Dansguardian - First release

1 files changed, 382 insertions, 0 deletions

diff --git a/config/dansguardian/dansguardianfx.conf.template b/config/dansguardian/dansguardianfx.conf.template
new file mode 100644
index 00000000..cb811e21
--- /dev/null
+++ b/config/dansguardian/dansguardianfx.conf.template
@@ -0,0 +1,382 @@
+<?php 
+/*
+	dansguardianfx.conf.template
+	part of the Dansguardian package for pfSense
+	Copyright (C) 2012 Marcello Coutinho
+	All rights reserved.
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are met:
+
+	1. Redistributions of source code must retain the above copyright notice,
+	   this list of conditions and the following disclaimer.
+
+	2. Redistributions in binary form must reproduce the above copyright
+	   notice, this list of conditions and the following disclaimer in the
+	   documentation and/or other materials provided with the distribution.
+
+	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+	POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+$dgf= <<<EOF
+# DansGuardian filter group config file for version 2.12.0.0
+
+
+# Filter group mode
+# This option determines whether members of this group have their web access
+# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
+# and "exceptionuserlist" files from previous versions.
+#
+# 0 = banned
+# 1 = filtered
+# 2 = unfiltered (exception)
+#
+# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
+# mimetype and PICS lists; in other modes, these options are ignored to conserve
+# memory.
+#
+# Defaults to 0 if unspecified.
+# Unauthenticated users are treated as being in the first filter group.
+groupmode = {$dansguardian_groups['mode']}
+
+# Filter group name
+# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
+# name the group in the access logs
+# Defaults to empty string
+groupname = '{$dansguardian_groups['name']}'
+
+# Content filtering files location
+bannedphraselist = '/usr/local/etc/dansguardian/lists/weightedphraselist.{$dansguardian_groups['phraseacl']}'
+weightedphraselist = '/usr/local/etc/dansguardian/lists/weightedphraselist.{$dansguardian_groups['phraseacl']}'
+exceptionphraselist = '/usr/local/etc/dansguardian/lists/exceptionphraselist.{$dansguardian_groups['phraseacl']}'
+bannedsitelist = '/usr/local/etc/dansguardian/lists/bannedsitelist.{$dansguardian_groups['siteacl']}'
+greysitelist = '/usr/local/etc/dansguardian/lists/greysitelist.{$dansguardian_groups['siteacl']}'
+exceptionsitelist = '/usr/local/etc/dansguardian/lists/exceptionsitelist.{$dansguardian_groups['siteacl']}'
+bannedurllist = '/usr/local/etc/dansguardian/lists/bannedurllist.{$dansguardian_groups['urlacl']}'
+greyurllist = '/usr/local/etc/dansguardian/lists/greyurllist.{$dansguardian_groups['urlacl']}'
+exceptionurllist = '/usr/local/etc/dansguardian/lists/exceptionurllist.{$dansguardian_groups['urlacl']}'
+exceptionregexpurllist = '/usr/local/etc/dansguardian/lists/exceptionregexpurllist.{$dansguardian_groups['urlacl']}'
+bannedregexpurllist = '/usr/local/etc/dansguardian/lists/bannedregexpurllist.{$dansguardian_groups['urlacl']}'
+picsfile = '/usr/local/etc/dansguardian/lists/{$dansguardian_groups['picsacl']}'
+contentregexplist = '/usr/local/etc/dansguardian/lists/contentregexplist.{$dansguardian_groups['contentacl']}'
+urlregexplist = '/usr/local/etc/dansguardian/lists/urlregexplist.{$dansguardian_groups['urlacl']}'
+
+# Filetype filtering
+#
+# Blanket download blocking
+# If enabled, all files will be blocked, unless they match the
+# exceptionextensionlist or exceptionmimetypelist.
+# These lists do not override virus scanning.
+# Exception lists defined above override all types of filtering, including
+# the blanket download block.
+# Defaults to disabled.
+# (on | off)
+#
+blockdownloads = {$dansguardian_groups['blockdownloads']}
+exceptionextensionlist = '/usr/local/etc/dansguardian/lists/exceptionextensionlist.{$dansguardian_groups['extensionacl']}'
+exceptionmimetypelist = '/usr/local/etc/dansguardian/lists/exceptionmimetypelist.{$dansguardian_groups['extensionacl']}'
+#
+# Use the following lists to block specific kinds of file downloads.
+# The two exception lists above can be used to override these.
+#
+bannedextensionlist = '/usr/local/etc/dansguardian/lists/bannedextensionlist.{$dansguardian_groups['extensionacl']}'
+bannedmimetypelist = '/usr/local/etc/dansguardian/lists/bannedmimetypelist.{$dansguardian_groups['extensionacl']}'
+#
+# In either file filtering mode, the following list can be used to override
+# MIME type & extension blocks for particular domains & URLs (trusted download sites).
+#
+exceptionfilesitelist = '/usr/local/etc/dansguardian/lists/exceptionfilesitelist.{$dansguardian_groups['siteacl']}'
+exceptionfileurllist = '/usr/local/etc/dansguardian/lists/exceptionfileurllist.{$dansguardian_groups['urlacl']}'
+
+# Categorise without blocking:
+# Supply categorised lists here and the category string shall be logged against
+# matching requests, but matching these lists does not perform any filtering
+# action.
+logsitelist = '/usr/local/etc/dansguardian/lists/logsitelist.{$dansguardian_groups['siteacl']}'
+logurllist = '/usr/local/etc/dansguardian/lists/logurllist.{$dansguardian_groups['urlacl']}'
+logregexpurllist = '/usr/local/etc/dansguardian/lists/logregexpurllist.{$dansguardian_groups['urlacl']}'
+
+# Outgoing HTTP header rules:
+# Optional lists for blocking based on, and modification of, outgoing HTTP
+# request headers.  Format for headerregexplist is one modification rule per
+# line, similar to content/URL modifications.  Format for
+# bannedregexpheaderlist is one regular expression per line, with matching
+# headers causing a request to be blocked.
+# Headers are matched/replaced on a line-by-line basis, not as a contiguous
+# block.
+# Use for example, to remove cookies or prevent certain user-agents.
+headerregexplist = '/usr/local/etc/dansguardian/lists/headerregexplist.{$dansguardian_groups['headeracl']}'
+bannedregexpheaderlist = '/usr/local/etc/dansguardian/lists/bannedregexpheaderlist.{$dansguardian_groups['headeracl']}'
+
+# Weighted phrase mode
+# Optional; overrides the weightedphrasemode option in dansguardian.conf
+# for this particular group.  See documentation for supported values in
+# that file.
+weightedphrasemode = {$dansguardian_groups['weightedphrasemode']}
+
+# Naughtiness limit
+# This the limit over which the page will be blocked.  Each weighted phrase is given
+# a value either positive or negative and the values added up.  Phrases to do with
+# good subjects will have negative values, and bad subjects will have positive
+# values.  See the weightedphraselist file for examples.
+# As a guide:
+# 50 is for young children,  100 for old children,  160 for young adults.
+naughtynesslimit = {$dansguardian_groups['naughtynesslimit']}
+
+# Search term blocking
+# Search terms can be extracted from search URLs and filtered using the
+# bannedphraselist, weightedphraselist and exceptionphraselist, with a separate
+# threshold for blocking than that used for normal page content.
+# To do this, the first two options below must be enabled.
+#
+# Search engine regular expression list
+# List of regular expressions for matching search engine URLs.  It is assumed
+# that the search terms themselves will be contained within the first submatch
+# of each expression.
+searchengineregexplist = '/usr/local/etc/dansguardian/lists/searchengineregexplist.{$dansguardian_groups['searchacl']}'
+#
+# Search term limit
+# The limit over which requests will be blocked for containing search terms
+# which match the weightedphraselist.  This should usually be lower than the
+# 'naughtynesslimit' value above, because the amount of text being filtered
+# is only a few words, rather than a whole page.
+# This option must be uncommented if searchengineregexplist is uncommented.
+# A value of 0 here indicates that search terms should be extracted,
+# for logging/reporting purposes, but no filtering should be performed
+# on the resulting text.
+searchtermlimit = {$dansguardian_groups['searchtermlimit']}
+#
+# Search term lists
+# If the three lines below are uncommented, search term blocking will use
+# the banned, weighted & exception phrases from these lists, instead of using
+# the same phrase lists as for page content.  This is optional but recommended,
+# as weights for individual phrases in the "normal" lists may not be
+# appropriate for blocking when those phrases appear in a much smaller block
+# of text.
+# Please note that all or none of the below should be uncommented, not a
+# mixture.
+bannedsearchtermlist = '/usr/local/etc/dansguardian/lists/bannedsearchtermlist.{$dansguardian_groups['searchacl']}'
+weightedsearchtermlist = '/usr/local/etc/dansguardian/lists/weightedsearchtermlist.{$dansguardian_groups['searchacl']}'
+exceptionsearchtermlist = '/usr/local/etc/dansguardian/lists/exceptionsearchtermlist.{$dansguardian_groups['searchacl']}'
+
+# Category display threshold
+# This option only applies to pages blocked by weighted phrase filtering.
+# Defines the minimum score that must be accumulated within a particular
+# category in order for it to show up on the block pages' category list.
+# All categories under which the page scores positively will be logged; those
+# that were not displayed to the user appear in brackets.
+#
+# -1 = display only the highest scoring category
+# 0 = display all categories (default)
+# > 0 = minimum score for a category to be displayed
+categorydisplaythreshold = {$dansguardian_groups['categorydisplaythreshold']}
+
+# Embedded URL weighting
+# When set to something greater than zero, this option causes URLs embedded within a
+# page's HTML (from links, image tags, etc.) to be extracted and checked against the
+# bannedsitelist and bannedurllist. Each link to a banned page causes the amount set
+# here to be added to the page's weighting.
+# The behaviour of this option with regards to multiple occurrences of a site/URL is
+# affected by the weightedphrasemode setting.
+#
+# NB: Currently, this feature uses regular expressions that require the PCRE library.
+# As such, it is only available if you compiled DansGuardian with '--enable-pcre=yes'.
+# You can check compile-time options by running 'dansguardian -v'.
+#
+# Set to 0 to disable.
+# Defaults to 0.
+# WARNING: This option is highly CPU intensive!
+embeddedurlweight = {$dansguardian_groups['embeddedurlweight']}
+
+# Enable PICS rating support
+#
+# Defaults to disabled
+# (on | off)
+enablepics = {$dansguardian_groups['enablepics']}
+
+# Temporary Denied Page Bypass
+# This provides a link on the denied page to bypass the ban for a few minutes.  To be
+# secure it uses a random hashed secret generated at daemon startup.  You define the
+# number of seconds the bypass will function for before the deny will appear again.
+# To allow the link on the denied page to appear you will need to edit the template.html
+# or dansguardian.pl file for your language.
+# 300 = enable for 5 minutes
+# 0 = disable ( defaults to 0 )
+# -1 = enable but you require a separate program/CGI to generate a valid link
+bypass = {$dansguardian_groups['bypass']}
+
+# Temporary Denied Page Bypass Secret Key
+# Rather than generating a random key you can specify one.  It must be more than 8 chars.
+# '' = generate a random one (recommended and default)
+# 'Mary had a little lamb.' = an example
+# '76b42abc1cd0fdcaf6e943dcbc93b826' = an example
+bypasskey = '{$dansguardian_groups['bypasskey']}'
+
+# Infection/Scan Error Bypass
+# Similar to the 'bypass' setting, but specifically for bypassing files scanned and found
+# to be infected, or files that trigger scanner errors - for example, archive types with
+# recognised but unsupported compression schemes, or corrupt archives.
+# The option specifies the number of seconds for which the bypass link will be valid.
+# 300 = enable for 5 minutes
+# 0 = disable (default)
+# -1 = enable, but require a separate program/CGI to generate a valid link
+infectionbypass = {$dansguardian_groups['infectionbypass']}
+
+# Infection/Scan Error Bypass Secret Key
+# Same as the 'bypasskey' option, but used for infection bypass mode.
+infectionbypasskey = '{$dansguardian_groups['infectionbypasskey']}'
+
+# Infection/Scan Error Bypass on Scan Errors Only
+# Enable this option to allow infectionbypass links only when virus scanning fails,
+# not when a file is found to contain a virus.
+# on = enable (default and highly recommended)
+# off = disable
+infectionbypasserrorsonly = {$dansguardian_groups['infectionbypasserrorsonly']}
+
+# Disable content scanning
+# If you enable this option you will disable content scanning for this group.
+# Content scanning primarily is AV scanning (if enabled) but could include
+# other types.
+# (on|off) default = off.
+disablecontentscan = {$dansguardian_groups['disablecontentscan']}
+
+# Enable Deep URL Analysis
+# When enabled, DG looks for URLs within URLs, checking against the bannedsitelist and
+# bannedurllist. This can be used, for example, to block images originating from banned
+# sites from appearing in Google Images search results, as the original URLs are
+# embedded in the thumbnail GET requests.
+# (on|off) default = off
+deepurlanalysis = {$dansguardian_groups['deepurlanalysis']}
+
+# reportinglevel
+#
+# -1 = log, but do not block - Stealth mode
+#  0 = just say 'Access Denied'
+#  1 = report why but not what denied phrase
+#  2 = report fully
+#  3 = use HTML template file (accessdeniedaddress ignored) - recommended
+#
+# If defined, this overrides the global setting in dansguardian.conf for
+# members of this filter group.
+#
+#reportinglevel = {$dansguardian_groups['reportinglevel']}
+
+# accessdeniedaddress is the address of your web server to which the cgi
+# dansguardian reporting script was copied. Only used in reporting levels
+# 1 and 2.
+#
+# This webserver must be either:
+#  1. Non-proxied. Either a machine on the local network, or listed as an
+#     exception in your browser's proxy configuration.
+#  2. Added to the exceptionsitelist. Option 1 is preferable; this option is
+#     only for users using both transparent proxying and a non-local server
+#     to host this script.
+#
+# If defined, this overrides the global setting in dansguardian.conf for
+# members of this filter group.
+#
+#accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
+
+# HTML Template override
+# If defined, this specifies a custom HTML template file for members of this
+# filter group, overriding the global setting in dansguardian.conf. This is
+# only used in reporting level 3.
+#
+# The default template file path is <languagedir>/<language>/template.html
+# e.g. /usr/local/share/dansguardian/languages/ukenglish/template.html when using 'ukenglish'
+# language.
+#
+# This option generates a file path of the form:
+# <languagedir>/<language>/<htmltemplate>
+# e.g. /usr/local/share/dansguardian/languages/ukenglish/custom.html
+#
+#htmltemplate = 'custom.html'
+
+# Email reporting - original patch by J. Gauthier
+
+# Use SMTP
+# If on, will enable system wide events to be reported by email.
+# need to configure mail program (see 'mailer' in global config)
+# and email recipients
+# default usesmtp = off
+#!! Not compiled !!usesmtp = off
+
+# mailfrom
+# who the email would come from
+# example: mailfrom = 'dansguardian@mycompany.com'
+#!! Not compiled !!mailfrom = ''
+
+# avadmin
+# who the virus emails go to (if notify av is on)
+# example: avadmin = 'admin@mycompany.com'
+#!! Not compiled !!avadmin = ''
+
+# contentdmin
+# who the content emails go to (when thresholds are exceeded)
+# and contentnotify is on
+# example: contentadmin = 'admin@mycompany.com'
+#!! Not compiled !!contentadmin = ''
+
+# avsubject
+# Subject of the email sent when a virus is caught.
+# only applicable if notifyav is on
+# default avsubject = 'dansguardian virus block'
+#!! Not compiled !!avsubject = 'dansguardian virus block'
+
+# content
+# Subject of the email sent when violation thresholds are exceeded
+# default contentsubject = 'dansguardian violation'
+#!! Not compiled !!contentsubject = 'dansguardian violation'
+
+# notifyAV
+# This will send a notification, if usesmtp/notifyav is on, any time an
+# infection is found.
+# Important: If this option is off, viruses will still be recorded like a
+# content infraction.
+#!! Not compiled !!notifyav = off
+
+# notifycontent
+# This will send a notification, if usesmtp is on, based on thresholds
+# below
+#!! Not compiled !!notifycontent = off
+
+# thresholdbyuser
+# results are only predictable with user authenticated configs
+# if enabled the violation/threshold count is kept track of by the user
+#!! Not compiled !!thresholdbyuser = off
+
+#violations
+# number of violations before notification
+# setting to 0 will never trigger a notification
+#!! Not compiled !!violations = 0
+
+#threshold
+# this is in seconds. If 'violations' occur in 'threshold' seconds, then
+# a notification is made.
+# if this is set to 0, then whenever the set number of violations are made a 
+# notifaction will be sent.
+#!! Not compiled !!threshold = 0
+
+#SSL certificate checking
+# Check that ssl certificates for servers on https connections are valid
+# and signed by a ca in the configured path
+sslcertcheck = {$dansguardian_groups['sslcertcheck']}
+
+#SSL man in the middle
+# Forge ssl certificates for all sites, decrypt the data then re encrypt it
+# using a different private key. Used to filter ssl sites
+sslmitm = {$dansguardian_groups['sslmitm']}
+
+EOF;
+
+?>
\ No newline at end of file