Thursday, June 11, 2015

Pfsense, Transparent Squid and Dansguardian - a piece of crap

How do you set up a transparent Squid proxy (here: HTTP only) with an advanced-level security filtering add-in for your local network?

What is Pfsense? What is a proxy? If you don't know the answer to these questions this is not for you.

1. Install Pfsense
2. Set up your interfaces, default gateway, DNS resolvers or forwarders, etc.
3. Install Squid3 and Dansguardian (at the time of this writing Squidguard is broken in recent Pfsense and won't work with Squid3. In the system log we see lots of:
squid[81808]: Squid Parent: (squid-1) process 45089 exited with status 1
squid[81808]: Squid Parent: (squid-1) process 63729 started
(squid-1): The redirector helpers are crashing too rapidly, need help!
and in cache.log:
Shared object "libldap-2.4.so.2" not found, required by "squidGuard"
Shared object "libldap-2.4.so.2" not found, required by "squidGuard"
Shared object "libldap-2.4.so.2" not found, required by "squidGuard"
kid1| WARNING: redirector #Hlpr0 exited
FATAL: The redirector helpers are crashing too rapidly, need help!
Of course libldap is right there, in /usr/pbi/squidguard-devel-amd64/lib/libldap-2.4.so.8, but that is the .so.8 version, not the .so.2 that squidGuard was linked against. So after some hours of struggling I decided to give squidGuard up and move on. Dansguardian is a more advanced and complex filter system anyway.)

4. Set up your (transparent) Squid, for example:
5. Set up your Dansguardian

Remember to edit your regexp URL filters, because the default ones will surely block parts of your harmless favourite pages. In the log (did you turn logging on?) search for the DENIED entries:
[2.2.2-RELEASE][admin@my.proxy.local]/var/log/dansguardian: grep DENIED access.log
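To make that tuning step concrete, here is a small added example (my code, not from the post or the DansGuardian project) that walks a few constructed access.log lines and tallies the DENIED entries per rule class, per host and per regexp that fired, so the over-blocking regexps are easy to spot. It assumes DansGuardian's default space-delimited log layout and the reason strings shown in the samples; adjust the field positions if your logfileformat differs.

```python
# Added example (not from the original post): triage DansGuardian access.log
# *DENIED* entries to see which rules (and which regexps) block harmless pages
# before you edit the regexp URL filters.
# Assumed log layout (DansGuardian's space-delimited default):
#   date time user client-ip url ACTION [reason text] METHOD size naughtiness group status mime
# The sample lines below are constructed for this example, not real logs.
from collections import Counter
from urllib.parse import urlsplit

METHODS = {"GET", "POST", "HEAD", "PUT", "CONNECT", "OPTIONS", "DELETE"}
REGEX_RULE = "Banned regular expression URL"

SAMPLE_LOG = [
    "2015.6.11 10:01:03 - 192.168.1.50 http://www.example.com/index.html *EXCEPTION* GET 2048 0 1 200 text/html",
    "2015.6.11 10:01:09 - 192.168.1.50 http://cdn.example.com/ads/banner.gif *DENIED* Banned regular expression URL: /ads/ GET 0 0 1 403 text/html",
    "2015.6.11 10:02:17 - 192.168.1.51 http://upload.example.org/put.php *DENIED* Web upload is banned. POST 0 0 1 403 text/html",
    r"2015.6.11 10:03:40 - 192.168.1.52 http://www.example.net/news.php?id=3 *DENIED* Banned regular expression URL: \.php\?.*= GET 0 0 1 403 text/html",
    "2015.6.11 10:04:02 - 192.168.1.52 http://www.example.net/ *DENIED* Banned site: example.net GET 0 0 1 403 text/html",
]


def parse_denied(line):
    """Return (client_ip, host, reason) for a *DENIED* line, or None otherwise."""
    parts = line.split()
    if len(parts) < 7 or "*DENIED*" not in parts:
        return None
    i = parts.index("*DENIED*")
    reason = []
    for tok in parts[i + 1:]:        # reason text runs up to the HTTP method token
        if tok in METHODS:
            break
        reason.append(tok)
    host = urlsplit(parts[4]).hostname or parts[4]
    return parts[3], host, " ".join(reason)


def summarise(lines):
    """Count denials per rule class, per host, and per regexp that fired."""
    by_rule, by_host, regex_hits = Counter(), Counter(), Counter()
    for line in lines:
        hit = parse_denied(line)
        if hit is None:
            continue
        _ip, host, reason = hit
        rule, _, detail = reason.partition(":")
        by_rule[rule] += 1
        by_host[host] += 1
        if rule == REGEX_RULE:       # the regexp DansGuardian matched, i.e. the one to review
            regex_hits[detail.strip()] += 1
    return by_rule, by_host, regex_hits
```

Run `summarise` over the real file's lines (`open("/var/log/dansguardian/access.log")`) and print `regex_hits.most_common()`; the regexps at the top of that list are the first candidates for editing.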

6. You need an additional port forwarding rule to make it work because, as you can see, Dansguardian listens only on TCP 8080. Pay attention to the Destination address: you should not access Pfsense itself via Dansguardian. If Dansguardian dies for whatever reason (this happens frequently if you upgrade it manually; yeah, I've permanently killed it several times in my lab), you won't be able to reach the default webadmin interface. If you use SquidGuard this step is not required, because Squid creates its own "hidden" firewall rule and SquidGuard does not listen on a TCP port the way Dansguardian does.

That's all. If you don't have any firewall rule blocking it, your advanced (but not-yet-fine-tuned!) HTTP proxy system works now.

UPDATE: actually, it does not. Another irritating, ugly, hideous bug here. It's 2015 and this bug has existed for more than 2 years and is still in the latest stable release: *DENIED* Web upload is banned.
I've tried the recompiled binaries described in this forum thread, but after three days of digging deep I can say that I encountered more problems than I solved. I'm too pissed off to detail all the hacks I've done.
If anyone asked me whether they should give pfsense a try I would say: DO NOT. NEVER.
YOU SHOULD AVOID using PFSENSE. The latest "stable" is an ANNOYING, unthinkably BUGGY system with a mindlessly designed GUI, full of outdated, incompatible and deprecated packages. What's more, its whole package management system is broken or, if you are lucky enough, "just" failing, and if packages somehow accidentally work with each other, pray every day for the Lord to keep this thing in such a working condition and never think about any system update! I can't imagine that Pfsense is in production use by anyone. How could a sysadmin be so fearless? Looking back to the far past I admit that Pfsense was a great piece of software. But this is the case no more.
I wish I could get back these days of my life wasted on this piece of sh*. More to come in this topic.

1 comment:

  1. We are the world's leading publisher of Squid 'Native ACL' formatted blacklists, which allow for web filtering directly with Squid proxy. Of course we also offer alternative formats for the most widely used third party plugins, such as DansGuardian and Squidguard. And while our blacklists are subscription based, they are, as a result of our efforts, of a much higher degree of quality than the free alternatives.

    We hope to serve you,


    Benjamin E. Nichols