Dansguardian package for 2.0
-
Thank you for developers creating this magnificent add on package for pfsense. This is a feature I missed since I migrated from clearos to pfsense :)
However, I have a little problem. I managed to get it working but I can't get the antivirus scanner to work. When the content scanner enabled (select clamdscan) on the general tab I get access denied page of "WARNING: Could not perform content scan!" when I try to open a webpage.
I also saw this on the dansguardian access log:
2012.2.20 16:17:21 - *.*.*.* http:///***** *SCANNED* *DENIED* Error connecting to ClamD socket GET 149 0 Content scanning 1 403 - Default - -I'm not sure how to fix the problem since there are clamd daemon when I view the system process
root 63856 0.0 14.3 231316 220988 ?? Is Fri09PM 25:43.08 /usr/local/sbin/clamd -c /usr/local/etc/clamd.confIf the av scanner turned off, all other filtering is working fine.
-
Do you have other packages running on this pfsense?
I get this error only few seconds after a service restart during config apply.
-
I do have HVAP and squidguard installed, but not running. Is this the cause? I'm going to try to remove them now
-
You may need to remove havp.
Dansguardian package uses the same user applied to clamav conf but I did not tested with havp installed.
-
You may need to remove havp.
Dansguardian package uses the same user applied to clamav conf but I did not tested with havp installed.
I've removed havp, reinstall dansguardian but no luck. Finally I managed to get it working though. I need to modify /usr/local/etc/dansguardian/contentscanners/clamdscan.conf file on the UNIX domain socket thing to match with the value located in /usr/local/etc/clamd.conf
Not sure why the value is different, maybe havp changed it?
-
Try remove dansguardian and look exists packages from console - pkg_info
If any clam package exist, you must delete it's manually - pkg_delete full_pkg_nameCan exist clam AV from havp pkg.
Then install dansguardian new.
-
Not sure why the value is different, maybe havp changed it?
Maybe. Try uninstalling clamav after havp just like dvserg told you.
If I have some time this week I'll try to check havp clamav config and make dansguardian compatible to it.
-
I've had this same problem never was able to get it to work. I think the issue occurs when postfix is installed allong with dansguardian.
-
Hi mschiek01,
Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.
Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem. -
2.0.1-RELEASE (i386)
I did try full uninstall no luck. I need to take a look and see if havp and all its components were removed on the deinstall.
-
Hi mschiek01,
Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.
Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.I did get it to work. Here is what I did:
Uninstall, postfix, dansguardian & mailscanner
reinstall HAVP
uninstall HAVP & deleted havp user
reinstall postfix, mailscanner, dansguardian
Trying to just pkg_delete the clamv packages was showing errors concerning the packaged deletion.Stopped working again with "error connecting to clam d socket"
-
The way I did:
Clean install
Postfix
Mailscanner
DansguardianI'll do it again this week to test.
-
still have a lot more testing with SSL man-in-middle but when I try to access https sites, i'm getting the danguardian denied page "Certificate supplied by server was not valid"
still have to check logs and read the docs from danguardian site on this feature.
-
I'm on the same point.
I did not found anything usefull on internet.
This is a most wanted experimental and non documented feature ever. :(
-
Hi mschiek01,
Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.
Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.I did get it to work. Here is what I did:
Uninstall, postfix, dansguardian & mailscanner
reinstall HAVP
uninstall HAVP & deleted havp user
reinstall postfix, mailscanner, dansguardian
Trying to just pkg_delete the clamv packages was showing errors concerning the packaged deletion.Stopped working again with "error connecting to clam d socket"
check the config file make sure it points to the right clamd socket. In this case on mine the on the /usr/local/etc/clamd.conf clamd socket is located on /var/run/clamd.sock
So I edited the /usr/local/etc/dansguardian/contentscanners/clamdscan.conf to make sure it points to the right location: In mine I change it to:
# edit this to match the location of your ClamD UNIX domain socket clamdudsfile = '/var/run/clamd.sock'Now the dansguardian + av content scanner is working great! I've test it to download eicar test file signature and it detects the signature.
However, I have additional question. I've set the proxy server to dansguardian port in the browser config file on http, ftp and https. But it seems dansguardian does not scan https protocol. Is that normal?
-
It will scan https url and domains only until whe find a way to create "valid" men-on-the-middle certs.
The point is That dansguardian 2.12 is the first release with full ssl filtering support But it is on experimental stage and not documented at all. We could compile it with ssl and also patched dansguardian-devel ports to help bsd users to get it working.If you want to test or reach the same point we(cino and me) are, go on system cert manager, create a CA certificate and a server certificate using this ca. On dansguardian, apply these certificares on second tab and finally enable ssl filtering option on groups tab.
-
Are there any issues getting this to work with a carp interface. Works fine with LAN but trying to get it working with CARP.
-
listen dansguardian on loopback and create a nat rule from your virtual ip to 127.0.0.1
-
It will scan https url and domains only until whe find a way to create "valid" men-on-the-middle certs.
The point is That dansguardian 2.12 is the first release with full ssl filtering support But it is on experimental stage and not documented at all. We could compile it with ssl and also patched dansguardian-devel ports to help bsd users to get it working.If you want to test or reach the same point we(cino and me) are, go on system cert manager, create a CA certificate and a server certificate using this ca. On dansguardian, apply these certificares on second tab and finally enable ssl filtering option on groups tab.
I have same problem with Cino mentioned when using SSL filtering, the dansguardian itself reject/block the site since the certificate is not valid. I thought the client's browser will warns the user about invalid certificates (I've used astaro gateway before) then the user can choose to continue. Maybe since this very experimental stage it does not work well yet.
On another note, a little bit out of topic. I've used proxy.pac and wpad.dat to autoconfigure the proxy settings on the client computers. I put proxy.pac, wpad.dat and wpad.da on local webserver on the network and assign wpad dns name to that particular webserver. This is working fine for most of the computers, most computers connect though the proxy automatically.
However it seems not all client using the proxy settings so when I block outgoing port 80 some client just can't connect to the internet. I've checked the settings and I'm sure all settings is the same (Auto detect settings are ticked). So I did NAT to redirect outgoing port 80 from the internal network to the dansguardian port and its working fine and making sure all clients browse thru the filter.
But with this method I have little trouble bypassing the filter for some host. On the pfsense squid configuration menu it has the option to enable transparent proxy and select exception list of IP are permitted to bypassing the proxy. I'm not sure how to do it on using NAT rule.
EDIT: one more thing. If using wpad/proxy.pac config it will bypass captive portal. Users can browse the internet but can't check emails on outlook since the ports are blocked by the captive portal, cannot login to captive portal too since it nevers shows the login page. If I did not use proxy/wpad thing (connect directly and use port redirection (transparent) the captive portal is working properly). I guess this is the drawback using wpad/proxy auto config.
-
Hi mschiek01,
Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.
Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.I did get it to work. Here is what I did:
Uninstall, postfix, dansguardian & mailscanner
reinstall HAVP
uninstall HAVP & deleted havp user
reinstall postfix, mailscanner, dansguardian
Trying to just pkg_delete the clamv packages was showing errors concerning the packaged deletion.Stopped working again with "error connecting to clam d socket"
check the config file make sure it points to the right clamd socket. In this case on mine the on the /usr/local/etc/clamd.conf clamd socket is located on /var/run/clamd.sock
So I edited the /usr/local/etc/dansguardian/contentscanners/clamdscan.conf to make sure it points to the right location: In mine I change it to:
# edit this to match the location of your ClamD UNIX domain socket clamdudsfile = '/var/run/clamd.sock'Thanks my configuration was the same. I made the change and it is working now.
Now the dansguardian + av content scanner is working great! I've test it to download eicar test file signature and it detects the signature.
However, I have additional question. I've set the proxy server to dansguardian port in the browser config file on http, ftp and https. But it seems dansguardian does not scan https protocol. Is that normal?
