2.0.3 Squidguard not working



  • I'm not going to deny that I am a newbie but have been around PFsense for a little while. I just never had problems like this before.

    I have two brand new ALIX alix2d13 boards that we are trying to set up for our guest wireless networks. The only items we need are Captive Portal, Squid, and Squidguard.

    Captive Portal and Squid work perfectly. For the life of me, I cannot get Squidguard to block anything. I use Squidguard for other things so I certainly know how to work with ACLs, Target Categories, and Blacklists.

    We use the Shallalist blacklist for other Squidguard servers and there are 57 categories when I use them on other servers, the PFsense box only sees 37. If I remove all the Blacklists and create my own Target Category with only www.yahoo.com and set that one to deny on the Common ACL it still will not block it.

    I am sure I am missing something simple so any help would be appreciated.

    Thanks,

    Todd


  • Netgate Administrator

    Are you using Squid 2 or 3? If you loaded Squid 3 and then Squidguard it will try to load Squid 2 as a dependency and hose everything!

    The amount of RAM in the Alix is generally not enough to use blacklists with Squidguard. Assuming you are running a Nano image. Are you seeing memory related errors in the logs?

    Steve



  • As stephenw10 said, if you are using squid3 then you must install squid3 again after you installed squid2 squidguard.

    Then on squidguard go to blacklist and upload the shallalist.tar.gz - it will build the databases.
    After that you should be able to see all these lists on "Common ACL" if you expand "Target Lists".

    After you configured anything on squidguard you must always click "Save" and then "Apply" on "General Settings" pages.



  • Stephenw10\Nachtfalke -

    I have tried both Squid2 and Squid3 with the same results. I also found a post in this forum related to installing squid3 again after squid2. Still no luck.

    I have not seen any memory related errors in the logs yet.

    One other issue I have that I forgot to mention is that sometimes when I hit "Apply" on the "General Settings" page, all the blacklists db are deleted and I get a big red error message saying that it could not find xxx blacklist.

    I am wondering if I am not giving the system enough time to rebuild the databases.

    Today's plan:
    Re-image the CF
    Install squid2
    Install Squidguard
    Create my own Target categories

    Test test test

    If this seems to be working then I will try the shallalist blacklist again.

    One question is if I install the blacklists and they don't work, how do I remove them. If I just delete the databases I get the error I mentioned above when I hit "Apply" on the "General Settings"

    Thanks for your help.

    Todd



  • Testing update.

    I have re-imaged the CF, installed squid2, then installed Squidguard.

    Squid is running in transparent mode

    I have set Squidguard common ACL Default Access to Deny

    Tested

    Works great!

    Changed Default Access to Allow all

    Tested

    Worked Great!

    Added my own Target category News with www.cnn.com as the only Domain.

    Tested

    Works Great! Can go everywhere except www.cnn.com

    I am now installing a blacklist.

    I installed the blacklists from:
    ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists_for_pfsense.tar.gz
    Blacklist Update Log only found 30 items from the 47 in the package. This is issue #1.

    Set adult to Deny

    Default Access is set to allow.

    "Save" on changes in "Common ACL" then "Apply" on "General Settings"

    Test test test.

    Failed No blocking of any adult sites. :(

    Restarted Squidguard service - Tested - Still no blocking

    Restarted PFsense box - Tested -  Still no Blocking

    Checked Logs - no memory errors.

    run ps aux | grep squid

    5 Instances of squidGuard -c running

    Any additional help would be great.

    Todd



  • The problem is that /var partition is too small and blacklist cannot be fully loaded. On Alix /var is in RAM, you can increase it editing /etc/rc.embedded and put a larger value on varsize.
    The problem is that probably Alix hasn't got so much RAM to do this.
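
Added example, not part of the thread: a pre-upload check for the situation described above, comparing the unpacked size of a blacklist archive with the free space on the RAM-backed /var. The 3x headroom factor for the databases squidGuard builds next to the text lists is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example (not from the thread): will a blacklist archive fit on /var?

# Print the uncompressed size of a .tar.gz in KiB, rounded up.
# The tar stream size slightly overestimates the file contents, which is
# the safe direction for a capacity check.
archive_kb() {
    gzip -dc "$1" | wc -c | awk '{ print int(($1 + 1023) / 1024) }'
}

# Print the free space in KiB on the filesystem holding directory $1.
# -P forces the one-line POSIX layout, -k forces 1 KiB units.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# blacklist_fits ARCHIVE DIR [FACTOR]
# Succeeds when FACTOR x (unpacked size) fits in the free space of DIR.
# FACTOR defaults to 3 (assumed headroom for the generated databases).
blacklist_fits() {
    need=$(( $(archive_kb "$1") * ${3:-3} ))
    have=$(free_kb "$2")
    echo "need ~${need} KiB, have ${have} KiB free on $2"
    [ "$need" -le "$have" ]
}

# Run directly, e.g.: sh check.sh /tmp/shallalist.tar.gz /var
if [ "$#" -ge 2 ]; then
    if blacklist_fits "$@"; then
        echo "OK: archive should fit"
    else
        echo "TOO SMALL: raise varsize or trim categories from the archive"
    fi
fi
```

If the check fails, the two options raised in this thread apply: a larger varsize, or removing unused categories from the archive before importing it.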



  • @Gabri.91:

    The problem is that /var partition is too small and blacklist cannot be fully loaded. On Alix /var is in RAM, you can increase it editing /etc/rc.embedded and put a larger value on varsize.
    The problem is that probably Alix hasn't got so much RAM to do this.

    I recently addressed the question of running Squid on a nanoBSD installation. There are some limitations. I hope this thread may be helpful:
    http://forum.pfsense.org/index.php/topic,59932.msg322453.html



  • Call me stupid but the file system on the CF is read-only? How do I edit the rc.embedded file?

    I tried vi as a su but I still get the same results. Read only system

    Thanks again,

    Todd



  • @alkyred:

    Call me stupid but the file system on the CF is read-only? How do I edit the rc.embedded file?

    I tried vi as a su but I still get the same results. Read only system

    Thanks again,

    Todd

    Don't know the syntax on the command shell but on the packages they use "conf_mount_ro();" and "conf_mount_rw();"

    I am using the blacklists from www.shallalist.de
    I am just using some of the categories and not all and I see no reason to "spam" my Target Lists on squidguard with unused categories. What I do is download the file from the website, open it with 7zip and remove the unneeded categories. After that I upload it to /tmp and then import it in squidguard.

    To delete the old databases go to squidguard –> blacklists and then click on the white cross on the red bottom. This takes some time but it will restore the default database.



  • @alkyred:

    Call me stupid but the file system on the CF is read-only? How do I edit the rc.embedded file?

    I tried vi as a su but I still get the same results. Read only system

    Thanks again,

    Todd

    To re-mount e.g. the root filesystem rw you can use

    mount -uw /
    

  • Netgate Administrator

    Don't use the mount command directly, that has caused problems in the past. Use the built in scripts, see: http://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write

    Alternatively use the editor in the webgui which takes care of that for you. Diagnostics: Edit File:

    Steve



  • @stephenw10:

    Don't use the mount command directly, that has caused problems in the past. Use the built in scripts, see: http://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write

    Alternatively use the editor in the webgui which takes care of that for you. Diagnostics: Edit File:

    Steve

    Thanks, Steve, for correcting me. I've used the mount command in the past without any issues. I was not aware of possible problems but like to learn :)

    Peter



  • @pvoigt:

    I recently addressed the question of running Squid on a nanoBSD installation. There are some limitations. I hope this thread may be helpful:
    http://forum.pfsense.org/index.php/topic,59932.msg322453.html

    Yes, I know that it works, I've already tested and used it. Increasing var and tmp size, the only limitation is that you cannot do caching and you have to reload blacklist every time the box restarts, otherwise I have it in production without any problem.


  • Netgate Administrator

    @pvoigt:

    I've used the mount command in the past without any issues.

    It's very unlikely to cause any problems.
    Sometime during the development of 2.0 the mount script became broken in some conditions. This left the filesystem as RW which was not in itself a problem, Nano doesn't try to write anything anyway. However anyone using the mount command to set it RO immediately ran into trouble because the system could no longer re-mount the filesystem as RW via the script, resulting in not being able to save any changes. This has of course been fixed for the release version but it's good practice to use the same method the system does to avoid any mistakes, IMHO.  ;)

    Steve



  • I think with everyone's help I have this figured out, but I need a little more assistance.

    I have increased the size of the /var and /tmp inside the rc.embedded file and that has helped greatly with the importing of the blacklists however there is just not enough memory on the alix board.

    So here is my proposed fix:
    Add an external usb drive which will serve as my /var and /tmp. In order to do this I need to change the rc.embedded file again. This file currently mounts sections of memory for /var and /tmp. The following two lines do this:

    mdmfs -S -M -s ${tmpsize} md /tmp

    and

    mdmfs -S -M -s ${varsize} md /var

    Because I am not very familiar with FreeBSD I need help to change those lines so that it creates the directories on /dev/da0.

    If this solves my problems, I will make another post with the steps needed for anyone else to follow.

    Thanks in advance,

    Todd



  • You can do it (but I cannot help you because I don't know so much about BSD),
    the problem is that lots of data is written to tmp, so the USB drive will probably be damaged after a short time.


  • Netgate Administrator

    It's not as easy as just changing those lines. Creating a ramdisk does not require anything else. Using an external drive requires it to be formatted correctly and mounted before you can use it. There have been a few posts about this recently, relating to using an external drive for a squid cache for Alix.

    http://doc.pfsense.org/index.php/Local_Disk_Storage_on_Embedded_(soekris)

    Steve



  • @stephenw10:

    It's not as easy as just changing those lines. Creating a ramdisk does not require anything else. Using an external drive requires it to be formatted correctly and mounted before you can use it. There have been a few posts about this recently, relating to using an external drive for a squid cache for Alix.

    http://doc.pfsense.org/index.php/Local_Disk_Storage_on_Embedded_(soekris)

    Steve

    I have read the article you mentioned but it does not get me far enough.

    I have been able to mount the USB hard drive and it has already been formatted. I can mount the drive to /mnt but I just cannot figure out how to mount it to /tmp. The RC.embedded file sets up the /tmp folder to be loaded into a ramdisk but when I comment out that line and add /mount /dev/ufs/usbdisk /tmp it errors out.



  • I have solved my problem by following this article:

    http://mikepowells.net/tag/pfsense/

    Basically, I purchased a CF Micro Drive that allowed me to install the full version of pfsense. I don't know how long the Micro Drive will last so I am building a custom box to replace the ALIX boards. I am using an ITX board with dual NICs and an additional PCI slot for a DMZ if needed. The total cost is $348 which I don't think is too bad.

    Thanks for all the input.

    Todd

