The pfSense Store

Author Topic: Installing the Dansguardian package in PFSense - One user's experience  (Read 60664 times)

0 Members and 1 Guest are viewing this topic.

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 10004
  • Karma: +5/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #15 on: April 09, 2012, 08:49:07 am »
Quote
Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid

Exactly the same issue here too.
I normally have to cycle the DG service after bootup.

Not sure quite what's happening here.

Can you check these steps posted on dansguardian topic at packages?
http://forum.pfsense.org/index.php/topic,43786.msg253812.html#msg253812

Offline Chewy

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #16 on: April 09, 2012, 03:21:32 pm »
Checked the thread and this appears to be the same problem as reported by Cino :
Quote
I think the problem I have, dansguardian is starting before squid.


We've had a long weekend in the UK so I did some checking into how the start up tasks are set in BSD. Forgive me if I'm telling you things you already know but it seems BSD uses directives (e.g #PROVIDES) within the start up jobs to create a dependency order. The directives show what a daemon provides and requires, which in turn are used by rcorder to order the job starts.

Marcello uses the directives in the Dansguardian start up job but squid doesn't use them which results in a random start order at best. The way to fix this would be to use the native BSD system consistently but it seems that historically this hasn't been done. I can imagine a work around which alters the "squid.inc" file to copy a template start up script in the same way that Marcello does it and in this squid template include the standard directives hence dictating the start up sequence.  

The other idea I had was to check for squid.sh in /usr/local/etc/rc.d and if it exists start it in the Dansguardian script. Something like this before the code to start DG:

Code: [Select]
if [-e /usr/local/etc/rc.d/squid.sh];
then
     /usr/local/etc/rc.d/squid.sh
     echo "#! /bin/sh" > /usr/local/etc/rc.d/squid.sh
fi

As I mentioned previously, I'm no expert with BSD so if I've got this wrong please do correct me (as much for my education as others).
« Last Edit: April 09, 2012, 03:40:52 pm by Chewy »

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 10004
  • Karma: +5/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #17 on: April 09, 2012, 05:24:25 pm »
Thanks Chewy, I'll do some tests and feedback.

Offline chris23

  • Newbie
  • *
  • Posts: 22
  • Karma: +0/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #18 on: April 12, 2012, 06:44:49 pm »
yeah, the message I get on reboot is:

Dansguardian no process found
Dansguardian no process found
Dansguardian no process found

I just start or restart it once boot is complete and all is OK.
No biggee, but slightly annoying.

Thanks and wouldn't be without it....

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 10004
  • Karma: +5/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #19 on: April 12, 2012, 06:59:19 pm »
I've tested it today on a clean install and dansguardian did worked after reboot.

It still takes 1minute to start but it works.  ???

Offline rjcrowder

  • Sr. Member
  • ****
  • Posts: 430
  • Karma: +1/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #20 on: April 14, 2012, 05:23:26 pm »
Curious to me that it worked for you... I had the same problem - DG wasn't working because it started before Squid. I couldn't figure out how the package manager controlled the order of startup scripts, so I did a little hack. I simply created another startup script called z_fixstartup.sh and placed it in /usr/local/etc/rc.d. Contents of the script is...

#!/bin/sh
# This file was automatically generated
# by the pfSense service handler.

rc_start() {
   /usr/local/sbin/dansguardian -Q
}

rc_stop() {
}

case $1 in
   start)
      rc_start
      ;;
   stop)
      rc_stop
      ;;
   restart)
      rc_stop
      rc_start
      ;;
esac

I had another small issue that someone else might want to be aware of. If you create a NAT rule to autoforward port 80 traffic, this somehow breaks XBox downloads. I had to exclude the IP address of the XBox in the forwarding rule.

Offline Chewy

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #21 on: April 17, 2012, 02:26:12 am »
RJ - Nice fix I'm going to try that one. What I still don't understand though is, as you say, how does the package manager control the start up order ? Is there no consideration to the order designed in to the mechanism ?

Marcello - I don't get it and I'm wonder if it's somehow random ? Does DG sometimes start after Squid or does it sometimes retry the connection, I have no idea, but it's very frustrating particularly when we can't reliably recreate the problem. Your comment about the time taken makes me wonder if I wait longer would the connection between DG and Squid eventually start ?
 
« Last Edit: April 17, 2012, 02:34:23 am by Chewy »

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 10004
  • Karma: +5/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #22 on: April 17, 2012, 08:16:15 am »
I don't get it and I'm wonder if it's somehow random ? Does DG sometimes start after Squid or does it sometimes retry the connection, I have no idea, but it's very frustrating particularly when we can't reliably recreate the problem. Your comment about the time taken makes me wonder if I wait longer would the connection between DG and Squid eventually start ?
 
If you check boot-up process, you will see dansguardian taking about a minute to startup. Did you tried to wait boot process finish before trying to connect to dansguardian?

Offline rjcrowder

  • Sr. Member
  • ****
  • Posts: 430
  • Karma: +1/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #23 on: April 17, 2012, 08:56:34 am »
I'll move the startup script somewhere else and try it again... but I'm fairly certain that it was never coming up - or at least not consistently.

This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).

I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)... it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?
« Last Edit: April 17, 2012, 09:03:49 am by rjcrowder »

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 10004
  • Karma: +5/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #24 on: April 17, 2012, 09:20:34 am »
This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).
It's a dansguardian feature, but I did not included on gui. check dansguardian.conf to see the secret.

I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)... it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?
I'll test it this week.

Offline Chewy

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #25 on: April 18, 2012, 06:58:23 am »
Quote
Or... better yet, has anyone already implemented the bypass feature?

I'm in the same position having come from Smoothwall where I had this feature working. Exactly as you say, DG can be a little harsh at times so I simply implemented the "Bypass Button" which gave access for 10 minutes and then reset. Mine wasn't as sophisticated as a userid and password since my filtering is only to provide a warning almost, I'm not really trying to ban my daughters from anything on the net, I'm just trying to stop them accessing stuff accidentally that they probably don't want (and of course remove adverts and such).

But anyway, I'm rambling on, if you do get that feature working I'd be really interested in how you've done it for this implementation with PFsense.
« Last Edit: April 18, 2012, 07:01:51 am by Chewy »

Offline rjcrowder

  • Sr. Member
  • ****
  • Posts: 430
  • Karma: +1/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #26 on: April 18, 2012, 09:38:53 am »
Dansguardian override works like a champ... Here is what I did.

1. Installed the vhosts package.
I had one minor issue with this. The service status page doesn't seem to correctly display the fact that it is running. I found a workaround on the forums to fix it http://forum.pfsense.org/index.php/topic,33804.0.html.

2. Followed the instructions for setting up the override page from here http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/.
This was pretty straight forward, I just had to change the directories to be appropriate to the light http web server. For example, I put the accessdenied.php file in the directory /usr/local/vhosts/vhost01.local/. Of course, I also had to change the URL's to be appropriate to my box and port. I put the password text file in /var/etc/.

Offline rjcrowder

  • Sr. Member
  • ****
  • Posts: 430
  • Karma: +1/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #27 on: April 19, 2012, 07:23:35 am »
On a related note... It did not work when I tried booting without the script to restart dansguardian at the end of the bootup. Without the script it appears that dansguardian starts up, squid starts after and then dansg eventually shuts down.

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 10004
  • Karma: +5/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #28 on: April 19, 2012, 07:33:09 am »
I could not reproduce this issue but I'll include on dansguardian gui an option to force squid startup before dansguardian.

Offline rjcrowder

  • Sr. Member
  • ****
  • Posts: 430
  • Karma: +1/-0
    • View Profile
Re: Installing the Dansguardian package in PFSense - One user's experience
« Reply #29 on: April 19, 2012, 11:13:17 am »
This one might be a little off topic, but let me throw out another "feature" idea from something that I originally had working on my IPCop box. I had IPCop running with DG/Squid by using the copplus addon. In addition, found a script that got me started and then made some changes to implement a "Dansguardian Bypass" that would allow you to enter a password and bypass filtering for a time period. It's nice because sometimes DG is overly aggressive in filtering. I don't remember where I got the setup script, but on IPCop it was doing perl CGI to a web server on port 81. It also looks like someone did the same thing with PHP on ClearOS (see http://honestpchelp.com/2011/clearos-dansguardian-accessdenied-php-bypass-script/).
It's a dansguardian feature, but I did not included on gui. check dansguardian.conf to see the secret.

I'm going to play around trying to get it to work on PFSense. However, the forum instructions I found for setting up a web server required installing a couple packages and mysql (see http://forum.pfsense.org/index.php/topic,47086.msg247364.html#msg247364)... it just seemed a little excessive to me since there's already a web server running for the web interface. Is there an easy way to get a web server instance that supports perl CGI or PHP on another port? Or... better yet, has anyone already implemented the bypass feature?
I'll test it this week.

It appears that there is no way to get the GUI to not overwrite my changes when the config is saved (for the access denied php page that I put in place)... Would it be possible to add an option to the GUI so that you can specify a URL for the access denied page rather than having the user supply the HTML page content?