[pfSense] [pfsense] dansguardian
Ryan Rodrigue
Radiotech1 at aaremail.com
Thu Apr 26 18:23:56 EDT 2012
Mine is up and running, but I have to manually put the dansguardian port in
the web browser as a proxy server. I do not have it working for transparent
squid.

As you can see, most of the settings are default.

These are the Dansguardian settings. (I hope you can read this).

Daemon

Listening Settings

Enable dansguardian
I agree with dansguardian Terms and Conditions.
<http://dansguardian.org/?page=copyright2>

Listen Interface(s)
Default: LAN/loopback
Select interface(s) that you want to dansguardian listen on.

Listen port
Default: 8080
The port(s) that DansGuardian listens to.

Daemon Options
Daemon Options. Default values are in ( )

Min/Max Children
Default: 8/120
Sets the minimum and maximum number of processes to spawn to handle the
incoming connections.
Max value usually 250 depending on OS.
On large sites you might want to try 32/180.

Min/Max Spare Children
Default: 4/32
Sets the minimum and maximum number of processes to be kept ready to handle
connections.
On large sites you might want to try 8/64.

Prefork Children
sets the minimum number of processes to spawn when it runs out
On large sites you might want to try 10

Max Age Children
Default: 500
Sets the maximum age of a child process before it croaks it.
This is the number of connections they handle before exiting.
On large sites you might want to try 10000.

Max Ips
Default: 0
Sets the maximum number client IP addresses allowed to connect at once.
Use this to set a hard limit on the number of users allowed to concurrently
browse the web. Set to 0 for no limit, and to disable the IP cache process.

Parent proxy Settings

Proxy IP
Default: 127.0.0.1
Sets ip address for proxy server(usually squid).

Proxy Port
Default: 3128
Sets port number for proxy serve

General

Config Settings

Auth Plugins
This option handle the extraction of client usernames from various sources,
such as Proxy-Authorisation headers and ident servers, enabling requests to
be handled according to the settings of the user's filter group

Scan Options
Scan options. Default values are in ( )

Weighted phrase mode
IMPORTANT: Note that setting this to "0" turns off all features which
extract phrases from page content, including banned & exception phrases (not
just weighted), search term filtering, and scanning for links to banned
URLs.

Lower casing options
When a document is scanned the uppercase letters are converted to lower case
in order to compare them with the phrases.
However this can break Big5 and other 16-bit texts. If needed preserve the
case.

Phrase filter mode
Smart, Raw and Meta/Title phrase content filtering options
Smart is where the multiple spaces and HTML are removed before phrase
filtering
Raw is where the raw HTML including meta tags are phrase filtered
Meta/Title is where only meta and title tags are phrase filtered (v. quick)
CPU usage can be effectively halved by using setting 0 or 1 compared to 2

Url cache number
Positive (clean) result caching for URLs
Caches good pages so they don't need to be scanned again. It also works with
AV plugins.
0 = off (recommended for ISPs with users with dissimilar browsing)
1000 = recommended for most user
5000 = suggested max upper limit
If you're using an AV plugin then use at least 5000.

Url cache age
Age before cache are stale and should be ignored in seconds
900 = 15 mins (recommended)
0 = never

SSL man in the middle Filtering

CA
Warning: Invalid argument supplied for foreach() in /usr/local/www/pkg_edit.php on line 560
Select Certificate Authority to use when SSL filtering is enabled on Group
options
To create a CA on pfsense, go to system -> Cert Manager

Cert
Select Certificate pair to use when SSL filtering is enabled on Group
options
To create a Certificate on pfsense, go to system -> Cert Manager

Content Scanner

Content Scanners (antivirus)
Content Scanners options. Default values are in ( )

freshclam frequency
Default: Every day
Select how often pfsense will update clamd virus database

Content scanner timeout
Default is 60
Some of the content scanners support using a timeout value to stop
processing (eg AV scanning) the file if it takes too long.
If supported this will be used.
The default of 60 seconds is probably reasonable.

Content scan exceptions
If 'on' exception sites, urls, users etc will be scanned.
This is probably not desirable behaviour as exceptions are supposed to be
trusted and will increase load.
Correct use of grey lists are a better idea.

ICAP URL
Enter ICAP URL in icap://icapserver:1344/avscan format
Use hostname rather than IP address and Always specify the port

Misc settings

Misc Options
Misc options. Default values are in ( )

In squid from top to bottom I have selected (squid won't paste for some
reason)

Proxy Interface: LAN and Loopback
Allow users = checked
Blank until Enable Logging
Enable logging = checked
Log store = /var/squid/logs
Log rotate = 90
Proxy port = 3128
ICP port = (blank)
Visible hostname = localhost
Administrator email = admin at localhost
Language = English
X-Forward = no check
Disable Via = no check
Strip
The rest is blank

Upstream Proxy is totally blank and I am using no authentication for now.

These may not be the best settings. If anyone has any suggestion, please let
me know. I always look for ways to do things better.
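
An added example, not part of the original post or of the pfSense package: a small Python check of the DansGuardian-to-Squid chain described above. With Squid bound to LAN as well as loopback on 3128, Squid is reachable directly, so the filter on 8080 is optional for clients; the check flags that and confirms the parent proxy setting matches a Squid listener. The sample configs are constructed from the post's values, and the LAN address 192.168.1.1 is an assumption.

```python
import ipaddress

# Constructed samples mirroring the post's values. The LAN address
# 192.168.1.1 is an assumption; the post does not give one.
DANSGUARDIAN_CONF = """\
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
"""
SQUID_CONF = """\
http_port 192.168.1.1:3128
http_port 127.0.0.1:3128
"""

def parse_dansguardian(text):
    """Return the 'key = value' pairs of a dansguardian.conf-style file."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip("'\"")
    return conf

def squid_listeners(text):
    """Return (address, port) per http_port line; '' means all interfaces.
    Assumes addresses are IP literals, not hostnames."""
    listeners = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "http_port":
            addr, _, port = parts[1].rpartition(":")
            listeners.append((addr.strip("[]"), int(port)))
    return listeners

def audit_chain(dg_text, squid_text):
    """Check the parent proxy exists and Squid is only reachable via loopback."""
    dg = parse_dansguardian(dg_text)
    parent = (dg.get("proxyip", "127.0.0.1"), int(dg.get("proxyport", "3128")))
    listeners = squid_listeners(squid_text)
    findings = []
    if not any(p == parent[1] and a in ("", parent[0]) for a, p in listeners):
        findings.append("parent proxy %s:%d has no matching Squid http_port" % parent)
    for addr, port in listeners:
        if addr == "" or not ipaddress.ip_address(addr).is_loopback:
            findings.append("Squid listens on %s:%d, so it is reachable without "
                            "passing through the filter on port %s"
                            % (addr or "*", port, dg.get("filterport", "8080")))
    return findings
```

For the constructed sample, `audit_chain(DANSGUARDIAN_CONF, SQUID_CONF)` returns one finding, for the LAN listener; with Squid bound to loopback only it returns none.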