Installing the Dansguardian package in PFSense - One user's experience



  • I've called this a "user's experience" rather than a how-to because your mileage may vary if you follow in my footsteps. My requirement is what I already have from Smoothwall: a content filtering system, for use at home, to flag and block when a page is probably inappropriate content. The reason I want to change is that I believe PFsense is a better firewall, but before Marcello built this excellent package I was missing content filtering.

    Basic Install

    Firstly install PFSense and ensure that it is working. You should have internet access but no filtering. Don't install any packages before you install Dansguardian; they may work, but it's not what I did. In my set up I have a WAN interface pointing at the ISP and a LAN interface with the IP address 10.0.2.1

    In the web interface go to: System>Packages>Available Packages and select Dansguardian
    Click on the install button and wait for the installation to complete (It takes a fair amount of time so be patient)

    Setup

    Go to: Services>Dansguardian
    Click on Enable Dansguardian
    Listen interface - LAN
    Listen Port - 8080
    Proxy IP - 10.0.2.1 (My PFSense box)
    Proxy Port - 3128

    Go to the bottom and click Save

    Check that DG is running Status>Services

    At this point I found there was nothing listening on port 3128 (sockstat -4l), which I didn't expect because I thought the package installed Squid. So either I missed something or I was just wrong; either way, I decided to install Squid from the package.

    In the web interface go to: System>Packages>Available Packages and select Squid
    Squid configuration (optional)
    Visible host name - "your host name"
    save

    Now there is a squid server listening on 3128
    Go back to Services>Dansguardian and click save in order to recycle DG

    Testing the set up

    Set up your web browser to use Dansguardian and Squid. For Firefox proceed as follows:

    Tools>Options
    Network Tab>Settings>Manual Proxy configuration

    HTTP Proxy - 10.0.2.1 (IP of your dansguardian/PFsense machine)
    Port - 8080

    Tick - Use this proxy for all protocols

    Now try to access both a good site and a bad site:

    google.com - Good
    tits.com - Bad (or any other bad site)

    If you can access the good but not the bad everything is working as expected.

    Now I want to add a transparent proxy. I believe that the package author prefers to use WPAD/PAC/auto configuration with dns+dhcp as opposed to a transparent proxy. I agree that it's better for a professional set up in a company, but for me I just want to stop my daughters from inadvertently finding the wrong things on the net when browsing at home. In this use case I find the transparent proxy much easier.

    There is a tick box in the squid configuration page that is marked "Transparent Proxy" and promises to redirect everything automagically for you, it doesn't work for a DG set up in my experience.

    Add a rule to forward the browsing requests to Dansguardian (thanks to Zgruk for this since I copied it from his post):

    Firewall>NAT
    Port Forward tab click the + button
    Interface: LAN
    Protocol: TCP
    Source: LAN subnet
    Destination: any
    Destination Port: HTTP to HTTP
    Redirect IP: the IP of your PFsense box (10.0.2.1 in my case)
    Redirect Target Port: 8080

    Click Save and then Apply Changes

    Then retry your good and bad test after resetting the web browsers proxy to No proxy and you should get the same results.
    There are two other steps you can optionally choose, firstly to block direct access to Squid and hence bypassing DG altogether and secondly to do the same forwarding for HTTPS, the rules are detailed by Zgruk in this post

    I haven't done either of these since for my use case it isn't required.

    Further configuration

    With the base system working I continued to modify some other options. Obviously these are for my own use case and may not be appropriate for your use case.

    Naughtiness limit - By default the limit is set very low and since my daughters are teenagers I needed to increase it to a more appropriate limit.
    Service>Dansguardian>Groups - Click Edit - Scroll to naughtiness limit and set as appropriate

    Mime & Extension types - I find that despite the security risk from embedded viruses, teenagers like to download mpeg etc.
    Service>Dansguardian>Access Lists - Click Edit -  Comment out with # the ones you don't want active as appropriate

    URL exception list - Occasionally DG will block perfectly legitimate sites so I have a set of exceptions to allow the odd filtering mistake.  
    Service>Dansguardian>Access Lists>Site - Click Edit

    That's about it. If I've got things wrong or could have done them in a better way then do let me know. If this short write up helps anyone then it was worth the effort.
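The two checks the post relies on (is anything listening on 8080 and 3128, and does a good site come through the proxy while a bad one is blocked), as an added example that is not part of the original write-up or the package. It assumes the 10.0.2.1 address and ports from the post, the column layout of FreeBSD's sockstat, and that curl is available; the sockstat output embedded below is constructed to reproduce the "nothing on 3128" situation described above.

```sh
#!/bin/sh
# Added example (not from the original post): checks used while wiring
# DansGuardian (8080) in front of Squid (3128) on pfSense.
# Assumptions: pfSense LAN address 10.0.2.1 as in the post; the listener
# table below is a constructed stand-in for real `sockstat -4l` output.

DG_HOST="${DG_HOST:-10.0.2.1}"
DG_PORT="${DG_PORT:-8080}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Constructed `sockstat -4l` output: DG is up on 8080, nothing on 3128.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     dansguardi 23456 5  tcp4   10.0.2.1:8080         *:*
root     sshd       1234  4  tcp4   *:22                  *:*
root     lighttpd   2345  6  tcp4   *:443                 *:*'

# listening_on PORT [SOCKSTAT_OUTPUT]
# Returns 0 if a tcp4/tcp46 socket is bound to PORT on any address, else 1.
# With no second argument it queries the live system.
listening_on() {
    port="$1"
    if [ -n "$2" ]; then out="$2"; else out="$(sockstat -4l)"; fi
    printf '%s\n' "$out" | awk -v p="$port" '
        $5 == "tcp4" || $5 == "tcp46" {
            n = split($6, a, ":")          # last field after ":" is the port
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# proxy_http_code URL: fetch URL through DansGuardian and print the HTTP
# status code. Run it once against a good site and once against a site
# DG should block; a blocked site returns DG's own block response rather
# than the site's normal code. Needs network, so it is not run by default.
proxy_http_code() {
    curl -s -o /dev/null -x "http://$DG_HOST:$DG_PORT" -w '%{http_code}' "$1"
}

# Live checks only when invoked as: sh check_dg.sh live
if [ "$1" = "live" ]; then
    for p in "$DG_PORT" "$SQUID_PORT"; do
        if listening_on "$p"; then
            echo "port $p: listening"
        else
            echo "port $p: NOTHING listening"
        fi
    done
    echo "google.com -> HTTP $(proxy_http_code http://www.google.com/)"
fi
```

The listener check is the same `sockstat -4l` inspection the post describes, just made repeatable; if 3128 reports nothing listening, Squid is not installed or not bound to the address DG was pointed at.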



  • Thanks Chewy,

    I too have been wanting to use pfSense, but held back due to a lack of content filtering.  Thanks for your installation summary.  I'll give it a try now.

    Also, many thanks to marcelloc for his work in creating the package.



  • Chewy,

    Thanks for your mini howto and experience feedback  :)

    I'm involved on a lot of packages now but if I have some time in the future, I'll try to include transparent mode with a BIG security warning  ;)

    att,

    Marcello Coutinho



  • Couple of issues that some people may have. By the way this is a great easy to follow Dans setup, thanks!

    #1 When I installed squid my Proxy interface in squid was at "loopback", I changed that to LAN and things are fine now.
    #2 Just a note if you use the firewall to redirect port 80 to 8080. Make sure that your firewall rule that was created by the portforward, is located above your "LAN-any" rule so that it gets executed properly.



  • I did get the Dansguardian to work if I manually set the proxy, but I've added the rules to FW without any luck.
    I've put the rule
    Proto: TCP
    Source: LAN net
    Port: *
    Destination: 192.168.1.1
    Port: 8080
    above the lan-any rule, so it should work but it does not?
    How to solve?
    I can provide screenshots if asked.



  • Your nat is not correct, pay attention on nat description from the first post and apply on your config.



  • @marcelloc:

    Your nat is not correct, pay attention on nat description from the first post and apply on your config.

    I've done that,
    First is NAT

    Edit: I totally forgot that I'm connecting via VPN on my client, my bad.
    Thanks for a great "user experience"



  • I've only just had a chance to come back to see if there were any replies and this is a pleasant surprise. I'm delighted it's helped people.



  • thanks guys this really helped me out a lot.

    I have a question, what if I want to add in squidguard to control access at times of day.  Say 9am til 5pm only, on certain machines with a certain IP address.

    Had a bit of a try and I seem to be able to get on the net anytime with the config I tried.

    Anyone tried this??

    Thanks
    Chris



  • You mean dansguardian,squid and squidguard? ???



  • Yeah, can you not use squidguard as well?

    Or can I just put some settings into danguardian to control time of day access?

    Thanks

    (by the way marcelloc, good work!!)



  • I'm going to make a suggestion Chris but I've not tried this solution, it's speculative, so feel free to shoot me down if I missed something.

    Firewall>Schedule is possibly what you're looking for to solve the problem. If you only want content filtering between 9 - 5 then apply the schedule to the redirect rule such that DG and Squid are bypassed outside of the access hours. If you don't want any access at all outside of those hours then you can construct a rule that blocks certain IP and is only activate outside of those hours.

    Hope that helps



  • aagghhh,

    genius.  Why did I not think of that.  So simple really, it passed me by….

    Thanks a lot Chewy



  • Update - I don't seem to be able to edit the original post which I can see makes some sense for integrity reasons so I'll add some updates here (these aren't necessarily requests for change just observations for fellow travellers).

    Refreshing Dansguardian when changes have been made seems to be a bit hit or miss. The only entirely reliable method I've found is that suggested by Zgruk from the command line issue "dansguardian -Q". The "save" buttons work sometimes but not others which I suspect is entirely to do with DG and not the packaging.

    Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid, hence, any requests to DG fell into a black hole including the access to PFsense to fix the problem. Because of my (insecure) set up I could manually direct the browser at Squid to access PFsense, refresh DG using a simple save and that seemed to establish the socket between DG and Squid giving me back normal access.

    If you're not as insecure as me (and I don't recommend it for any professional set up) then the way to get back access would be to use the command line refresh I mentioned above.

    There may be a way to force squid to come up before DG I'm not sure. I'm more of a Linux man than BSD and despite their shared heritage they're different enough for me to have to research that change. If there's anyone out there who can supply the answer I'd be really grateful.



  • Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid

    Exactly the same issue here too.
    I normally have to cycle the DG service after bootup.

    Not sure quite what's happening here.



  • @chris23:

    Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid

    Exactly the same issue here too.
    I normally have to cycle the DG service after bootup.

    Not sure quite what's happening here.

    Can you check these steps posted on dansguardian topic at packages?
    http://forum.pfsense.org/index.php/topic,43786.msg253812.html#msg253812



  • Checked the thread and this appears to be the same problem as reported by Cino :

    I think the problem I have, dansguardian is starting before squid.

    We've had a long weekend in the UK so I did some checking into how the start up tasks are set in BSD. Forgive me if I'm telling you things you already know but it seems BSD uses directives (e.g. #PROVIDES) within the start up jobs to create a dependency order. The directives show what a daemon provides and requires, which in turn are used by rcorder to order the job starts.

    Marcello uses the directives in the Dansguardian start up job but squid doesn't use them which results in a random start order at best. The way to fix this would be to use the native BSD system consistently but it seems that historically this hasn't been done. I can imagine a work around which alters the "squid.inc" file to copy a template start up script in the same way that Marcello does it and in this squid template include the standard directives hence dictating the start up sequence.

    The other idea I had was to check for squid.sh in /usr/local/etc/rc.d and if it exists start it in the Dansguardian script. Something like this before the code to start DG:

    
    # if the squid start up script exists, run it (with "start", which the
    # pfSense rc.d scripts expect) and then replace it with an empty script
    # so that it is not run a second time later in the boot
    if [ -e /usr/local/etc/rc.d/squid.sh ]; then
        /usr/local/etc/rc.d/squid.sh start
        echo "#! /bin/sh" > /usr/local/etc/rc.d/squid.sh
    fi
    
    

    As I mentioned previously, I'm no expert with BSD so if I've got this wrong please do correct me (as much for my education as others).



  • Thanks Chewy, I'll do some tests and feedback.



  • yeah, the message I get on reboot is:

    Dansguardian no process found
    Dansguardian no process found
    Dansguardian no process found

    I just start or restart it once boot is complete and all is OK.
    No biggee, but slightly annoying.

    Thanks and wouldn't be without it….



  • I've tested it today on a clean install and dansguardian did work after reboot.

    It still takes 1minute to start but it works.  ???



  • Curious to me that it worked for you… I had the same problem - DG wasn't working because it started before Squid. I couldn't figure out how the package manager controlled the order of startup scripts, so I did a little hack. I simply created another startup script called z_fixstartup.sh and placed it in /usr/local/etc/rc.d. Contents of the script is...

    #!/bin/sh
    #
    # This file was automatically generated
    # by the pfSense service handler.
    #
    # z_fixstartup.sh: restart dansguardian at the end of the boot
    # (the z_ prefix sorts it after the other rc.d scripts, so squid
    # is already up by the time this runs)

    rc_start() {
        /usr/local/sbin/dansguardian -Q
    }

    rc_stop() {
        :    # nothing to stop; sh does not allow an empty function body
    }

    case "$1" in
    start)
        rc_start
        ;;
    stop)
        rc_stop
        ;;
    restart)
        rc_stop
        rc_start
        ;;
    esac

    I had another small issue that someone else might want to be aware of. If you create a NAT rule to autoforward port 80 traffic, this somehow breaks XBox downloads. I had to exclude the IP address of the XBox in the forwarding rule.
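An rc.d wrapper that combines the two ideas raised in the thread (Chewy's rcorder directives and RJ's restart-at-the-end-of-boot script) and adds the piece both lack: waiting until Squid's port actually accepts connections before starting DansGuardian, since the thread's finding is that DG does not retry the connection on its own. This is an added example, not the pfSense package's own script. The PROVIDE/REQUIRE lines are the directives FreeBSD's rcorder reads; whether pfSense's boot honours them for package scripts is exactly what the thread is unsure about, which is why the wait loop does not depend on ordering at all. The paths and the -Q/-q switches are the ones used in the thread; the retry count, delay and the script name are assumptions.

```sh
#!/bin/sh
# Added example, not the pfSense package's own rc.d script.
# (a) declares its ordering for rcorder with PROVIDE/REQUIRE directives;
# (b) polls Squid's listening port and only then starts DansGuardian,
#     because DG itself does not retry a failed proxy connection.
#
# PROVIDE: dansguardian_wait
# REQUIRE: squid
# KEYWORD: nojail

SQUID_PORT="${SQUID_PORT:-3128}"
DG_BIN="${DG_BIN:-/usr/local/sbin/dansguardian}"
TRIES="${TRIES:-30}"     # assumption: 30 x 2 s = one minute of patience
DELAY="${DELAY:-2}"

# squid_ready: 0 when something is listening on the Squid port (sockstat
# column layout as on FreeBSD; tcp4 and tcp46 sockets both count).
squid_ready() {
    sockstat -4l 2>/dev/null | awk -v p="$SQUID_PORT" '
        $5 == "tcp4" || $5 == "tcp46" { n = split($6, a, ":"); if (a[n] == p) f = 1 }
        END { if (f) exit 0; exit 1 }'
}

# wait_for CHECK TRIES DELAY: run CHECK (a command name) up to TRIES times,
# sleeping DELAY seconds between attempts. Returns 0 as soon as CHECK
# succeeds, 1 if it never does. CHECK runs in this shell, not a subshell.
wait_for() {
    check="$1"; tries="$2"; delay="$3"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if "$check"; then return 0; fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

rc_start() {
    if wait_for squid_ready "$TRIES" "$DELAY"; then
        "$DG_BIN" -Q          # restart (or start) DG now that squid answers
    else
        echo "dansguardian: squid never listened on port $SQUID_PORT" >&2
        return 1
    fi
}

rc_stop() {
    "$DG_BIN" -q              # -q asks a running DG to quit
}

case "$1" in
    start)   rc_start ;;
    stop)    rc_stop ;;
    restart) rc_stop; rc_start ;;
    *)       : ;;             # no action when sourced or run without args
esac
```

Dropped into /usr/local/etc/rc.d with a name that sorts late (as RJ's z_ prefix does), it behaves like his script when Squid is already up and simply waits when it is not, instead of leaving DG pointed at a socket that nothing is accepting on.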



  • RJ - Nice fix I'm going to try that one. What I still don't understand though is, as you say, how does the package manager control the start up order ? Is there no consideration to the order designed in to the mechanism ?

    Marcello - I don't get it and I'm wondering if it's somehow random ? Does DG sometimes start after Squid or does it sometimes retry the connection, I have no idea, but it's very frustrating particularly when we can't reliably recreate the problem. Your comment about the time taken makes me wonder if I wait longer would the connection between DG and Squid eventually start ?



  • @Chewy:

    I don't get it and I'm wondering if it's somehow random ? Does DG sometimes start after Squid or does it sometimes retry the connection, I have no idea, but it's very frustrating particularly when we can't reliably recreate the problem. Your comment about the time taken makes me wonder if I wait longer would the connection between DG and Squid eventually start ?

    If you check the boot-up process, you will see dansguardian taking about a minute to start up. Did you try waiting for the boot process to finish before trying to connect to dansguardian?



  • I'll move the startup script somewhere else and try it again… but I'm fairly certain that it was never coming up - or at least not consistently.

    This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).

    I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)… it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?



  • @rjcrowder:

    This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).

    It's a dansguardian feature, but I did not include it on the gui. check dansguardian.conf to see the secret.

    @rjcrowder:

    I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)… it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?

    I'll test it this week.



  • Or… better yet, has anyone already implemented the bypass feature?

    I'm in the same position having come from Smoothwall where I had this feature working. Exactly as you say, DG can be a little harsh at times so I simply implemented the "Bypass Button" which gave access for 10 minutes and then reset. Mine wasn't as sophisticated as a userid and password since my filtering is only to provide a warning almost, I'm not really trying to ban my daughters from anything on the net, I'm just trying to stop them accessing stuff accidentally that they probably don't want (and of course remove adverts and such).

    But anyway, I'm rambling on, if you do get that feature working I'd be really interested in how you've done it for this implementation with PFsense.



  • Dansguardian override works like a champ… Here is what I did.

    1. Installed the vhosts package.
    I had one minor issue with this. The service status page doesn't seem to correctly display the fact that it is running. I found a workaround on the forums to fix it http://forum.pfsense.org/index.php/topic,33804.0.html.

    2. Followed the instructions for setting up the override page from here http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/.
    This was pretty straightforward, I just had to change the directories to be appropriate to the light http web server. For example, I put the accessdenied.php file in the directory /usr/local/vhosts/vhost01.local/. Of course, I also had to change the URLs to be appropriate to my box and port. I put the password text file in /var/etc/.



  • On a related note… It did not work when I tried booting without the script to restart dansguardian at the end of the bootup. Without the script it appears that dansguardian starts up, squid starts after and then dansg eventually shuts down.



  • I could not reproduce this issue but I'll include on dansguardian gui an option to force squid startup before dansguardian.



  • @marcelloc:

    @rjcrowder:

    This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).

    It's a dansguardian feature, but I did not include it on the gui. check dansguardian.conf to see the secret.

    @rjcrowder:

    I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)… it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?

    I'll test it this week.

    It appears that there is no way to get the GUI to not overwrite my changes when the config is saved (for the access denied php page that I put in place)… Would it be possible to add an option to the GUI so that you can specify a URL for the access denied page rather than having the user supply the HTML page content?



  • Would it be possible to add an option to the GUI so that you can specify a URL for the access denied page rather than having the user supply the HTML page content?

    vote +1

    or even better, for me at least, the option to either specify the content or an override URL ?



  • @Chewy:

    or even better, for me at least, the option to either specify the content or an override URL ?

    The way to specify the content isn't already there?  ???



  • The way to specify the content isn't already there?

    Yes, it is there but RJCrowder is suggesting specifying a URL instead (or that's how I read it)

    Would it be possible to add an option to the GUI so that you can specify a URL for the access denied page rather than having the user supply the HTML page content?

    I'm merely asking to have both which could be achieved quite easily by allowing the reporting level and a redirect URL to be exposed through the GUI. Dansguardian will use the local HTML when the reporting level is 3 and the redirect URL when it is at levels 1 or 2.



  • Think I may have tracked down why Dans doesn't start properly on bootup (on my setup)
    I get this error:
    php: : The command '/usr/local/sbin/squid -k reconfigure' returned exit code '1', the output was '2012/04/25 10:17:58| WARNING: '192.168.0.0/255.255.255.0' is a subnetwork of '192.168.0.0/255.255.255.0' 2012/04/25 10:17:58| WARNING: because of this '192.168.0.0/255.255.255.0' is ignored to keep splay tree searching predictable 2012/04/25 10:17:58| WARNING: You should probably remove '192.168.0.0/255.255.255.0' from the ACL named 'localnet' squid: ERROR: No running copy'

    On my squid setup I have chosen to select LAN + loopback, so that the children go through the 8080 dans proxy and my machine uses 3128 (for caching purposes)
    Is it possible that this is causing the error and not allowing dans to start automatically.

    Still starts when I go in and press start.
    Or am I just completely barking up the wrong tree….  ::)
    Thanks
    Chris



  • Just another quick note on something that needs to be done… it appears that DG log rotation is not setup. You can enable the "logrotation" script in /usr/local/share/dansguardian/scripts/. To get it working, do the following.

    1. Edit /usr/local/share/dansguardian/scripts/logrotation and change
      LOG_DIR=/var/log/ to
      LOG_DIR=/var/log/dansguardian
    2. Make the file executable
      chmod +x /usr/local/share/dansguardian/scripts/logrotation
    3. Add it to your list of scheduled tasks in cron so that it executes once a week. To do so, I installed the "cron" package and added an entry as follows (executes at 2:30am on Saturday):
    # minute hour day-of-month month day-of-week user command
    30 2 * * sat root /usr/local/share/dansguardian/scripts/logrotation

    Hope this helps...



  • @rjcrowder:

    Just another quick note on something that needs to be done… it appears that DG log rotation is not setup. You can enable the "logrotation" script in /usr/local/share/dansguardian/scripts/.

    Thanks for these steps, I'll take a look and implement when time permits.



  • I've just pushed some fixes to improve dansguardian boot process and checks.

    On my tests, dansguardian startup time during boot process reduced to 20 seconds.

    Wait 15 minutes, reinstall the package, apply config and reboot.



  • Firstly - Thanks Marcello that's excellent news. Can I just clarify that where you say "apply config and reboot" do you mean manually apply the config or restore from a saved xml config ? Would that work ? (Just saves me some time if it does).

    Secondly and totally unconnected here's a strange one for Netflix users.

    I recently re-installed my windows system onto a new SSD and subsequently my Netflix gave a Silverlight N8152 DRM error when starting. I tried every suggested fix I could find for what is apparently a fairly common error all to no avail. The solution I found that worked for me was to disable the Dansguardian redirect rule, start Netflix, watch a moment of some content then stop Netflix and re-enable the redirect rule for DG, no more DRM N8152 Silverlight problem…..

    I have no idea why, but it worked for me.



  • @Chewy:

    Firstly - Thanks Marcello that's excellent news. Can I just clarify that where you say "apply config and reboot" do you mean manually apply the config or restore from a saved xml config ? Would that work ? (Just saves me some time if it does).

    Reinstall the package, go on dansguardian gui, manually apply the config. If you want to test boot process, reboot after apply config.



  • Hello All

    Many thanks to the author of the Dansguardian-Package. This is a very useful function added to pfSense.

    I found what appears to be a bug in the handling of the Dansguardian Package configuration on pfSense 2.

    Setup:
    pfSense 2.0.1-release
    Dansguardian Package (2.12.0.0 pkg; v.0.1.5.3)
    squid Package (2.7.9 pkg v.4.3.1)

    The Problem:
    If I set, on the configuration page of Dansguardian (>Services>Dansguardian>Daemon), the Proxy-IP to 127.0.0.1 and leave the value for the Proxy-Port empty (for the default), then in the config file of Dansguardian (/usr/local/etc/dansguardian/dansguardian.conf) the value 127.0.0.1 is written for the proxyport entry (proxyport = 127.0.0.1).

    My Solution:
    Manually set the value of the proxyport setting in /usr/local/etc/dansguardian/dansguardian.conf
    (In the pfSense-webgui for example by browsing to the config-file via >Diagnostics>Edit File).

    Regards
    Roman
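A check for the misconfiguration Roman reports (an IP address landing in proxyport when the port field is left empty), and the validation the GUI would need to avoid writing it. This is an added example, not code from the pfSense package. The config path is the one from the post; the dansguardian.conf fragment embedded below is constructed to reproduce the bad line, and the helper names and the 3128 fallback (DansGuardian's stock default for proxyport) are assumptions.

```sh
#!/bin/sh
# Added example, not part of the pfSense dansguardian package.
# Validates the proxy settings that end up in dansguardian.conf and
# flags the "proxyport = <ip address>" case reported in the thread.

DG_CONF="${DG_CONF:-/usr/local/etc/dansguardian/dansguardian.conf}"

# Constructed fragment reproducing the report: IP written into proxyport.
SAMPLE_CONF='# constructed dansguardian.conf fragment
filterip = 10.0.2.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 127.0.0.1'

# is_port VALUE: 0 if VALUE is an integer in 1..65535, else 1
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # empty, or anything non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# conf_value KEY CONF_TEXT: print the value of the first "KEY = value"
# line in CONF_TEXT (comments skipped, whitespace trimmed)
conf_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }'
}

# check_proxy_settings CONF_TEXT: print a verdict; return 0 if sane
check_proxy_settings() {
    port="$(conf_value proxyport "$1")"
    if ! is_port "$port"; then
        echo "bad proxyport '$port' (expected 1-65535; DG default is 3128)"
        return 1
    fi
    echo "ok: proxyport = $port"
}

# render_proxy_lines IP PORT: the lines the GUI should write. An empty
# PORT falls back to 3128 instead of leaking the IP into proxyport.
render_proxy_lines() {
    port="${2:-3128}"
    is_port "$port" || return 1
    printf 'proxyip = %s\nproxyport = %s\n' "$1" "$port"
}

# Live check only when invoked as: sh check_proxy.sh live
if [ "$1" = "live" ] && [ -r "$DG_CONF" ]; then
    check_proxy_settings "$(cat "$DG_CONF")"
fi
```

Running the live mode on a box with the bug produces the "bad proxyport" line, which is the cue to apply Roman's manual fix via Diagnostics>Edit File; the render function shows the fallback the GUI would need so the empty field becomes 3128 rather than the IP.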