI or when you reboot. Confusing part about the config.xml file is that the XML element values are often encoded - so you can't really read it if you just bring the file up in VI.
-
Hi, first post here on pfsense forum. I'm a newbie in pfsense, only one week using it, and I have a question.
I've installed dansguardian 2.12.0.3 on pfsense 2.1-RELEASE (amd64), and update the blacklist with shalla's list.
Everything is working fine, but the categories in the Exception part of the Site Lists ACLs are greyed out, there is no categories on the list. The Banned portion of the Site Lists ACLs shows all the categories. Theres something that I'm missing?Thanks!
Edit:
I've found the problem. In blacklist options, i've selected only to list the categories on the Banned section, and I should have selected to show the list in the section banned and exception.
-
When using multiple auth mechanisms, how to do specify the order? For example, I have authentication working with AD but there are also phone and other non-computer devices I need to authenticate via IP.
If I select both of those, it puts the IP auth line in the config file first so it tries that first. It will "always" see the IP in my case so it will never use the AD authentication (NTLM). I can manually change the conf file but then it gets overwritten on the next save (and seems to mess up XMLRPC Sync).
It would be nice to have a way in the GUI to change the order but for now I only really need to know what file I can edit to change the default order that gets written. Does anyone know where I can change this?
Thanks!
-
for now I only really need to know what file I can edit to change the default order that gets written. Does anyone know where I can change this?
dansguardian_config.xml
change the order that I check the selected item.
dansguardian.inc code that check auth_plugin
$authplugin=(preg_match('/usr/',$dansguardian_config['auth_plugin'])?"authplugin = '".$dansguardian_config['auth_plugin']."'":""); if ($dansguardian_config['auth_plugin']!=""){ $auth_plugins=explode(",",$dansguardian_config['auth_plugin']); $authplugin=""; foreach ($auth_plugins as $auth_selected) if ($auth_selected != "none") $authplugin.="authplugin = '".preg_replace("@/usr/local@",DANSGUARDIAN_DIR,$auth_selected)."'\n"; }
-
That worked, or at least it switched the order in the conf file. According to this:
http://contentfilter.futuragts.com/wiki/doku.php?id=more_than_one_auth_method&DokuWiki=gvhxljbpcoxc (all the way at the bottom #3)
you may just want to change the default order to have IP always on top as it seems like it should always come before other auth methods when multiple auth methods are used.
I'm still messing with DG though, trying to get the multiple auths working the way I need. Isn't doing the IP auth first now for some reason… I'll keep trying.
-
marcelloc,
I guess the multiple auth not working for IP is a known issue:
http://sourceforge.net/p/dansguardian/patches/15/
There is a link on that page that points to a French site that says it is fixed in a later version:
http://numsys.eu/search.php?search=Dansguardian
Looks like it is up to 2.12.0.7? The package for pfsense shows 2.12.0.3, but I did download one of your binary fixes. When I run it with a -v, it shows 2.12.0.0… ??? Now I am confused, I thought your binary was newer.
Is there any plans to update the package to 2.12.0.7 or is it possible to get an updated binary that fixes this bug?
Thanks for all your great contributions!
-
Test with one of dansguardian versions from my repo. I've testing a lot of patches on dansguardian few months ago.
-
Test with one of dansguardian versions from my repo. I've testing a lot of patches on dansguardian few months ago.
I found this:
dansguardian 2013-Feb-08 02:07:07 970.9K
under http://e-sac.siteseguro.ws/pfsense/8/amd64/ but I think that is the one I've already downloaded. I looked around but didn't see any other binaries. Where are the binaries you were testing with?
-
e-sac.siteseguro.ws/packages
-
I used the latest file:
dansguardian-2.12.0.3_7.tbz 2013-Aug-20 14:47:20 536.4K
and multi-auth with IP is working. I'll watch for other issues and thanks!
-
For using dansgaurdian, you should add a port forward rule.
It's far better to add a feature for specifying dansguardian acls in firewall rules. (like traffic shaping policy) -
It looks like I found an issue. Once multiple people are pushing traffic through the filter, it will frequently (usually at least once a day, sometimes more) crash the system. I've attached a screen shot of the console when it happens and also one of top when it is happening. Sometimes I can log in and restart the DG service to fix it. Other times I can't even SSH in or get to the local console so I have to hard reboot it. Is this something you have seen? There seems to be a large number of DG processes running at the time. I'm not sure if that is normal or not.
Also I noticed that there is a 3.3.10 version available to update. What version of DG is that and what were the changes? I'm still running with the hacked in 2.12.0.3_7 binary for multi-auth to work.
-
When i use dansguardian with a port forward rule(http to 8080), it occasionally doesn't work and i need to restart daemon.
I think that pfsense developers should integrate it with firewall rules. therefore, a user can select content filter policy in it's access rule( like fortigate and other products). -
It looks like I found an issue. Once multiple people are pushing traffic through the filter, it will frequently (usually at least once a day, sometimes more) crash the system. I've attached a screen shot of the console when it happens and also one of top when it is happening. Sometimes I can log in and restart the DG service to fix it. Other times I can't even SSH in or get to the local console so I have to hard reboot it. Is this something you have seen? There seems to be a large number of DG processes running at the time. I'm not sure if that is normal or not.
Also I noticed that there is a 3.3.10 version available to update. What version of DG is that and what were the changes? I'm still running with the hacked in 2.12.0.3_7 binary for multi-auth to work.
I think I may have resolved this. It has gone several days now without a crash. On the web page for the updated binary they mentioned increasing some of the daemon settings. So here are the changes I made:
Min/Max Children: 8/8176
Min/Max Spare Children: 8/64
Prefork Children: 10
Max Age Children: 10000I think the max children may only work if you have this updated binary but that seems to have solved my crashing problems (in case anyone else runs into this).
-
I recently upgraded to pfSense 2.1 and am having trouble with the DansGuardian package.
I noticed that the "Denied Access" page was not rendering the correct html from the Report File text box under the Report and Log tab.
It appears the DansGuardian package 2.12.0.3 v.0.1.8 on my system is writing the Report File html to this location:
/usr/local/share/dansguardian/languages/ukenglish/template.htmlBut on pfSense 2.1, the DansGuardian package is using this location for the Access Denied html:
/usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/template.htmlbryan.paradis recommended that I create a symlink to the file managed by the web gui:
https://forum.pfsense.org/index.php/topic,73058.msg398551.html#msg398551It seems to me that a reinstall of Dans Guardian will overwrite the symlink. I also have concerns that changes to my ACLs may not be working correctly, but I have not completed extensive testing yet.
Is this issue something you are already aware of, or could it be unique to my system? The system is a Netgate 7451 upgraded to 2.1-RELEASE (amd64) using the web interface for Firmware Update.
-
Hey marcelloc,
Looks like here you pass the dansguardian_dir to $dg_dir when creating dansguardianfx.conf.
#dansguardian.inc $dg_dir=DANSGUARDIAN_DIR; include("/usr/local/pkg/dansguardianfx.conf.template"); file_put_contents($dansguardian_dir."/dansguardianf".$count.".conf", $dgf, LOCK_EX);
#dansguardian.conf.template languagedir = '{$dg_dir}/share/dansguardian/languages' # language to use from languagedir. language = '{$reportlanguage}'
This will reference the pbi directory but in the php code below as you can see it isn't referencing the dansguardian_dir thus not referencing the pbi folder which is being set as the path in the conf file.
#log report if ($dansguardian_log['report_file']=="" && file_exists("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html")){ $report_file=file_get_contents("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html"); $report_file=preg_replace('/<.*(html|head)>/','',$report_file); $config['installedpackages']['dansguardianlog']['config'][0]['report_file']=base64_encode($report_file); $dansguardian_log['report_file']=base64_encode($report_file); $load_samples++;
And
#dansguardian.inc #Create report template if (is_dir("/usr/local/share/dansguardian/languages/".$reportlanguage)) file_put_contents("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html",dg_text_area_decode($dansguardian_log['report_file']),LOCK_EX);
dansguardian_dir needs to be appended to the front of the paths
Lines 927-928
if (is_dir(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage)) file_put_contents(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html",dg_text_area_decode($dansguardian_log['report_file']),LOCK_EX);
Lines 694-695
#dansguardian.inc if ($dansguardian_log['report_file']=="" && file_exists(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html")){ $report_file=file_get_contents(DANSGUARDIAN_DIR."/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html");
Update: Nevermind looks like they are already symlinked on a fresh install I am not sure why sgirard had a problem in the first place :-X Though I suppose it could be cleaned up considering you are setting the path based on what pfversion is running already?
[2.1-RELEASE][root@pfsense.localdomain]/usr/local/share/dansguardian/languages/ukenglish(15): ls -la total 3 drwxr-xr-x 2 root wheel 512 Feb 25 06:45 . drwxr-xr-x 29 root wheel 1024 Feb 25 06:45 .. lrwxr-xr-x 1 root wheel 87 Feb 25 06:45 fancydmtemplate.html -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/fancydmtemplate.html lrwxr-xr-x 1 root wheel 75 Feb 25 06:45 messages -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/messages lrwxr-xr-x 1 root wheel 80 Feb 25 06:45 template.html -> /usr/pbi/dansguardian-amd64/share/dansguardian/languages/ukenglish/template.html
-
Hi there.
Is there any way to put timeframe in DG?
I need to block access for certain users to certain sites. For example, users in DG group "office" are not allowed to access social nets and web-videos at working hours. Outside working hours they can.
Can I do that in DG itself or need to use FW rules or Squidguard along with it?
Thanks.
-
https://forum.pfsense.org/index.php?topic=67066.0
-
Hola Marcelo!
Just saw that there is a new version on DG for download in the package manager. Can you please provide a changelog? Has the missing CLAMAV issue been corrected in this new package?
Thanks!
F.