Koozali.org: home of the SME Server

Dansguardian port redirect and blocking

bas
« on: February 02, 2009, 11:25:05 PM »
I've got dansguardian configured by the DG contrib.
Somehow I can't seem to get all settings right.
Port 80 redirect to 8080 doesn't function, so browsers configured to autodetect the proxy find the proxy on port 80 and pass by the DG filter.
Port 3128 is blocked; personally I don't care about this, but colleagues use this frequently to do what they shouldn't.

Can someone post which db setting I'll have to check or set?

I've worked around this problem by setting a policy to use the proxy.
This works for all our own workstations/servers. I can't force policies for 3rd parties that do maintenance, therefore I've changed the default gateway so they will have to ask for settings in order to download software.
Good thing about this is that I know who uses the internet and they can only download work related files. Bad thing about this is that other SME servers can't download their updates, because they haven't got a gateway.

Is there a way to set a proxy and port for an SME server to use?

thanks, Bas

stephen noble
« Reply #1 on: February 03, 2009, 01:56:10 AM »

Quote
Is there a way to set a proxy and port for an SME server to use?


I use http://wiki.contribs.org/Firewall#Bypass_Proxy

Another way would be to configure yum on the client server to use the proxy:
http://bugs.contribs.org/show_bug.cgi?id=542

axessit
« Reply #2 on: February 04, 2009, 12:42:48 PM »
From the dansguardian wiki:

1) Configure your SME Server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080

Note the functionality to create the required custom firewall rules using iptables is built in to the smeserver-dansguardian and is configured with the following commands

Quote
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot

2) Configure your workstation web browser to auto detect proxy port

Go to your workstation and open your browser eg Internet Explorer or Firefox or your preferred browser

Change the settings for Connections to LAN

Select Auto detect proxy

Or alternatively use the server IP 192.168.1.1 (or whatever yours is) and use a port of 8080

Knuddi
« Reply #3 on: April 14, 2009, 10:44:00 PM »
Just installed DG and it seems to work just fine as long as I configure the browser to auto-detect proxy. I would like to ensure that despite what is configured in the individual browsers all go through DG. Going through DG must not be bypassed by a smart guy in the office. So how do I ensure that all port 80 (HTTP) requests are redirected via DG?

Obviously I have already done as the Wiki states:
Code:
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot

I do not run with authentication right now.

Suggestions?

janet
« Reply #4 on: April 15, 2009, 01:56:41 AM »
Knuddi

Quote
Just installed DG and it seems to work just fine as long as I configure the browser to auto-detect proxy....... So how do I ensure that all port 80 (HTTP) requests are redirected via DG?
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot

Those commands should have forced all access to the proxy via port 8080.
Are you saying that you can still get unfiltered access via port 80 or 3128 ?

Have you made other changes that can affect functionality eg
disabled Transparent Proxy using these commands
config setprop squid Transparent no
expand-template /etc/squid/squid.conf
sv t /service/squid

I believe I read that with the Transparent Proxy disabled, users can bypass DG (thus the implied need for one form of authentication),
i.e. as per this note in the Howto:
If you disable the Transparent Proxy feature of SME Server, Dansguardian can be bypassed at will by your users. You should keep the Transparent Proxy enabled (but configured as above) for filtering to work.
http://wiki.contribs.org/Dansguardian

Search the forums for details.
« Last Edit: April 15, 2009, 01:59:23 AM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Knuddi
« Reply #5 on: April 15, 2009, 09:54:14 AM »
Yes, I am saying that I can get unfiltered access via port 80. I have not disabled the transparency but when checking the Wiki I can see that it's never actively enabled either. See output from DB:


Code:
09:36:15 root@mail ~@Home]config show dansguardian
dansguardian=service
    portblocking=yes
    status=enabled


Code:
09:36:26 root@mail ~@Home]config show squid
squid=service
    EnforceSafePorts=no
    SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
    TCPPort=3128
    TCPProxyPort=80:3128
    Transparent=no
    TransparentPort=8080
    access=private
    status=enabled

The Wiki states the following is needed:

Code:
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot

But I guess a:

Code:
config setprop squid Transparent yes
expand-template /etc/squid/squid.conf
sv t /service/squid

is also needed. I will give that a go when I get home later today.





 

janet
« Reply #6 on: April 15, 2009, 11:52:27 AM »
Knuddi

The dansguardian settings look normal.
Keep in mind that the default value is set (as determined by the code in the templates) when there is no db entry.

Quote
config show squid
squid=service
    Transparent=no

As I anticipated, your setting is wrong.
Change it to yes as per db commands already referred to, i.e.

Code:
config setprop squid Transparent yes
expand-template /etc/squid/squid.conf
sv t /service/squid

Knuddi
« Reply #7 on: April 15, 2009, 09:37:11 PM »
Unfortunately this didn't do the job. My Firefox, which has been configured with "no proxy", goes right through unfiltered.

Code:
21:07:32 root@mail ~@Home]config setprop squid Transparent yes

21:07:49 root@mail ~@Home]expand-template /etc/squid/squid.conf

21:07:57 root@mail ~@Home]sv t /service/squid

21:08:02 root@mail ~@Home]config show dansguardian
dansguardian=service
    portblocking=yes
    status=enabled

21:24:59 root@mail ~@Home]config show squid
squid=service
    EnforceSafePorts=no
    SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
    TCPPort=3128
    TCPProxyPort=80:3128
    Transparent=yes
    TransparentPort=8080
    access=private
    status=enabled

21:25:07 root@mail ~@Home]/etc/init.d/dansguardian restart
Shutting down dansguardian:                                [ OK ]
Starting dansguardian:                                     [ OK ]

Any other good suggestions I can try? To me this looks like an IPTables issue where port 80 is not redirected to 8080 where DG resides.

janet
« Reply #8 on: April 16, 2009, 12:45:27 AM »
Knuddi

What is your general network arrangement ?
Are you only using one sme server and is it in server gateway mode ?
Is it the proxy server for your network ?

Do you have other "adjustments" made to firewall rules or anything else that may affect the issue ?

What versions of the dansguardian rpms are you using ?
« Last Edit: April 16, 2009, 12:54:55 AM by mary »

stephen noble
« Reply #9 on: April 16, 2009, 01:26:42 AM »
Are you going through 8080 but filtering just hasn't been enabled?
Check /var/log/dansguardian/access

Knuddi
« Reply #10 on: April 16, 2009, 07:52:55 AM »
I have two browsers installed on same PC (IE and FF). I check filtering via the log you propose only and see that IE (which uses proxy) is filtered and FF which goes direct is not.

ex.
Code:
2009.4.16 7:50:14       -       192.168.212.244 http://forums.contribs.org/index.php?action=post;topic=43235.0;num_replies=9    *SCANNED*       GET     62834

Knuddi
« Reply #11 on: April 16, 2009, 08:06:45 AM »
My suspicion seemed correct - port 80 outgoing was not sent to DG (port 8080). Using this iptables command I got all data via DG (my LAN is 212.x/24).

Code:
iptables -t nat -I PREROUTING ! -i eth1 -p tcp -s 192.168.212.0/24 --dport 80 -j REDIRECT --to-ports 8080
I thought this was a part of the smeserver-dansguardian package to set this up?
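
The check this thread converges on, as an added example that is not part of any post above and not code from the smeserver-dansguardian contrib: confirm from the nat table, rather than from the db settings alone, that LAN port 80 traffic is redirected to the DG port. The function names and the two nat-table samples are constructed for illustration; the squid values are those posted in reply #7.

```shell
#!/bin/sh
# Added example (not from the thread): check that LAN HTTP is forced through DG.

# has_redirect FROM TO: reads `iptables-save -t nat` text on stdin; succeeds if
# a PREROUTING rule REDIRECTs tcp destination port FROM to local port TO.
has_redirect() {
    awk -v from="$1" -v to="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            dport = ""; target = ""; toports = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport")    dport   = $(i + 1)
                if ($i == "-j")         target  = $(i + 1)
                if ($i == "--to-ports") toports = $(i + 1)
            }
            if (dport == from && target == "REDIRECT" && toports == to) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# db_prop KEY: reads `config show <service>` text on stdin, prints KEY's value.
db_prop() {
    awk -F= -v key="$1" '{ gsub(/^[ \t]+/, "", $1) } $1 == key { print $2; exit }'
}

# Constructed sample: nat table with no port 80 redirect (the failing state).
NAT_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'
# Constructed sample: the same table after the manual rule from reply #11.
NAT_AFTER='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.212.0/255.255.255.0 -i ! eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'
# squid db values as posted in reply #7 (abridged).
SQUID_DB='squid=service
    TCPPort=3128
    Transparent=yes
    TransparentPort=8080'

port=$(printf '%s\n' "$SQUID_DB" | db_prop TransparentPort)
printf '%s\n' "$NAT_BEFORE" | has_redirect 80 "$port" || echo "before: port 80 bypasses DG"
printf '%s\n' "$NAT_AFTER" | has_redirect 80 "$port" && echo "after: port 80 -> $port"
```

On a live server the same functions take `iptables-save -t nat` and `config show squid` on stdin in place of the samples.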

janet
« Reply #12 on: April 16, 2009, 11:46:47 AM »
Knuddi
 
Quote
I thought this was a part of the smeserver-dansguardian package to set this up?

What version rpms are you using ?

Knuddi
« Reply #13 on: April 16, 2009, 01:06:17 PM »
smeserver-dansguardian-2.9-5.el4.sme
dansguardian-2.10.0.3-4.el4.sme

Which were the latest I got from smecontribs repository

Knuddi
« Reply #14 on: April 24, 2009, 07:44:36 PM »
I can see that I am not the only one seeing this problem..

http://bugs.contribs.org/show_bug.cgi?id=4820

Wonder whether Mr. Noble has a plan to fix the package?