Topic: e2guardian setup (Read 21083 times)
abel408, on: June 28, 2016, 09:41:26 pm
Hello all!
I'm trying out OPNsense for use at a school. Our current content filtering is done by Dansguardian. e2guardian is the new fork. I've done some searches and saw that e2guardian has been requested before. I'm looking for a guide on how to set it up with OPNsense.
Here are the 2 previous forum posts about e2guardian:
https://forum.opnsense.org/index.php?topic=364.0
https://forum.opnsense.org/index.php?topic=1551.0
Franco says that "pkg add e2guardian" should bring it to the system, but it does not on version 16.1.17.
I've installed it with this command:
pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/e2guardian-3.0.4_1.txz
I've also found a port for e2guardian here:
https://github.com/opnsense/ports/tree/master/www/e2guardian
But I'm not sure what to do from here. I don't see any lists or config files. Here are instructions on how to manually install it to pfsense:
http://knes1.github.io/blog/2015/2015-07-18-manually-installing-e2guardian-to-pfsense.html
Any way we could bring this to the GUI? If not, how can I configure it? Where are the config files located?

franco (Administrator), Reply #1 on: June 29, 2016, 07:37:33 am
Hi abel,
The dans/e2 path has been abandoned with 16.1 as we've added remote list management to the proxy server itself. It works on URL files, compressed or uncompressed and can select specific categories / files within compressed files if the full file is not appropriate for your use case.
Here's our web filter tutorial:
https://docs.opnsense.org/manual/how-tos/proxywebfilter.html
Cheers,
Franco

abel408, Reply #2 on: June 29, 2016, 05:07:27 pm
Thanks Franco,
A couple questions... I've set this up already. Is this just squid? Does it inspect content? Is there a way to add a URL that might not be included in these lists?
Also, is there any way to filter SSL without implementing a MITM CA? Not looking to inspect content of SSL pages, but it would be nice to block known explicit HTTPS web sites. My goal is to create just a transparent filter without installing a private CA to all browsers.
Thanks again!
Last Edit: June 29, 2016, 05:11:13 pm by abel408

franco (Administrator), Reply #3 on: June 29, 2016, 07:19:06 pm
Hi abel,
You're welcome.
Yes, just squid with a bit of automated management.
Under Forward Proxy tab, sub-tab Access Control Lists you can add:
o Allowed Subnets
o Unrestricted IP addresses
o Banned host IP addresses
o Whitelist
o Blacklist
The whitelist or blacklist is probably what you want. See the help text for further details. You can put e.g. your hostnames there.
And you can filter SSL in OPNsense without MITM using:
o Appropriate alias files for hosts/IP firewall block rules on e.g. port 443 (Firewall: Aliases: Import)
o Intrusion detection in prevention mode (inline) with the help of SSL fingerprinting (Services: Intrusion Detection)
There is also a way to use the hostname from the SSL certificate (also using Intrusion Detection), but I don't think this was implemented yet.
Cheers,
Franco

fabian (OPNsense Contributor), Reply #4 on: June 30, 2016, 10:41:10 am
Just to add another option: ICAP
If you do not use a CA, you will get at least the CONNECT requests from the proxy and it is possible to modify them.
You can use ICAP to filter content but I would not recommend it to be used as a simple URL filter as it would be a bit overpowered for this use case and squid does already provide that (see Franco's post for information about how to do that in OPNsense).

abel408, Reply #5 on: June 30, 2016, 10:07:02 pm
Thanks for the help guys.
In the past, we've always used an ICAP filter to inspect content (dansguardian), but perhaps squid with a good URL filter list would be sufficient for us. We find that dansguardian blocks more acceptable content than unacceptable content anyway.
I had a question about SSL filtering without a MITM CA. I'm a little confused about intrusion detection. I've enabled it in services and enabled IPS mode, but I'm not sure how the rules work. For example, if I wanted to block a certain YouTube video, but not youtube.com itself, how would I go about doing that? YouTube, of course, is HTTPS...

abel408, Reply #6 on: July 06, 2016, 08:11:23 pm
Any advice on the SSL URL Filter?

fabian (OPNsense Contributor), Reply #7 on: July 06, 2016, 10:20:40 pm
You cannot see the URL when the user is using TLS because it is part of the request line:
https://tools.ietf.org/html/rfc2616#section-5.1
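
Replies #4 and #7 above, as an added example that is not part of the original thread: what an explicitly configured forward proxy can match on when no MITM CA is installed. The hostnames, blacklist entries and request lines are constructed, and `visible_target` and `decide` are hypothetical helpers, not squid or OPNsense code.

```python
from urllib.parse import urlsplit

# Constructed blacklist entries (assumptions for illustration only).
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_URLS = {"http://video.example/watch?v=abc123"}


def visible_target(request_line):
    """Return (host, url) as the proxy sees it; url is None when hidden by TLS."""
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        # HTTPS through a proxy: the target is only "host:port". The real
        # request line (path and query) travels inside the encrypted tunnel.
        host, _, _port = target.rpartition(":")
        return host.strip("[]").lower(), None
    # Plain HTTP through a proxy: the request line carries the absolute URL.
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), target


def host_blocked(host):
    """Match the host itself or any subdomain of a blacklisted host."""
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def decide(request_line):
    """Apply host rules always, URL rules only when the URL is visible."""
    host, url = visible_target(request_line)
    if host_blocked(host):
        return "deny-host"
    if url is not None and url in BLOCKED_URLS:
        return "deny-url"
    return "allow"


# Constructed request lines as a proxy would receive them.
SAMPLES = [
    "GET http://video.example/watch?v=abc123 HTTP/1.1",  # URL rule can fire
    "GET http://video.example/watch?v=other HTTP/1.1",   # same host, other URL
    "CONNECT video.example:443 HTTP/1.1",                # URL not visible
    "CONNECT www.blocked.example:443 HTTP/1.1",          # host rule still works
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{decide(line):10} {line}")
```

The third sample is the single-video case asked about in Reply #5: over HTTPS the proxy only learns the host, so a per-URL rule never matches and the choice is between blocking the whole host or allowing it.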