DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 28th September 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Question Dansguardian Issues

A little while ago I installed Dansguardian w/ ClamAV from the OpenBSD 4.5 package. I'm running squid for the proxy all on the same OpenBSD 4.5 system.

The software seems to be 'working' fine with the exception of a few issues I've encountered. Most likely these are configuration errors as apposed to application malfunction. Hoping someone will be able to help!

Issue 1:

I've been trying to have more than one filter group with authentication based on the IP address only. When I run Dans I see the following:

Code:
Filter group out of range; entry 10.10.200.0/255.255.255.0 = LAN in /etc/dansguardian/lists/authplugins/ipgroups
Sep 28 10:49:55 FW002 dansguardian[24093]: Filter group out of range; entry 10.10.200.0/255.255.255.0 = LAN in /etc/dansguardian/lists/authplugins/ipgroups
Configuration files (relevant)

Standard dansguardian.conf
Code:
# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of cont
# filtering options you can apply to a group of users.  The value must be 1 or m
# DansGuardian will automatically look for dansguardianfN.conf where N is the fi
# group.  To assign users to groups use the filtergroupslist option.  All users
# to filter group 1.  You must have some sort of authentication to be able to ma
# to a group.  The more filter groups the more copies of the lists will be in RA
# use as few as possible.
filtergroups = 2
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
/etc/dansguardian/lists/filtergroupslist
Code:
/etc/dansguardian/lists/filtergroupslist

user1=WIRELESS
user2=LAN
/etc/dansguardian/lists/authplugins/ipgroups
Code:
#10.10.200.0/255.255.255.0 = LAN
#10.10.220.0/255.255.255.0 = WIRELESS

10.10.200.2-10.10.200.254 = LAN
10.10.220.1-10.10.210.254 = WIRELESS
I've tried using different combination's to specify the IP range as shown above.

Any idea how to make Dans except the IP range?

Issue 2:

Regarding the AD blocking. How can I specify a custom list to be treated as an AD list. I would like to make use of replacing images with the replacement image provided with Dans. Currently I seem to only be able to block using my "denied page" which technically works but I'd prefer to just see nothing at all.

Code:
# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image.  This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# 0 = off
# 1 = on (default)
usecustombannedimage = 1
custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif'
Issue 3:

Not sure if this is an issue. However I see prompts about ClamAV when I start Dans. Should I upgrade or will this cause compatibility issues?

Code:
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
If I've missed some configs please let me know.

Any help/suggestions would be greatly appreciated.
Thanks!
Reply With Quote
  #2   (View Single Post)  
Old 28th September 2009
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 699
Thanked 90 Times in 81 Posts
Default

DansGuardian doesn't support IP ranges. You need 1 line per IP in the groups config file. Same as for usernames.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
  #3   (View Single Post)  
Old 28th September 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Thanks for the reply.

How come the examples show ranges?

Code:
# IP-Group list
# Used by the IP-based auth plugin to assign IP addresses to filter groups.
#
# Examples:
# Straight IP matching:
#192.168.0.1 = filter1
# Subnet matching:
#192.168.1.0/255.255.255.0 = filter1
# Range matching:
#192.168.1.0-192.168.1.255 = filter1
Reply With Quote
  #4   (View Single Post)  
Old 28th September 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

To update further.

I tried a sample config of 50 IP's per group.

Code:
10.10.200.2 = LAN
10.10.200.3 = LAN
10.10.200.4 = LAN
...

10.10.200.50 = LAN
Same results except now I have one error per IP.

Code:
Filter group out of range; entry 10.10.200.41 = LAN in /etc/dansguardian/lists/authplugins/ipgroups
Sep 28 16:05:00 FW002 dansguardian[7128]: Filter group out of range; entry 10.10.200.41 = LAN in / ...

Sep 28 16:05:01 FW002 dansguardian[7128]: Auth plugin init returned warning value: 1
Any ideas?

Thanks!
Reply With Quote
  #5   (View Single Post)  
Old 28th September 2009
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 699
Thanked 90 Times in 81 Posts
Default

Quote:
Originally Posted by plexter View Post
Thanks for the reply.

How come the examples show ranges?
Oh, cool, I guess they added that recently. Last time I checked, it didn't support IP ranges.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
  #6   (View Single Post)  
Old 7th July 2010
nickelodeum nickelodeum is offline
New User
 
Join Date: Jul 2010
Posts: 1
Thanked 0 Times in 0 Posts
Default

Solved:
Hi, I can see that this issue is due to use groups name, if you don't use the groupname option next #groupname='' , it works properly, just use the name filter1, filter2, etc, in each dansguardianf#.conf file just comment the groupname='' line.
Don't forget assign in ../authplugins/ipgroups file the default filter name filter1,filter2 etc, to the respective subnet segment like this:

#Write like this in ipgroups file

192.168.60.0/255.255.255.0 = filter1
192.168.61.0/255.255.255.0 = filter2
192.168.62.0/255.255.255.0 = filter3

try restart dnasguardian with: dansguardian -Q
and good luck.

I solved this issue this way.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Strange issues with 7.2 DNAeon FreeBSD General 5 26th September 2009 11:19 AM
Set Of gnome issues jaideep_jdof NetBSD General 13 17th September 2009 06:39 AM
mounting issues??? mt85m FreeBSD General 19 17th July 2008 07:58 PM
KVM issues lil_elvis2000 FreeBSD General 5 9th June 2008 07:55 PM
Sendmail, issues... pcfxer FreeBSD General 2 8th May 2008 10:07 AM


All times are GMT. The time now is 02:29 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick