Filter porn, viruses and ads with squid3, HAVP, Dansguardian and privoxy.
-
Berrance, is this the correct parent proxy for HAVP? Parent proxy to 127.0.0.1:8118? Shouldn't it be 3125, 3128, or 8080?
-
I believe so. The setup is:
Client > Nat to dansguardian (127.0.0.1:8080) > squid (127.0.0.1:3128) > Havp (127.0.0.1:3125) > Privoxy (127.0.0.1:8118) > internet
With no parent proxy in Havp you will get the internet but not running through privoxy so no ad blocking.
Please drop another line if you're having problems.
Berrance
-
I was able to get Dansguardian, Squid, and HAVP working before system resources were getting tight so I did not install Privoxy. Although my configuration was a little different. I will post it later.
EDIT:
I did almost everything up above except Privoxy (for now?) and the following:
1. I placed Squid on Transparent instead of turning it off.
2. I clicked LAN\Opt1 interfaces on Squid and HAVP. Squid proxy points at HAVP (I tried loopback but it did not work).
3. I did set HAVP as parent for Squid. (I tried Standard and Transparent but they did not work.)
4. I clicked LAN\Opt1\Loopback for Dansguardian; proxy server points at Squid (tried loopback but it did not work).
5. I NAT'd Opt1 traffic to the Opt1 interface IP address and the LAN subnet to the LAN interface IP address instead of the loopback (tried 127.0.0.1 but it did not work).
6. Added ignore_expect_100 on to Squid Proxy customizations.
7. Tested connectivity: "questionable material" was blocked and the eicar test was blocked as well. On a side note, do you know how many resources Privoxy takes up? I am hovering around 80% with all of the services I have running.
The firewall hardware consists of dual P-III 850 and 1 gig of RAM (everything is maxed).
-
Glad to hear you've got it going. Just a few notes on your points from my experience (may help other people). I could only get it working by doing it in the order from my howto (did a reinstall to check), but that's not to say I haven't missed something out.
1. For me, placing squid on transparent made the web traffic bypass Dansguardian, as Dansguardian was running before squid in the filter chain. Squid transparent mode redirected all http traffic to Squid, which is why I added a NAT rule for all traffic on lan1 port 80 and redirected it to 127.0.0.1:8080; provided Dansguardian is listening on loopback, that makes it transparent.
2. When squid is in transparent mode you may need squid listening on Lan. If you had Havp set as parent for squid and listening on loopback, what IP is shown in the Integrations section on the squid config page? You may need to change it from your lan address to 127.0.0.1.
3. For me it sorta worked with Parent for Squid. But for me, and a big But, after installing Dansguardian and restarting squid or rebooting the machine I had to re-add the line
acl all src 0.0.0.0/0.0.0.0
to squid.conf before the lines
never_direct allow allsrc
cache_peer 127.0.0.1 parent 3125 0 name=havp no-query no-digest no-netdb-exchange default
that Havp added when set to Parent for Squid, and restart squid. Which again didn't survive a restart. To fix this I set Havp to Standard and manually added the above lines, in order, to the Custom Options section on the proxy conf page, making sure the Integrations section is empty. To get the Integrations section to stay empty after Havp had been set to Parent for Squid I had to uninstall and reinstall Havp (possibly Squid as well, I can't remember). For testing purposes I just set my browser's proxy to squid; also for testing I did enable Squid to listen on Lan as well.
4. see 1.
5. What address/port were you listening on/redirecting to? Provided Dansguardian is listening on loopback port 8080 you should be fine redirecting traffic from Lan/Opt1 port 80 to 127.0.0.1 port 8080.
7. All should work well with all services running whilst listening on Lan, but should a user know the IP and port numbers of the services running, they could bypass vital parts of the chain by changing their browser's proxy settings.
I used to run a similar setup but without Havp on a dual P-III 600MHz with 750 MB of RAM, set up with IPCop a few years ago, and that used to max out pretty easily. The setup I used in the howto is an old P4 1.7GHz with 1GB RAM. Still running now with that howto.
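The posts above describe a chain where each daemon must forward to the next one's listening address and, per point 7, everything after the first hop should be reachable only on loopback so a user cannot point a browser straight at squid, HAVP or privoxy. The checker below is an added example, not code from the thread, pfSense or any of the packages: it parses constructed fragments of dansguardian.conf, squid.conf, havp.config and the privoxy config (real directive names, addresses and ports as quoted in the thread) and reports mis-wiring, a missing parent proxy (which silently drops the rest of the chain, as noted for HAVP without a parent), a squid peer without `never_direct`, a NAT redirect that misses the first hop, and any later hop bound off loopback. The `HAVP_CONFIG_BAD` fragment is a constructed variant of the "bound to the LAN address, no parent" mistake.

```python
"""Static wiring check for a dansguardian -> squid -> havp -> privoxy chain.
Added example; config fragments below are constructed, not copied from a box."""

LOOPBACK = "127.0.0.1"
WILDCARD = {"", "0.0.0.0"}          # bind address meaning "every interface"

DANSGUARDIAN_CONF = """
filterip = 127.0.0.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
"""
SQUID_CONF = """
http_port 127.0.0.1:3128
acl all src 0.0.0.0/0.0.0.0
never_direct allow all
cache_peer 127.0.0.1 parent 3125 0 name=havp no-query no-digest no-netdb-exchange default
"""
HAVP_CONFIG = """
BIND_ADDRESS 127.0.0.1
PORT 3125
PARENTPROXY 127.0.0.1
PARENTPORT 8118
"""
PRIVOXY_CONFIG = """
listen-address 127.0.0.1:8118
"""
# Constructed variant of the mistake discussed in the thread: HAVP bound to the
# LAN address instead of loopback, and no parent proxy at all.
HAVP_CONFIG_BAD = """
BIND_ADDRESS 192.168.1.1
PORT 3125
"""

def _words(text):
    """Whitespace-split tokens of every non-empty, non-comment line."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts

def _hostport(token):
    host, _, port = token.rpartition(":")     # "3128" -> ("", 3128)
    return (host, int(port))

def parse_dansguardian(text):
    kv = {p[0]: (p[2] if len(p) > 2 else "") for p in _words(text) if len(p) > 1 and p[1] == "="}
    return {"name": "dansguardian",
            "listen": (kv.get("filterip", ""), int(kv.get("filterport", 8080))),
            "upstream": (kv.get("proxyip", LOOPBACK), int(kv.get("proxyport", 3128)))}

def parse_squid(text):
    st = {"name": "squid", "listen": ("", 3128), "upstream": None, "never_direct": False}
    for p in _words(text):
        if p[0] == "http_port":
            st["listen"] = _hostport(p[1])
        elif p[0] == "cache_peer" and len(p) > 3 and p[2] == "parent":
            st["upstream"] = (p[1], int(p[3]))
        elif p[0] == "never_direct" and len(p) > 1 and p[1] == "allow":
            st["never_direct"] = True
    return st

def parse_havp(text):
    kv = {p[0]: p[1] for p in _words(text) if len(p) > 1}
    upstream = (kv["PARENTPROXY"], int(kv.get("PARENTPORT", 8080))) if "PARENTPROXY" in kv else None
    return {"name": "havp", "listen": (kv.get("BIND_ADDRESS", ""), int(kv.get("PORT", 8080))),
            "upstream": upstream}

def parse_privoxy(text):
    st = {"name": "privoxy", "listen": (LOOPBACK, 8118), "upstream": None}
    for p in _words(text):
        if p[0] == "listen-address":
            st["listen"] = _hostport(p[1])
        elif p[0] == "forward" and len(p) > 2 and p[1] == "/" and p[2] != ".":
            st["upstream"] = _hostport(p[2])   # "forward / host:port" = parent proxy
    return st

def _reaches(target, listen):
    """True if a connection to target (ip, port) lands on a socket bound as listen."""
    return target[1] == listen[1] and (listen[0] in WILDCARD or listen[0] == target[0])

def check_chain(stages, nat_redirect):
    """Findings for the ordered chain; an empty list means wired as intended."""
    out = []
    if not _reaches(nat_redirect, stages[0]["listen"]):
        out.append("NAT redirect %s:%d does not hit %s" % (*nat_redirect, stages[0]["name"]))
    for cur, nxt in zip(stages, stages[1:]):
        if cur["upstream"] is None:
            out.append("%s has no parent proxy: %s and everything after it is skipped" % (cur["name"], nxt["name"]))
        elif not _reaches(cur["upstream"], nxt["listen"]):
            out.append("%s forwards to %s:%d but %s listens on %s:%d"
                       % (cur["name"], *cur["upstream"], nxt["name"], *nxt["listen"]))
        if cur["name"] == "squid" and cur["upstream"] and not cur["never_direct"]:
            out.append("squid has a cache_peer but no 'never_direct allow': it may go direct and skip the peer")
    for st in stages[1:]:                       # only the first hop may face the LAN
        if st["listen"][0] != LOOPBACK:
            out.append("%s listens on %s:%d; a user who knows the port can point a browser there and bypass the earlier filters"
                       % (st["name"], st["listen"][0] or "all interfaces", st["listen"][1]))
    return out

def audit(havp_config=HAVP_CONFIG):
    stages = [parse_dansguardian(DANSGUARDIAN_CONF), parse_squid(SQUID_CONF),
              parse_havp(havp_config), parse_privoxy(PRIVOXY_CONFIG)]
    return check_chain(stages, nat_redirect=(LOOPBACK, 8080))

if __name__ == "__main__":
    print("good:", audit() or "ok")
    for finding in audit(HAVP_CONFIG_BAD):
        print("bad:", finding)
```

The good configuration produces no findings; the bad variant produces three (squid's peer no longer reaches HAVP on 127.0.0.1, HAVP has no parent so privoxy is never used, and HAVP is reachable from the LAN). On a real box you would read the four files from disk instead of the embedded strings; the `filterip`/`http_port`/`BIND_ADDRESS`/`listen-address` defaults used when a directive is absent are the daemons' documented defaults, and the check deliberately treats a wildcard bind as reachable from anywhere.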
-
berrance,
Great contribution. :) Just some notes:
-
Dansguardian already has antivirus integration, you do not need HAVP. ;)
-
Are you sure dansguardian blacklists can't deny ads?
-
Passing traffic through a lot of daemons may slow down internet access.
-
HTTPS access will not be filtered on this setup
-
Marcello,
What is your recommended configuration?
Thanks!
-
User -> dansguardian -> squid -> internet
(With clamav) -
Any good documentation on just using Squid and Dansguardian, or can you point me to the best thread? Everything I have tried fails.
-
Did you try this?
Installing the Dansguardian package in PFSense - One user's experience
-
Thank you, I figured out what was wrong … :-)
Now to figure out anti-virus.
-
Just select clamdscan on System -> Dansguardian -> General and save the config.
-
I did just that, but then Dansguardian pops up with a message stating it is blocking the site because it cannot scan it (Categories: Content scan). What else needs to be done; do I also need to disable a categories filter?
Thanks!
-
Force a freshclam update on the console and then restart dansguardian (or save the config).
-
Did that, same response - website blocked, unable to scan content…
In addition, if I turn on clamdscan, and then turn it off because it is not working properly yet, I have to reboot the box for internet connectivity to be restored.
Should I try to enable it and reboot?
-
Are you on the latest dansguardian package version?
-
I see other people have had this problem, but nothing sticks out yet.
-
Marcello,
I tried doing this and the download was successful; however, the deny page for Cisco is still displayed when clamdscan is activated.
http://forum.pfsense.org/index.php/topic,52163.0.html
-
Problem resolved…
I made a change thinking that was the problem for something else but it wasn't and caused a problem with clamdscan working properly. Now everything is working.
-
Hi all,
I followed this and got it to work, but found that things eventually slowed to a crawl. I think my box may be underpowered, but for me, blocking ads network-wide would be enough.
Can privoxy work standalone? I get an error in my browser when I try to NAT directly to 8118:
invalid header received from client
Privoxy is listening on localhost:8118
I would appreciate any tips.
Phob
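The difference that matters in the last post is what a proxy receives on its port. A browser configured to use a proxy sends an absolute-form request line (`GET http://host/path HTTP/1.1`); a browser whose port-80 traffic was redirected by a NAT rule sends the origin-form it would send to the web server (`GET /path HTTP/1.1`), and only the Host header says where it was going. Dansguardian and squid in transparent mode rebuild the URL from Host; a proxy that only expects proxy-form requests rejects the redirected ones as malformed. The classifier below is an added example, not code from the thread or from Privoxy; its three sample requests are constructed.

```python
"""Proxy-form vs. intercepted (NAT-redirected) request lines, as a proxy sees them.
Added example; the sample requests are constructed."""

PROXY_FORM = b"GET http://example.com/ads/banner.js HTTP/1.1\r\nHost: example.com\r\n\r\n"
INTERCEPTED_FORM = b"GET /ads/banner.js HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP10_NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"   # old client: nothing says where it was going

def target_url(raw):
    """Classify a request and recover the absolute URL a filter should decide on.

    Returns ("proxy", url) for an absolute-form target and ("intercepted", url)
    when the URL had to be rebuilt from the Host header. Raises ValueError when
    the destination cannot be recovered, which is the situation a proxy that
    only accepts proxy-form requests reports back as an invalid request.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        return "proxy", target                  # the browser knows it talks to a proxy
    if not target.startswith("/"):
        raise ValueError("unsupported request-target %r" % target)
    host = headers.get("host")
    if not host:
        raise ValueError("intercepted request without Host header: destination unknown")
    # Transparent filters decide on a URL rebuilt from Host, a value the client chose;
    # a blocklist keyed on it is only as trustworthy as that header.
    return "intercepted", "http://%s%s" % (host, target)

def recoverable(raw):
    """True if target_url() can work out where the request was going."""
    try:
        target_url(raw)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for sample in (PROXY_FORM, INTERCEPTED_FORM, HTTP10_NO_HOST):
        line = sample.split(b"\r\n", 1)[0].decode()
        print(line, "->", target_url(sample) if recoverable(sample) else "cannot recover destination")
```

For Privoxy specifically, the thread does not go into it, but its config has an `accept-intercepted-requests` option that makes it rebuild the URL from Host exactly as above; with that left at its default of 0, a NAT redirect into port 8118 delivers origin-form requests it will not parse as proxy requests.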