Dansguardian package for 2.0

danisam

Hello,

Thanks a lot for this great package.
I was trying it yesterday and i saw maybe a problem with Pfsense 2.0.1 Release. Nano BSD with CF 4G and Soekris 5001-70
a have 2 WANs , WAN1 with Static IP and WAN2 with PPPOE, with Failover. All this configuration was working great.
I install the Dansguardian package and the failover still working great , but after i reboot the soekris, my PPOE connection didn't came back, and i saw in the PPP Logs that the PPP was waiting for one process to die. I also saw in the systems logs some Dansguardian privileges errors.
i was fighting 1 hour and try to reboot again and still the same, but after i deinstall the Dansguardian package and reboot again the pppoe connect very quick.
it' s maybe a coincidence but i will know if somebody had the same problem.
I could make some test for you if you need it.
Thanks for your help.
regards

marcelloc

On my system(not nanobsd), dansguardian take 01 minute to start at but I get no permission erros.

Can you send these permission errors?

tesna

Thank you for developers creating this magnificent add on package for pfsense. This is a feature I missed since I migrated from clearos to pfsense :)

However, I have a little problem. I managed to get it working but I can't get the antivirus scanner to work. When the content scanner enabled (select clamdscan) on the general tab I get access denied page of "WARNING: Could not perform content scan!" when I try to open a webpage.

I also saw this on the dansguardian access log:

2012.2.20 16:17:21 - *.*.*.* http:///***** *SCANNED* *DENIED* Error connecting to ClamD socket GET 149 0 Content scanning 1 403 -  Default  - -

I'm not sure how to fix the problem since there are clamd daemon when I view the system process

root   63856  0.0 14.3 231316 220988  ??  Is   Fri09PM  25:43.08 /usr/local/sbin/clamd -c /usr/local/etc/clamd.conf

If the av scanner turned off, all other filtering is working fine.

marcelloc

Do you have other packages running on this pfsense?

I get this error only few seconds after a service restart during config apply.

tesna

I do have HVAP and squidguard installed, but not running. Is this the cause? I'm going to try to remove them now

marcelloc

You may need to remove havp.

Dansguardian package uses the same user applied to clamav conf but I did not tested with havp installed.

tesna

@marcelloc:

You may need to remove havp.

Dansguardian package uses the same user applied to clamav conf but I did not tested with havp installed.

I've removed havp, reinstall dansguardian but no luck. Finally I managed to get it working though. I need to modify /usr/local/etc/dansguardian/contentscanners/clamdscan.conf file on the UNIX domain socket thing to match with the value located in /usr/local/etc/clamd.conf

Not sure why the value is different, maybe havp changed it?

dvserg

Try remove dansguardian and look exists packages from console - pkg_info
If any clam package exist, you must delete it's manually - pkg_delete full_pkg_name

Can exist clam AV from havp pkg.

Then install dansguardian new.

marcelloc

Not sure why the value is different, maybe havp changed it?

Maybe. Try uninstalling clamav after havp just like dvserg told you.

If I have some time this week I'll try to check havp clamav config and make dansguardian compatible to it.

mschiek01

I've had this same problem never was able to get it to work.  I think the issue occurs when postfix is installed allong with dansguardian.

marcelloc

Hi mschiek01,

Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.

Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.

mschiek01

2.0.1-RELEASE (i386)

I did try full uninstall no luck.  I need to take a look and see if havp and all its components were removed on the deinstall.

mschiek01

@marcelloc:

Hi mschiek01,

Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.

Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.

I did get it to work.  Here is what I did:
Uninstall, postfix, dansguardian & mailscanner
reinstall HAVP
uninstall HAVP & deleted havp user
reinstall postfix, mailscanner, dansguardian
Trying to just pkg_delete the clamv packages was showing errors concerning the packaged deletion.

Stopped working again with "error connecting to clam d socket"

marcelloc

The way I did:

Clean install
Postfix
Mailscanner
Dansguardian

I'll do it again this week to test.

Cino

still have a lot more testing with SSL man-in-middle but when I try to access https sites, i'm getting the danguardian denied page "Certificate supplied by server was not valid"

still have to check logs and read the docs from danguardian site on this feature.

marcelloc

I'm on the same point.

I did not found anything usefull on internet.

This is a most wanted experimental and non documented feature ever. :(

tesna

@mschiek01:

@marcelloc:

Hi mschiek01,

Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.

Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.

I did get it to work.  Here is what I did:
Uninstall, postfix, dansguardian & mailscanner
reinstall HAVP
uninstall HAVP & deleted havp user
reinstall postfix, mailscanner, dansguardian
Trying to just pkg_delete the clamv packages was showing errors concerning the packaged deletion.

Stopped working again with "error connecting to clam d socket"

check the config file make sure it points to the right clamd socket. In this case on mine the on the /usr/local/etc/clamd.conf clamd socket is located on /var/run/clamd.sock

So I edited the /usr/local/etc/dansguardian/contentscanners/clamdscan.conf to make sure it points to the right location: In mine I change it to:

# edit this to match the location of your ClamD UNIX domain socket
clamdudsfile = '/var/run/clamd.sock'

Now the dansguardian + av content scanner is working great! I've test it to download eicar test file signature and it detects the signature.

However, I have additional question. I've set the proxy server to dansguardian port in the browser config file on http, ftp and https. But it seems dansguardian does not scan https protocol. Is that normal?

marcelloc

It will scan https url and domains only until whe find a way to create "valid" men-on-the-middle certs.
The point is That dansguardian 2.12 is the first release with full ssl filtering support But it is on experimental stage and not documented at all. We could compile it with ssl and also patched dansguardian-devel ports to help bsd users to get it working.

If you want to test or reach the same point we(cino and me) are, go on system cert manager, create a CA certificate and a server certificate using this ca. On dansguardian, apply these certificares on second tab and finally enable ssl filtering option on groups tab.

svtlightning

Are there any issues getting this to work with a carp interface. Works fine with LAN but trying to get it working with CARP.

marcelloc

listen dansguardian on loopback and create a nat rule from your virtual ip to 127.0.0.1