Trying to implement SSLMITM filtering with e2guardian


Stanford Prescott

Oct 17, 2014, 5:46:47 PM
to e2gua...@googlegroups.com
I do a lot of work with the Smoothwall Express firewall and have created a "mod" for SWE that allows Squid 3.3.x to filter SSL connections. I have also included e2guardian with the mod. Currently e2guardian only filters HTTP but I would like to enable HTTPS filtering, as well.

I followed the steps from another thread here:

1. Added #define _SSLMITM to the dansguardian.h config file

2. Added the SWE distro's ssl lib path to the LIBS= directive in src/Makefile.
     -I don't know if I did this one correctly. Smoothwall's ssl library is located in /usr/lib/ssl. The LIBS line in the Makefile looks like this LIBS= -lz /usr/lib/ssl: Is this correct?

Currently, in the e2guardian.conf file the filterip line is blank to filter all IPs: filterip = . The filterports line has e2guardian listening for HTTP requests on port 8080: filterports = 8080, with an iptables rule that redirects port 80 to 8080 when e2guardian is enabled. What additional IPs and/or ports do I need to add to the e2guardian.conf file to tell e2guardian to also filter SSL port 443 traffic? Do I just add another filterports line, such as filterports = 8081, with a separate iptables rule to redirect port 443 to 8081?

Thank you.

Stan

Philip

Oct 22, 2014, 6:24:35 AM
to e2gua...@googlegroups.com

Hi Stan,

Currently e2guardian (as in dg) will only filter SSL when proxy is explicitly set in the browser.

If you want to try the MITM mode then you will need to use the latest development release.

  1. Add both #define __SSLMITM and #define __SSLCERT to the dgconfig.h file
  2. Normally the LIBS line in Makefile will work with LIBS= -lz -lcrypto -lssl

In proxy mode you can just use the same port as used for html.

As posted before, I am currently working on the MITM code.
Firstly we plan to get the MITM code working correctly with the explicit proxy method and put that into a development release.
Once that and some other bug-fix work is complete we will then look at making transparent SSL filtering work both with and without MITM.

Note: I would recommend that wherever possible you set the e2guardian proxy in the browser, either manually or automatically, as transparent filtering just cannot cover all the protocols and ports that can be handled with a defined proxy. This applies even if you do have a transparent set-up.

Regards
Philip

Stanford Prescott

Oct 22, 2014, 7:13:15 PM
to e2gua...@googlegroups.com
Thank you for the reply, Philip. I will try what you suggest and look forward to trying out the completed MITM for e2guardian in the future.

Philip

Dec 16, 2014, 6:48:56 AM
to e2gua...@googlegroups.com
Development version v3.1.1 with support for explicit SSL MITM is now available at https://github.com/e2guardian/e2guardian/releases/tag/v3.1.1

