Koozali.org: home of the SME Server

Has anyone gotten Dansguardian to work transparently ?

radbrad

Has anyone gotten Dansguardian to work transparently ?
« on: July 01, 2007, 01:13:08 PM »
I have read so many posts going back 3+ years and have yet to see a solution. I have read the famous Ray's how to but, I have to say, it leaves a whole bunch of holes....

But almost every post points to it?

Why is it so difficult to make SME redirect ports 80/3128 to 8080 where Dansguardian lives?

I have dansguardian working on port 8080, but I have laptop users who would have to change their browser setting every time they came to work? It needs to be transparent.

Has anyone fixed this problem?

Please help the multitudes of folks out here who are trying to solve this...

Cheers
Radbrad

Offline raem

Re: Has anyone gotten Dansguardian to work transparently ?
« Reply #1 on: July 01, 2007, 10:37:35 PM »
radbrad

You want a specific answer but there is no answer yet provided by anyone.
I have asked many times and usually feedback stops before definitive answers are given. The Howto only exists because I spent many hours reading the old posts and gathering together the bits & pieces and testing it all out.
If it's a must have requirement on your part then purchase the commercial version from dungog.
Otherwise work out the code and post your results back here to the forums.
It can easily be added to a Howto then & be available for all to use, as you wish it to be.

By default dansguardian works on port 8080.

Do you have your sme server Transparent port set ? ie

db configuration setprop squid TransparentPort 8080
signal-event post-upgrade
signal-event reboot

In IE set to Automatically detect settings
In Firefox set to Auto-detect proxy settings for this network

Both those settings should find the sme Transproxy port automatically (which is 8080 if set as above) and therefore all requests will be subject to dansguardian filtering.
Most less knowledgeable users will set the port to Auto detect or in Firefox to Auto detect or Connect direct to internet. In both cases only the Auto detect settings will work and that will find the port 8080 which is what the sme server is offering as transproxy port.

You don't always need to forcibly redirect port 80 or 3128 unless people are able to, and are deliberately, changing their browser setting to a specific port eg 3128, in which case dansguardian will be bypassed.
Again many less knowledgeable users will not even be aware to use port 3128.

It depends on the security model (& settings) you have in place for workstations. If users cannot change browser settings then there is no way they can force usage to a different port other than 8080.


Do any of the following posts achieve what you want ?

post by funkusmunkus (needs modifying for sme7 so he says)
http://forums.contribs.org/index.php?topic=26445.0

and this one by pietdejong (although it might need some more work too)
http://forums.contribs.org/index.php?topic=23517.0

and perhaps the easiest & most promising by cheezeweeze
http://forums.contribs.org/index.php?topic=33775.msg144673#msg144673

Further to that are these custom template fragments which have not been tested by me, but may give you sufficient clues re how to do it.
They WILL NEED modification, as they call up non existent dbs etc.
I believe they may have come from an earlier dungog release.

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/templates/masq/


If you do develop/discover a specific answer, please post it back here and your method can be added to the Howto & be useful to others.
...

radbrad

**** SOLVED ****
« Reply #2 on: July 01, 2007, 10:55:27 PM »
What I did is login to SME. Go to port forwarding. I forwarded Port 80 to port 8080, using the IP address of 127.0.0.1.

I did the same thing for port 3124. Works like a dream. Dansguardian works perfectly now with no messing with any browser. I can leave the autodetect proxy checked and it always works.

For an FYI anyone who reads this. Have to release then renew my ip while working on this to test.

I am sure there is some problem with this approach, but it works on my test server.

Radbrad

Offline byte

Has anyone gotten Dansguardian to work transparently ?
« Reply #3 on: July 02, 2007, 10:57:00 PM »
Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

radbrad

Spoke too soon...
« Reply #4 on: July 05, 2007, 10:25:09 AM »
I wrote down specific instructions, that I planned on posting here. I did a clean install to check my notes. Guess what ? I cannot get it to work. IE 7.0 never picks up the proxy when set to the default (auto detect).
AAAAARRRGGGGGG!

I love sme server and am busy replacing some of my customers W2k3 servers with sme.

I am experimenting with endian firewall, because the content filtering works with the transparent proxy. I was just trying to keep from having to add an extra box to the network. I might just bill my customers an extra $300 and just buy the Dansguardian pro release.

Radbrad

Offline Stefano

Re: Spoke too soon...
« Reply #5 on: July 05, 2007, 12:04:18 PM »
Quote from: "radbrad"
I was just trying to keep from having to add an extra box to the network. I might just bill my customers an extra $300 and just buy the Dansguardian pro release.

Radbrad


IMVHO you'd separate your users data and firewalling/proxying..

so sme as server, endian/ipcop/whatyouprefer as firewall/proxy/contentfilter

my 2c

Ciao

Stefano

Offline raem

Re: Spoke too soon...
« Reply #6 on: July 05, 2007, 02:12:27 PM »
radbrad

I'm puzzled that it doesn't work for you.
I have the free dansguardian contrib from dungog working fine on a sme 7.1.3 server using command line control & no GUI & all web access is filtered.
Do you really have it all set up correctly ?

>... IE 7.0 never picks up the proxy when set to the default (auto detect).

You will have the problem you describe if you don't set the Transproxy port on sme; sme will keep offering port 3128 to your browser (set for auto detect proxy) and therefore web browsing will always bypass Dansguardian. Port forwarding (as you describe) is NOT the way to resolve this.

As a minimum you need to set the Transparent port on sme server to port 8080 instead of the default 3128 using the commands given below.
sme will then offer port 8080 to browsers as the proxy port.
If Dansguardian is running and set correctly in the config files to use port 8080 (which it should be by default), then browsing will be filtered.

Other port forwarding or port blocking tweaks are not strictly needed & are optional depending on the control you have or desire to have over your users' web browser settings.

Did you set the Transparent port on your sme server ?

db configuration setprop squid TransparentPort 8080
signal-event post-upgrade
signal-event reboot
...

radbrad

Ray, my hats off to you. Thank you.
« Reply #7 on: July 07, 2007, 10:49:17 AM »
Ray, somehow this little piece of DB update code did it. I now have a working transparent proxy.

In the next couple of days I will put my complete step by step here for all to read.

This is the missing piece of the puzzle...

db configuration setprop squid TransparentPort 8080
signal-event post-upgrade
signal-event reboot

Again, Ray thank you. I hope my step by step helps some of the other folks who are scouring the forum for this info.

Oh, and as I said, if you are in the Bay Area, the beer is on me  :P

Cheers,
radbrad
Brad Kershaw

Offline stephen noble

Has anyone gotten Dansguardian to work transparently ?
« Reply #8 on: July 07, 2007, 11:06:22 AM »
Rad,

there should be no need for custom templates,
you just need to read the code and choose which db settings to set
this has always been the case with the many hidden settings on SME

hint rpm -ql smeserver-dansguardian

If something isn't working it's a bug, so lodge one

Offline raem

Re: Ray, my hats off to you. Thank you.
« Reply #9 on: July 07, 2007, 12:37:08 PM »
radbrad

> Ray, somehow this little piece of DB update code did it. I now have a working transparent proxy.
> This is the missing piece of the puzzle...

You do need to read Howto's carefully & completely.
That code was never missing, it has always been in the Howto.
...

Offline raem

Has anyone gotten Dansguardian to work transparently ?
« Reply #10 on: July 07, 2007, 01:30:34 PM »
stephen

> you just need to read the code and choose which db settings to set
> hint rpm -ql smeserver-dansguardian

Thank you Stephen, after I spent a little while working it out, that unlocked a lot of things for me, indeed the whole sme server !

Is this correct, looks so to me ? I can't test it until Monday.
config setprop dansguardian portblocking yes
signal-event post-upgrade
reboot
...

Offline stephen noble

Has anyone gotten Dansguardian to work transparently ?
« Reply #11 on: July 08, 2007, 06:24:59 AM »
yes, in smeserver-dansguardian-2.9-3.el4.sme
this now just blocks 3128

it used to block 80 as well but that stopped a lot of things working and
80 is redirected to 8080 or whatever squid{TransparentPort} is set to
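
A check for the behaviour described in the reply above (port 80 redirected to the TransparentPort, direct access to 3128 blocked), as an added example that is not part of the original thread or of the smeserver-dansguardian package. The helper name `check_filter_path` and both sample rulesets are constructed for illustration; a real SME Server ruleset uses its own chain layout.

```shell
# Added example: audit `iptables-save` text (stdin) for a filter bypass.
# check_filter_path is a hypothetical helper, not part of SME Server.
check_filter_path() {
    awk -v tport="$1" '
        # Value that follows option "name" on the current rule, or "".
        function opt(name,   i) {
            for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
            return ""
        }
        /^\*/      { tbl = substr($0, 2); next }   # table header: nat, filter
        $1 != "-A" { next }                        # only appended rules
        { dport = opt("--dport"); target = opt("-j") }
        tbl == "nat" && dport == "80" && target == "REDIRECT" { redirect = opt("--to-ports") }
        tbl == "filter" && dport == "3128" && target ~ /^(DROP|REJECT)$/ { blocked = 1 }
        END {
            rc = 0
            if (redirect == "") {
                print "FAIL: no REDIRECT rule for tcp/80"; rc = 1
            } else if (redirect != tport) {
                print "FAIL: tcp/80 goes to " redirect ", expected " tport; rc = 1
            } else {
                print "OK: tcp/80 redirected to " tport
            }
            if (!blocked) {
                print "FAIL: tcp/3128 reachable, filter can be bypassed"; rc = 1
            }
            exit rc
        }'
}

# Constructed sample dumps (simplified, not from a real SME Server).
GOOD_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
BYPASS_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

printf '%s\n' "$GOOD_RULES" | check_filter_path 8080
printf '%s\n' "$BYPASS_RULES" | check_filter_path 8080 || echo "bypass ruleset rejected"
```

On a live server the same function can be fed `iptables-save` output as root, with the expected port taken from `db configuration getprop squid TransparentPort`.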

Offline raem

Re: Has anyone gotten Dansguardian to work transparently ?
« Reply #12 on: July 11, 2007, 05:29:18 PM »
radbrad

See the new Howto which includes db commands to configure port blocking

http://wiki.contribs.org/Dansguardian
...

radbrad

I did get dansguardian working, but I like this solution.
« Reply #13 on: July 19, 2007, 09:08:20 PM »
I have done a bunch of research on the net, and here and found that most of what I want accomplished can be done with squid. This includes blocking web sites, allowing and disallowing users, blocking sites with words etc. Why this appeals to me is that it is already installed (nothing to install) with sme and a lot less acl files to deal with. The Squid transparent proxy is automatically working at install and it is fast.

I am busy trying to become a squid expert. I am looking for a gui so I don't have to use putty to edit the squid.conf files. I did get webmin to work, but don't know what kind of overhead it requires. Sorry, I am still new to Linux, but learning fast.

Offline crazybob

Has anyone gotten Dansguardian to work transparently ?
« Reply #14 on: July 19, 2007, 09:36:13 PM »
do a search for squidguard. That gives you a server manager interface

Bob
If you think you know what's going on, you obviously have no idea what's going on!