E2guardian package for pfsense - $??



  • I confirm the GUI Restart does not work. I made a change and it didn't pickup the changes when Restarting using the GUI. I had to go to shell and manually stop then restart to apply.



  • Is anyone working on getting official package? Or is that what you are all doing?



  • After installing e2guardian from freebsd ports using the manual procedure it seems to be working OK (Not perfect), but it did not work with SSL.

    I run "./e2guardian -v".  I did not see ssl support enabled.  This is sad.  :'(

    The e2guardian 3.4 (current stable version)  supports ssl, it should be compiled with ssl support enabled.  I bet the majority of the people is expecting the e2g package with ssl support enabled.



  • @jetberrocal:

    After installing e2guardian from freebsd ports using the manual procedure it seems to be working OK (Not perfect), but it did not work with SSL.

    I run "./e2guardian -v".  I did not see ssl support enabled.  This is sad.  :'(

    The e2guardian 3.4 (current stable version)  supports ssl, it should be compiled with ssl support enabled.  I bet the majority of the people is expecting the e2g package with ssl support enabled.

    Do you mind if you share how you got the e2guardian packaged from the freebsd ports? I've added the pkg manually like this:

    pkg add http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/e2guardian-3.4.0.3.txz
    Fetching e2guardian-3.4.0.3.txz

    But I'm not sure what to do after that… How do you even start it? If I type in "e2guardian" It says command not found.



  • @dotdash:

    @jetberrocal:

    I tried to install e2g manually, but the pfsense repository does not have the application.  Look for the application in pkg.freebsd.org but did not found the e2g version you are referring.  Where do I get it?

    pkg add http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/e2guardian-3.4.0.3.txz
    This just installs the FreeBSD port, not the pfSense bits…

    This is it.



  • Sorry. You have to perform the full manual install procedure. In this thread you can find a link some pages before.



  • @Mobile_Bob:

    You can install it manually, but I wouldn't suggest it.  The way it stands now it's not all that stable.  I would suggest (And it's what I did), installing E2Guardian on something like ubuntu then use nat to point all traffic at the second box running E2Guardian.  Then E2Guardian can point all traffic back to the PFSense box and squid will proxy and send it on.  Thats the most stabe way of setting up for now.  It's not the best because configs are a pain, but it's more stable.

    I'm thinking this is pretty much the only option if you want to inspect content with pfsense. Is there any cons to this kind of set up? Is there any overhead in routing if you are routing traffic first to the pfsense box, then to the e2guardian box, then back to the pfsense box? I would like to keep my network as fast as possible. How would traffic monitoring look? Would the pfsense box see all bandwidth being used by the e2guardian box or would it preserve the original IP of the host?

    Thanks!



  • @jetberrocal:

    Sorry. You have to perform the full manual install procedure. In this thread you can find a link some pages before.

    I you have not found the link for manual install procedure:

    http://knes1.github.io/blog/2015/2015-07-18-manually-installing-e2guardian-to-pfsense.html



  • @abel408:

    I'm thinking this is pretty much the only option if you want to inspect content with pfsense. Is there any cons to this kind of set up? Is there any overhead in routing if you are routing traffic first to the pfsense box, then to the e2guardian box, then back to the pfsense box? I would like to keep my network as fast as possible. How would traffic monitoring look? Would the pfsense box see all bandwidth being used by the e2guardian box or would it preserve the original IP of the host?

    Thanks!

    Sorry, have been really busy…  I'm sure there are some performance hits but if you want to do a transparent proxy it's your only real option in this type of a setup.  If you can setup proxy settings on each client (group policies etc), or a WPAD https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol, that would push traffic at your e2guardian box first and take a little load off the firewall.  I don't think it's enough to matter unless you have LOTS of traffic though...  All the proxied content still carries its origin IP addresses so traffic monitoring and the firewall will still show endpoint IP addresses, but if you're interested in your Squid logs they will show all traffic coming from e2guardian.



  • I discovered that e2guardian can be automatically started by adding 2 more steps to the manual install procedure ( http://knes1.github.io/blog/2015/2015-07-18-manually-installing-e2guardian-to-pfsense.html ).

    1. Rename /usr/local/etc/rc.d/e2guardian to e2guardian.sh
    2. Change the following text from NO to YES inside the file ": ${e2guardian_enable:=YES}"

    Now the service can also be started and stopped from the services display.

    For Step 8 of the manual install procedure, I suggest running the ssh commands as a bash shell script, but first bash must be installed:

    pkg install bash
    cp /usr/local/bin/bash /bin/

    make sure that you are in the following directory
    cd /root/pfsense-packages-be599ee41b2567459b1eaf55fff4ecb2ad3fa4ff/config/e2guardian/

    Create new file myscript.sh (I use winscp from Windows) with #!/bin/bash at the beginning and copy and paste all the commands from Step 8, save it, make it executable and execute it
    chmod +x myscript.sh
    bash myscript.sh

    For Step 9 there is a typo (purely cosmetic) for the menu xml. Change the 2 places of E2guradian to E2Guardian in the following lines for the menu to display correctly.

    <menu>
    <name>E2guradian</name>
    <tooltiptext>E2guradian</tooltiptext>
    Services
    <configfile>e2guardian.xml</configfile>
    </menu>



  • This thread from e2guardian forum shows hot to activate SSL support for FREEBSD using the ports.

    The same procedure can be used to turn other options that are turn off in the current package.

    What I am missing is how to get the e2guardian to be package with the SSL support or other turned on option to be able to install it in pfsense.



  • In the following thread you can find how to compile and package the e2guardian software for pfsense with the last FreeBSD ports version.

    You can activate MITM SSL support and other options.

    https://forum.pfsense.org/index.php?topic=115276.msg658813#msg658813

    Some e2guardian configurations have to be made directly on conf files.  This present a problem.

    Every time you make configuration changes through the GUI and save, the custom/manual settings are removed.

    I guess will need to modify some of the scripts in order to keep the manual settings.  This will present a challenge.



  • Maybe someone can modify the GUI scripts to include a custom text box field in the Groups section and the General section.

    Such that in the custom box anyone could add the settings not implemented in the GUI.

    For example the "nocheckcertsitelist" setting is not available for the Groups configuration.

    I guess for the e2guardian version the GUI was intended did not had that setting available at the moment of programming it.

    With the custom boxes the GUI can be extended to new versions by appending the box's text to the GUI generated configurations.



  • @marcelloc:

    I've started fixing packages to 2.3. If postfix gets merged and works fine, e2guardian(on current port version) is on the list.

    Marcelloc.  I have not seen you comment in this thread since December/2015.

    Could you evaluate making the changes I am suggesting?

    https://forum.pfsense.org/index.php?topic=87526.msg661002#msg661002



  • I see that postfix was denied… My guess is he is out...  I HOPE not, but...  Someone else may have to take over the package.  I'm a little disappointed since many people including myself donated money toward this package.  I could understand if e2guardian was also denied, but as far as I know it's still just incomplete.

    It's also possible that PFSense would deny this package as well.  It's not as cumbersome as postfix is, but I don't know what direction they are moving since previously the postfix package was approved...  :'(



  • This really would've been a big step forward for PfSense firewall, as web filtering goes. The standard SquidGuard is a nightmare. Really would've loved that HTTPS scanning :(



  • for now just force google and bing into safe search



  • Here is some summary to install the current e2guardian in psense:

    1. Create a virtual machine with FreeBSD 10.3 or the same version of your pfsense's FreeBSD.
    Make sure it has Internet access and connectivity to your pfsense machine

    2. Fetch e2guardian from FreeBSD ports

    pkg add http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/e2guardian-3.4.0.3.txz

    Fetching e2guardian-3.4.0.3.txz

    3. Please have a look at https://www.freshports.org/www/e2guardian/ - by default SSL=off: by default- you need to switch it on.

    portsnap fetch extract update && cd /usr/ports/www/e2guardian

    make config

    At this stage you need to check SSL to build e2g with SSL support or check other build options you need.

    make install clean

    4. Create package for personal use.

    make package

    But it says to run "portlint -CN" and that gives an error.
    That portlint is only relevant if your developing a package yourself.
    In this case your compiling an existing package and probably safe to ignore the portlint 'error' about to much files and cleanup to be done..

    5. Copy the created package to your pfsense machine. 
    If your FreeBSD virtual machine does not have a web server then use ftp or scp to transfer the file
    If your FreeBSD virtual machine has a web server that can serve the package you can repeat step #2 using the corresponding path.

    6. Install package
    If you copied the package using the web server method the package is already installed.
    If you copied the package by other means then install package
    #pkg add pkgcopiedpath

    There is a procedure to install a GUI for e2guardian but I do not recommend it because it was made for a really older version of e2g.

    There is another problem that has to be addressed.  The mitm error page is made for apache as main web server.
    pfsense uses gnix as main web server, so you have to configure e2g to use another web server or find a way to use gnix.
    I use other web server so I can not help you with the gnix option.

    It wont be easy to use the gnix.  I think you will have to change the pfsense https web site to use other ssl port
    as e2g will need the default ssl port to serve the error page.  Before there where vhosts package available but now you have to do it withou the vhosts package.



  • Take a look on this thread for 2.3.x install instructions

    https://forum.pfsense.org/index.php?topic=128116.0



  • I looked into the script and see that it will install e2guardian from freebsd ports as is, with defaults.

    If anyone wants to use mitm with e2g the defaults wont work.

    I do not know if pfsense will let you run "make config" and then "make install" to activate the ssl support option.

    I think it wont because "make" requires to have compilation packages in the system.



  • @jetberrocal:

    I looked into the script and see that it will install e2guardian from freebsd ports as is, with defaults.

    If anyone wants to use mitm with e2g the defaults wont work.

    I do not know if pfsense will let you run "make config" and then "make install" to activate the ssl support option.

    I think it wont because "make" requires to have compilation packages in the system.

    If it's compiling fine on freebsd, I'll do soon a ssl compile to update the GUI to accept it and also test the upcoming v4



  • In freebsd I run "make config" and then "make install" to activate the ssl support option.  It worked successfully.



  • @jetberrocal:

    In freebsd I run "make config" and then "make install" to activate the ssl support option.  It worked successfully.

    I've just create a 3.5.1 pkg on freebsd and installed on pfSense

    
    e2guardian 3.5.1
    
    Built with:  '--localstatedir=/var' '--with-logdir=/var/log' '--with-piddir=/var/run' '--enable-fancydm' '--disable-clamd' '--disable-commandline' '--disable-dnsauth' '--disable-email' '--disable-icap' '--disable-kavd' '--enable-ntlm' '--enable-trickledm' '--with-filedescriptors=4096' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.2' 'build_alias=amd64-portbld-freebsd10.2' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing  -DLIBICONV_PLUG' 'LDFLAGS= -lssl -lcrypto -fstack-protector' 'LIBS=' 'CPPFLAGS=-I/usr/local/include -DLIBICONV_PLUG' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
    
    

    and v4 beta too…

    I'll see what will need to change on config files...



  • Thank you marcelloc.  I think that most of the guys waiting for e2g are expecting it with ssl support.

    When do you expect for the package to be accepted in the freebsd ports?



  • @jetberrocal:

    Thank you marcelloc.  I think that most of the guys waiting for e2g are expecting it with ssl support.

    When do you expect for the package to be accepted in the freebsd ports?

    I did a first lookup on confi file changes. It will need some work to include all new features. But I could get ssl support working.  ;D
    I'll update the install process soon

    On the todo list I'll include on help tab a way to see what package gui you are using and if there is an update.

    If anybody wants to help the migration process, just look the TODO texts on e2gardian.conf.template and e2guardianfx.conf.template files on mu github repo.



  • Package install now includes 3.5.1 version with ssl support.



  • @marcelloc:

    @jetberrocal:

    In freebsd I run "make config" and then "make install" to activate the ssl support option.  It worked successfully.

    I've just create a 3.5.1 pkg on freebsd and installed on pfSense

    
    e2guardian 3.5.1
    
    Built with:  '--localstatedir=/var' '--with-logdir=/var/log' '--with-piddir=/var/run' '--enable-fancydm' '--disable-clamd' '--disable-commandline' '--disable-dnsauth' '--disable-email' '--disable-icap' '--disable-kavd' '--enable-ntlm' '--enable-trickledm' '--with-filedescriptors=4096' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.2' 'build_alias=amd64-portbld-freebsd10.2' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing  -DLIBICONV_PLUG' 'LDFLAGS= -lssl -lcrypto -fstack-protector' 'LIBS=' 'CPPFLAGS=-I/usr/local/include -DLIBICONV_PLUG' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
    
    

    and v4 beta too…

    I'll see what will need to change on config files...

    Marcelloc.

    Just received noticed there is a critical error with Google Chrome that was fixed on e2g 4.1

    Please provide some partial package using this version as soon as posible, as previous versions are unusable due to the Chrome error. 
    It says to be backward compatible.





  • @marcelloc:

    It's already updated. Just rerun the installation script.

    https://github.com/marcelloc/Unofficial-pfSense-packages/commit/36678fe4cb3868065f5f84d90796c76fe515045c

    Thank you for your excellent work.



  • Hello guys,
    first of all, thanks for all the work done due to implement this features!! Expecially Marcello!

    @pfSense2User:

    I am trying to enable the clamav in the e2guardian program, but alas, I get an error that is shown on my monitor:

    
    Aug 17 20:56:44 e2guardian[86361]: Unable to load plugin config /usr/local/etc/e2guardian/contentscanners/clamdscan.conf
    
    

    I'm guessing this is still in a working progress?  However, I'm glad that the squid3 comes with the clamav, but I like the e2guardian (formally Dansguardian) access denied error when it finds a virus on a site, like eicar's test antivirus.

    I'll post back if I found a solution (temporarily speaking).

    I have the same issue, I've tried to comment it on the conf file, but it's been recreated on every modify.
    How can I fix this?

    Thanks for any help!



  • @bedmakaveli:

    I've tried to comment it on the conf file, but it's been recreated on every modify.
    How can I fix this?

    Select none on antivirus integration instead of auto.



  • Is this going to become an official pfSense package at any point in the foreseeable future?



  • I'll send a pull request for the official repo probably when v5 gets stable



  • Hello guys,
    here I am again :) .
    After setting all up, and get E2guardian working correctly, I would love to redirect to the courtesy page also for https pages.
    I've read a lot of posts without finding something clear.
    I'm using explicit proxy setting, so i don't need the MITSSL, or at least I think so.
    There is a way to redirect the https pages to the courtesy page visualized on blocked http traffic or should i lose my hopes?

    Thanks marcelloc for all the work, I'll repay the efforts with a lot of coffes :)



  • I know e2guardian uses squidguard. Should squidguard on the Status/Services page be showing as running? Or does e2guardian manage its own private copy?

    I ask because e2guardian is installed, but doesn't seem to be working. The service is enabled, and nothing is being filtered.

    I noticed squidguard service is showing a red sign. Pressing play results in no change.

    squidguard used to be installed a long time ago. Hasn't been for a while.

    P.S. I'm using pfSense x86, version 2.3.3.



  • E2guardian doesn't need squidguard to work.

    You can remove squid and squidguard as well and install only e2guardian. After that, configure clients to use proxy.

    If you need transparent proxy, then you will need a more elaborated setup with squid + e2guardian package.



  • Thank you marcelloc.

    My e2guardian package showed a squidguard dependency and installed a squidguard packaged… even though I don't see it in the Services or Firewall menus.

    Transparent proxy is what I want. I will Internet search how to set it up. Do you have any pointers or references on doing this with e2guardian & squid?


Log in to reply