next »

[ZGruk]

This guide assumes that you have pfSense 2.0 and that you have
installed squid from the packages list in the webConfigurator.

This guide was tested on a box with the following specifications:

CPU: 500Mhz AMD Geode
Memory: 1GB
pfSense version: 2.0
squid version: 2.7.9_4.2
Dansguardian version 2.12.0.0 alpha

Due to the lack of development tools (such as make, gcc, etc) it is impossible
to compile Dansguardian from source in pfSense. To get around this, you can
install it on a FreeBSD system, and then copy the pertinent files to pfSense.
I installed Dansguardian on a FreeBSD system in VirtualBox and then packaged
the files into a tar file, which is available at https://sites.google.com/site/computdoctrinae/home/files.
The version of Dansguardian from which this tar is derived is 2.12.0.0 alpha.
I will add a link to a tar from the latest stable version later.  
The tar contains the following folders:

1. sharedoc – this folder has a dansguardian folder in it, which should be copied.
2. Share – this folder also has a dansguardian folder in it.
3. Sbin – this folder has the dansguardian executable in it.
4. Etc – this folder has a dansguardian folder in it
5. varlog – this folder has a dansguardian folder in it.

   The dansguardian folders and executable should be copied into
their respective folders on the pfSense system with the root at /usr/local/.
Thus the sharedoc dansguardian folder goes in /usr/local/share/doc/,
the share dansguardian folder goes in /usr/local/share/, the varlog dansguardian
folder goes in /usr/local/var/log/, etc. After this simply running the “dansguardian”
command should be all that is necessary to start it running. If you get
an error that the /usr/local/var/log/dansguardian/access.log file
cannot be accessed or created, you will need to change the
permissions on that file to allow access from anyone.

Code:

chmod a+rw /usr/local/var/log/dansguardian/access.log

   Once dansguardian is running, it is necessary to configure pfSense to forward all traffic through port 8080, which is the default dansguardian port. Add a rule to the Firewall → NAT → Port Forward page in your webConfigurator with the following settings:

Interface: LAN
Protocol: TCP
Source: LAN subnet
Destination: any
Destination Port: HTTP to HTTP
Redirect IP: <the IP of your pfSense box>
Redirect Target Port: 8080

Leave all the other settings default. Make sure and apply the changes after
you save the rule. At this point filtering should work. To test you can add
a site to the bannedsitelist file in /usr/local/etc/dansguardian/lists, reboot dansguardian using

Code:

dansguardian -Q

and then try to view that site from your browser.
At this point all normal traffic goes through dansguardian. It is still possible, though, for someone to
force the browser to go through port 3128 (the squid port) and thus circumvent dansguardian.
To prevent this, add another entry to the Port Forwarding area to redirect all traffic on port 3128
to port 8080 (instead of HTTP to 8080).

NOTE 1: With these settings, secure connections (HTTPS) are not forwarded and hence are not filtered,
since doing so would undermine the security of the connection. If you wish to filter this traffic as well
add a third rule forwarding HTTPS to port 8080.

NOTE 2: I was under the impression that enabling the caching function of squid was necessary to make
dansguardian work. I have turned off caching and dansguardian still seems to work... But if someone else
knows better, I would like to know.
-----------------------------------------------------------------------------------------------------------------------
After installing dansguardian, I would highly recommend changing some of the default settings, particularly the "naughtiness level" in dansguardianf1.conf (which is in /usr/local/etc/dansguardian), since by default a number of perfectly legitimate sites are blocked as
having Japanese or Norwegian pornography. These include Facebook, Netflix, iTunes, some Google searches, and I'm sure others that I haven't run across.
------------------------------------------------------------------------------------------------------------------------
I have only tested this on the embedded version of pfSense. It should work on the full version.

I don't know whether this will work on an older version pfSense. I think probably not. Any feedback would be appreciated.

[Cino]

nice write up! Have you looked into maybe making this into a package?

[marcelloc]

I'll try this, if it works as expected, I can help on package...

worderfull News!!! finaly a web content analyser for pfsense.

excelent work ZGruk!! 

[ZGruk]

UPDATE:

So, after a month or so of using this I've found out some things:

Dansguardian definitely works without squid caching.
Which is good for me, since it was filling up my little 2GB CF card very quickly.

The log file (access.log) can also get rather large over time. About 100 Mb in a month.

I turned down the "naughtiness level" and I still get "Japanese pornography" every once in a while.
Generally reloading the page once is all that's necessary to get rid of it. Or you could turn it down farther.

------------------------

I looked into making this into a package, and it looked rather complicated and time consuming.
If someone wants to do it I'll be glad to help all I can, and if not, maybe one of these day's I'll do it myself.

[JackL]

Congratulations for you work with this guide.

We, the brazilian portuguese forum, we made sure to draw attention to him: http://forum.pfsense.org/index.php/topic,42641.msg226605.html#msg226605

The guide also worked with one thread in our mailing list: http://lists.pfsense.org/pipermail/pfsense-pt/2011-December/000407.html

[] 's
Jack

[marcelloc]

I can help in dansguardian package since i finish mailscanner package.

Do you have 32 and 64 bits version or compilation args you used?

[ZGruk]

The files I posted are from a 32-bit version. I didn't use any compilation arguments. Keep in mind, however, that I didn't compile it in pfSense. I compiled it in FreeBSD and copied the resulting files to pfSense.


---------------------

If you're interested in working on this, we should probably open a thread in the Packages section of the forum.

[marcelloc]

package topic for dansguardian

http://forum.pfsense.org/index.php/topic,43786.msg226796.html#msg226796

[gadams65]

First I need to thank whoever ported Dansguardian to pfSense.  I had been using Dansguardian on IPCop for years and pfSense is such a superior firewall that I was hoping someday that Dansguardian would get ported.

I have created the three NAT rules as mentioned in this post, but it would appear that the https rule is not working.  It blocks all https traffic when I try to go through the firewall transparently without configuring my browser to use a proxy.  If I configure my browser to use a proxy, https filtering seems to work.  My preference is of course to run transparently.  Any ideas?

[marcelloc]

Did you installed dansguardian package for pfsense?

This guide is to install it by hand with no gui.


I'm not sure if https can be used in transparente mode.

proxy WPAD/PAC/auto configuration using dns+dhcp is the best way to configure browsers in a "transparent" way

[gadams65]

Yes I did install the package.  Even with installing through the package I had to add the HTTP and 3128 NAT rules for it to work though.

Okay I'll try forcing browsers to autoconfig using dns+dhcp as you recommend.  Thank you!!

[valshare]

Okay I'll try forcing browsers to autoconfig using dns+dhcp as you recommend.  Thank you!!

Hi gadams65, any news about https and transparent mode?

REgards, Valle

[kryptos]

Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don't find any. Does it mean I need to configure it manually?

Thanks
Rocel

[kryptos]

Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don't find any. Does it mean I need to configure it manually?

Thanks
Rocel

[kryptos]

Thanks for this howto I now have a working filtering. I have a question where is exception IP list located? I tried looking the menu I don't find any. Does it mean I need to configure it manually?

Thanks
Rocel