Netgate Discussion Forum

    Squid + DansGuardian

    pfSense Packages
    • Airy

      Hi,

      I'm testing DansGuardian but I can't configure it properly.
      Here's my configuration for Squid :

      proxy interface : Loopback
      Allow users on interface : OK
      Transparent proxy : OK
      Log store directory : /var/squid/log
      Proxy port : 3128

      DansGuardian :

      Enable dansGuardian : OK
      listen Interfaces : Lan
      listen port : 8080
      Proxy IP : 127.0.0.1
      Proxy port : 3128

      In the Blacklist tab : Blacklist URL : http://squidguard.mesd.k12.or.us/blacklists.tgz
      How can I enable the blacklist ?

      Thank you,

      Airy

      • marcelloc

        Transparent proxy : OFF
        Log store directory : /var/squid/logs

        The applied blacklists are shown in a select box at access lists (sites and urls).

        Don't forget to:

        • allow access from clients to lan_ip port 8080

        • configure proxy options on client browsers to use pfsense lan and port 8080

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • Airy

          @marcelloc:

          Transparent proxy : OFF
          Log store directory : /var/squid/logs

          The applied blacklists are shown in a select box at access lists (sites and urls).

          Ok thank you.
          I tried to block facebook :

          • I enable URLs and Sites in Access list

          • At the end of both files I add facebook.com

          But I can still browse on the webpage. Should I add its IP ?
          If I download a Blacklist, I should write .Include<%his_path%> ?

          @marcelloc:

          • allow access from clients to lan_ip port 8080

          How do you do that ?

          @marcelloc:

          • configure proxy options on client browsers to use pfsense lan and port 8080

          I've done NAT rules :

          | IF | Proto | Src. addr   | Src. ports   | Dest. addr   | Dest. ports | NAT IP | NAT Ports |
          | WAN | TCP |     * |      * |       * | 80(HTTP) | 127.0.0.1 | 8080 |
          | WAN | TCP |     * |      * |       * | 443(HTTPS) | 127.0.0.1 | 8080 |

          Airy

          • marcelloc

            @Airy:

            I tried to block facebook :

            • I enable URLs and Sites in Access list

            • At the end of both files I add facebook.com

            Did you create and apply the configuration to the default group?

            Check the dansguardian log file to see if your traffic is going to dansguardian.

            @Airy:

            If I download a Blacklist, I should write .Include<%his_path%> ?

            You can do it this way or just add the URL on the blacklist tab.
            When a blacklist is applied, you can see new categories on access lists -> sites -> banned select box.

            @Airy:

            How do you do that ?

            firewall -> rules -> lan

            @marcelloc:

            • configure proxy options on client browsers to use pfsense lan and port 8080

            @Airy:

            I've done NAT rules :

            Not sure if you can transparent proxy ssl. check dansguardian access log file.

            • rcfa

              What's the recommended setup to run these three together? Or does Dansguardian take care of it?
              I mean I see the Content Scanner section, but it's not clear to me if that's just a tie-in to HAVP, or if Dansguardian runs it itself, making HAVP redundant.

              • marcelloc

                Dansguardian has an antivirus engine, so no need to install havp

                • Airy

                  Hi,

                  thanks for your answers !

                  @marcelloc:

                  did you create and apply the configuration to the default group?

                  I go in Services: DansGuardian : Groups -> there is already a default group but I didn't modify it.

                  @marcelloc:

                  check dansguardian log file to see if your traffic is going to dansguardian.

                  In /var/log/dansguardian/access.log the file was full of traffic like blocked sites and allowed.
                  I don't know how, but when I configure the proxy as 10.58.121.1(ip of pfsense):8080 in my internet options, the content is filtered and I can't go to default blacklisted websites ? I'd like to add that I can't answer you when I enable the proxy on my browser because DansGuardian filtered the site as a porn website …
                  I disabled DansGuardian to answer, but then there was no way to reconnect to the server. I loaded the original snapshot (with any package on it) and re-configured them. Since then, the access.log file is empty.

                  @marcelloc:

                  firewall -> rules -> lan

                  My NAT rules were zero, it put them on the WAN interface …
                  I modified them to LAN and they appear in firewall: rules: lan

                  | Interface | Protocol | Source | Source port range | Destination     | Destination port range | redirect target IP | Redirect target port |
                  | LAN | TCP | LAN address | any | any | HTTP | 10.58.121.1 | 8080 |
                  | LAN | TCP | LAN address | any | any | HTTPS | 10.58.121.1 | 8080 |

                  @marcelloc:

                  Not sure if you can transparent proxy ssl. check dansguardian access log file.

                  The goal of my project is that the wifi connection must be transparent; the clients just have to connect themselves with the captive portal.

                  Airy

                  -----------------------------------
                  EDIT :
                  If I configure my browser as I said, it seems to work.
                  However, not the way I want: I can't answer you if I enable the proxy in my browser 10.58.121.1:8080

                  Access to the page:

                  http://forum.pfsense.org/index.php?action=post;topic=50583.0;num_replies=2

                  … has been denied for the following reason:

                  Weighted phrase limit exceeded.

                  Categories:

                  Pornography

                  You are seeing this error because what you attempted to access appears to contain, or is labeled as containing, material that has been deemed inappropriate.

                  If you have any queries contact your ICT Coordinator or Network Manager.

                  Powered by DansGuardian

                  It's the same with Services: Proxy Server, which is blocked too, for Swedish porn if I remember.

                  So can we make it transparent with NAT rules, and how to properly configure the access list ? I added facebook as I said at the beginning of the post but I can still browse it.

                  • marcelloc

                    @Airy:

                    I'd like to add that I can't answer you when I enable the proxy on my browser because DansGuardian filtered the site as a porn website …

                    Whitelist this site or increase the Naughtiness limit field on the group tab.

                    @Airy:

                    So can we make it transparent with NAT rules, and how to properly configure the access list ? I added facebook as I said at the beginning of the post but I can still browse it.

                    Did you enable the banned list on access lists -> sites -> banned ?

                    • Airy

                      Hi,

                      @marcelloc:

                      Did you enable the banned list on access lists -> sites -> banned ?

                      No I didn't, I'll do it tomorrow and I'll keep you informed.

                      Airy

                      • rcfa

                        Dansguardian installs, but it keeps complaining about a missing AV database, and that it's going to run freshclam due to that. Of course, that doesn't seem to succeed, otherwise, I wouldn't get that message over and over, and instead would get it once, then the database would get downloaded, and that would be that.

                        Not sure if this is a 2.1 issue, or a general problem with the Dansguardian package.

                        Also, even though enabled, it never shows as active in the Dashboard's Services Status section, but obviously it must be doing something, otherwise it wouldn't complain about the lack of the AV database…

                        So something is certainly still funky with that package.

                        Unrelated question: I have such low traffic here, that the value of using squid is questionable. Can dansguardian also be used by itself, or does it require to be paired with squid to work properly?

                        • mschiek01

                          @rcfa:

                          Dansguardian installs, but it keeps complaining about a missing AV database, and that it's going to run freshclam due to that. Of course, that doesn't seem to succeed, otherwise, I wouldn't get that message over and over, and instead would get it once, then the database would get downloaded, and that would be that.

                          Not sure if this is a 2.1 issue, or a general problem with the Dansguardian package.

                          Also, even though enabled, it never shows as active in the Dashboard's Services Status section, but obviously it must be doing something, otherwise it wouldn't complain about the lack of the AV database…

                          So something is certainly still funky with that package.

                          Unrelated question: I have such low traffic here, that the value of using squid is questionable. Can dansguardian also be used by itself, or does it require to be paired with squid to work properly?

                          Do you have snort installed?

                          Here is what I have found. Snort installs pcre-8.30_2.
                          Dansguardian uses pcre-8.20_1 and will not work, or at least I cannot get it to work, with pcre-8.30_2.

                          However, if you install snort after you install dansguardian, it will work as long as you do not reboot your box.

                          If you have rebooted your box, dansguardian will appear to work sometimes, but if you go into it and click save on any of the buttons, then go into the sys log, you will see the errors.

                          If you do a pkg_delete -f pcre-8.30_2

                          Then go into dansguardian, click save, check the system logs: no errors; reboot: no errors; however, snort will not start.

                          If you do a pkg_add -f -r http://files.pfsense.org/packages/8/All/pcre-8.30_2.tbz (for i386 only) or
                          http://files.pfsense.org/packages/amd64/8/All/pcre-8.30_2.tbz (amd64 only)

                          Then snort will start, but do not reboot your box; if you do, you will have to do this all over again.

                          • rcfa

                            Ah, yes, snort is installed. Of course, the box also needs to be rebooted semi-regularly, particularly now during the 2.1 beta..

                            That's of course a bummer that snort and dansguardian are as it stands incompatible.

                            Was looking forward to a postfix-mailscanner, squid3-dansguardian and snort setup.

                            Looks like snort has issues, dansguardian has issues, and the mail server may have more CPU and memory available to be burdened with the spam/virus filtering business in e-mail…

                            Hope the dansguardian - snort incompatibility can be sorted out; I thought one of the reasons for the pbi packaging was to prevent these sort of things?

                            • Cino

                              @rcfa:

                              Hope the dansguardian - snort incompatibility can be sorted out; I thought one of the reasons for the pbi packaging was to prevent these sort of things?

                              I don't have this issue. Now Snort was installed after dansguardian many times yesterday..

                              
                              [2.1-BETA0][]/root(21): ps -aux | grep dans
                              nobody 11094  0.0  0.2  9612  6476  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 11263  0.0  0.2  9612  6476  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 11305  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 11636  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 11657  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 11909  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 12216  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 12382  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 12474  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 12726  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              nobody 45077  0.0  0.4 17804 12996  ??  Is    9:24PM   0:00.85 /usr/pbi/dansguardian-i386/sbin/dansguardian
                              root   54354  0.0  0.0  3536  1264   0  S+    9:32PM   0:00.01 grep dans
                              
                              [2.1-BETA0][]/root(22): ps -aux | grep snort
                              root   49923  2.4  5.5 424384 170376  ??  Ss    4:34PM   7:41.82 /usr/pbi/snort-i386/bin/snort -R 39737 -D -q -l /var/log/snort/39737_
                              root    2424  0.0  0.0  3536  1264   0  S+    9:33PM   0:00.00 grep snort
                              
                              
                              • mschiek01

                                @Cino:

                                @rcfa:

                                Hope the dansguardian - snort incompatibility can be sorted out; I thought one of the reasons for the pbi packaging was to prevent these sort of things?

                                I don't have this issue. Now Snort was installed after dansguardian many times yesterday..

                                
                                [2.1-BETA0][]/root(21): ps -aux | grep dans
                                nobody 11094  0.0  0.2  9612  6476  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 11263  0.0  0.2  9612  6476  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 11305  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 11636  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 11657  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 11909  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 12216  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 12382  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 12474  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 12726  0.0  0.4 17804 12996  ??  I     9:28PM   0:00.00 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                nobody 45077  0.0  0.4 17804 12996  ??  Is    9:24PM   0:00.85 /usr/pbi/dansguardian-i386/sbin/dansguardian
                                root   54354  0.0  0.0  3536  1264   0  S+    9:32PM   0:00.01 grep dans
                                
                                [2.1-BETA0][]/root(22): ps -aux | grep snort
                                root   49923  2.4  5.5 424384 170376  ??  Ss    4:34PM   7:41.82 /usr/pbi/snort-i386/bin/snort -R 39737 -D -q -l /var/log/snort/39737_
                                root    2424  0.0  0.0  3536  1264   0  S+    9:33PM   0:00.00 grep snort
                                
                                

                                The problem definitely exists on 2.0.1-RELEASE (amd64). I have multiple boxes; each one has the same problem.
                                Have you rebooted since you installed snort?
                                If you have, what happens when you go into the GUI and click save on any of the tabs?

                                Maybe the new beta does not have this problem?
                                Here are two posts on the subject:

                                https://bugs.archlinux.org/task/28459
                                https://bbs.archlinux.org/viewtopic.php?pid=1114701

                                • Airy

                                  Hi,

                                  @marcelloc:

                                  white list this site or increase Naughtiness limit field on group tab.

                                  Ok, I fixed Naughtiness on 160 (young adult as it's called).

                                  @marcelloc:

                                  did you enable the banned list on access lists -> sites -> banned ?

                                  Yes, I think I have done well.
                                  Check this screenshot, I enabled both sites and URL and added "facebook.com"; in the file, it says not to bother with "www" and "http://".

                                  I tried myself to do routing to make DansGuardian transparent and not have to configure the client browser, but I didn't succeed.
                                  I saw System -> routing but I don't think it will do what I want ? (make all packets go to port 8080)
                                  If I add a server before pfSense, is there a way to do this ?

                                  Airy

                                  • Cino

                                    @mschiek01:

                                    The problem definitely exists on 2.0.1-RELEASE (amd64). I have multiple boxes; each one has the same problem.
                                    Have you rebooted since you installed snort?
                                    If you have, what happens when you go into the GUI and click save on any of the tabs?

                                    I had it running fine on 2.0.1 i386 a couple of weeks ago.. but with all the package changes recently, I don't know without starting up a vm to test

                                    I've rebooted a few times since

                                    • Airy

                                      Hi,

                                      I think my NAT rules work because the content of my web page is filtered.
                                      However I can still go on the facebook site and I want to banish it. My configuration didn't change in the Access list, does anyone know why I can still browse on this website ?

                                      Airy

                                      • marcelloc

                                        @Airy:

                                        Hi,

                                        I think my NAT rules work because the content of my web page is filtered.
                                        However I can still go on the facebook site and I want to banish it. My configuration didn't change in the Access list, does anyone know why I can still browse on this website ?

                                        Airy

                                        Your screenshot shows the virusscanner description, are you sure you have configured it in the right place?

                                        ps: to attach screenshots to a post, use Additional Options.

                                        • Airy

                                          Hi,

                                          Thank you, it works fine.

                                          @marcelloc:

                                          Your screenshot shows the virusscanner description, are you sure you have configured it in the right place?

                                          I configured the virusscanner and not url and sites, I must be blind …

                                          Airy

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.