diff options
author | marcelloc <marcellocoutinho@gmail.com> | 2012-01-27 14:24:51 -0200 |
---|---|---|
committer | marcelloc <marcellocoutinho@gmail.com> | 2012-01-27 14:24:51 -0200 |
commit | cf08e91af27301092ea4ef4bd96762fcd82db58c (patch) | |
tree | c93f620a3779c6d9f47800e6a8e606de9ca05730 /config/dansguardian/dansguardianfx.conf.template | |
parent | df225741292cdf7067938de8bc2f018fc14f76a1 (diff) | |
download | pfsense-packages-cf08e91af27301092ea4ef4bd96762fcd82db58c.tar.gz pfsense-packages-cf08e91af27301092ea4ef4bd96762fcd82db58c.tar.bz2 pfsense-packages-cf08e91af27301092ea4ef4bd96762fcd82db58c.zip |
Dansguardian - First release
Diffstat (limited to 'config/dansguardian/dansguardianfx.conf.template')
-rw-r--r-- | config/dansguardian/dansguardianfx.conf.template | 382 |
1 files changed, 382 insertions, 0 deletions
diff --git a/config/dansguardian/dansguardianfx.conf.template b/config/dansguardian/dansguardianfx.conf.template new file mode 100644 index 00000000..cb811e21 --- /dev/null +++ b/config/dansguardian/dansguardianfx.conf.template @@ -0,0 +1,382 @@ +<?php +/* + dansguardianfx.conf.template + part of the Dansguardian package for pfSense + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ + +$dgf= <<<EOF +# DansGuardian filter group config file for version 2.12.0.0 + + +# Filter group mode +# This option determines whether members of this group have their web access +# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist" +# and "exceptionuserlist" files from previous versions. +# +# 0 = banned +# 1 = filtered +# 2 = unfiltered (exception) +# +# Only filter groups with a mode of 1 need to define phrase, URL, site, extension, +# mimetype and PICS lists; in other modes, these options are ignored to conserve +# memory. +# +# Defaults to 0 if unspecified. +# Unauthenticated users are treated as being in the first filter group. +groupmode = {$dansguardian_groups['mode']} + +# Filter group name +# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to +# name the group in the access logs +# Defaults to empty string +groupname = '{$dansguardian_groups['name']}' + +# Content filtering files location +bannedphraselist = '/usr/local/etc/dansguardian/lists/weightedphraselist.{$dansguardian_groups['phraseacl']}' +weightedphraselist = '/usr/local/etc/dansguardian/lists/weightedphraselist.{$dansguardian_groups['phraseacl']}' +exceptionphraselist = '/usr/local/etc/dansguardian/lists/exceptionphraselist.{$dansguardian_groups['phraseacl']}' +bannedsitelist = '/usr/local/etc/dansguardian/lists/bannedsitelist.{$dansguardian_groups['siteacl']}' +greysitelist = '/usr/local/etc/dansguardian/lists/greysitelist.{$dansguardian_groups['siteacl']}' +exceptionsitelist = '/usr/local/etc/dansguardian/lists/exceptionsitelist.{$dansguardian_groups['siteacl']}' +bannedurllist = '/usr/local/etc/dansguardian/lists/bannedurllist.{$dansguardian_groups['urlacl']}' +greyurllist = '/usr/local/etc/dansguardian/lists/greyurllist.{$dansguardian_groups['urlacl']}' +exceptionurllist = '/usr/local/etc/dansguardian/lists/exceptionurllist.{$dansguardian_groups['urlacl']}' +exceptionregexpurllist = '/usr/local/etc/dansguardian/lists/exceptionregexpurllist.{$dansguardian_groups['urlacl']}' +bannedregexpurllist = '/usr/local/etc/dansguardian/lists/bannedregexpurllist.{$dansguardian_groups['urlacl']}' +picsfile = '/usr/local/etc/dansguardian/lists/{$dansguardian_groups['picsacl']}' +contentregexplist = '/usr/local/etc/dansguardian/lists/contentregexplist.{$dansguardian_groups['contentacl']}' +urlregexplist = '/usr/local/etc/dansguardian/lists/urlregexplist.{$dansguardian_groups['urlacl']}' + +# Filetype filtering +# +# Blanket download blocking +# If enabled, all files will be blocked, unless they match the +# exceptionextensionlist or exceptionmimetypelist. +# These lists do not override virus scanning. +# Exception lists defined above override all types of filtering, including +# the blanket download block. +# Defaults to disabled. +# (on | off) +# +blockdownloads = {$dansguardian_groups['blockdownloads']} +exceptionextensionlist = '/usr/local/etc/dansguardian/lists/exceptionextensionlist.{$dansguardian_groups['extensionacl']}' +exceptionmimetypelist = '/usr/local/etc/dansguardian/lists/exceptionmimetypelist.{$dansguardian_groups['extensionacl']}' +# +# Use the following lists to block specific kinds of file downloads. +# The two exception lists above can be used to override these. +# +bannedextensionlist = '/usr/local/etc/dansguardian/lists/bannedextensionlist.{$dansguardian_groups['extensionacl']}' +bannedmimetypelist = '/usr/local/etc/dansguardian/lists/bannedmimetypelist.{$dansguardian_groups['extensionacl']}' +# +# In either file filtering mode, the following list can be used to override +# MIME type & extension blocks for particular domains & URLs (trusted download sites). +# +exceptionfilesitelist = '/usr/local/etc/dansguardian/lists/exceptionfilesitelist.{$dansguardian_groups['siteacl']}' +exceptionfileurllist = '/usr/local/etc/dansguardian/lists/exceptionfileurllist.{$dansguardian_groups['urlacl']}' + +# Categorise without blocking: +# Supply categorised lists here and the category string shall be logged against +# matching requests, but matching these lists does not perform any filtering +# action. +logsitelist = '/usr/local/etc/dansguardian/lists/logsitelist.{$dansguardian_groups['siteacl']}' +logurllist = '/usr/local/etc/dansguardian/lists/logurllist.{$dansguardian_groups['urlacl']}' +logregexpurllist = '/usr/local/etc/dansguardian/lists/logregexpurllist.{$dansguardian_groups['urlacl']}' + +# Outgoing HTTP header rules: +# Optional lists for blocking based on, and modification of, outgoing HTTP +# request headers. Format for headerregexplist is one modification rule per +# line, similar to content/URL modifications. Format for +# bannedregexpheaderlist is one regular expression per line, with matching +# headers causing a request to be blocked. +# Headers are matched/replaced on a line-by-line basis, not as a contiguous +# block. +# Use for example, to remove cookies or prevent certain user-agents. +headerregexplist = '/usr/local/etc/dansguardian/lists/headerregexplist.{$dansguardian_groups['headeracl']}' +bannedregexpheaderlist = '/usr/local/etc/dansguardian/lists/bannedregexpheaderlist.{$dansguardian_groups['headeracl']}' + +# Weighted phrase mode +# Optional; overrides the weightedphrasemode option in dansguardian.conf +# for this particular group. See documentation for supported values in +# that file. +weightedphrasemode = {$dansguardian_groups['weightedphrasemode']} + +# Naughtiness limit +# This the limit over which the page will be blocked. Each weighted phrase is given +# a value either positive or negative and the values added up. Phrases to do with +# good subjects will have negative values, and bad subjects will have positive +# values. See the weightedphraselist file for examples. +# As a guide: +# 50 is for young children, 100 for old children, 160 for young adults. +naughtynesslimit = {$dansguardian_groups['naughtynesslimit']} + +# Search term blocking +# Search terms can be extracted from search URLs and filtered using the +# bannedphraselist, weightedphraselist and exceptionphraselist, with a separate +# threshold for blocking than that used for normal page content. +# To do this, the first two options below must be enabled. +# +# Search engine regular expression list +# List of regular expressions for matching search engine URLs. It is assumed +# that the search terms themselves will be contained within the first submatch +# of each expression. +searchengineregexplist = '/usr/local/etc/dansguardian/lists/searchengineregexplist.{$dansguardian_groups['searchacl']}' +# +# Search term limit +# The limit over which requests will be blocked for containing search terms +# which match the weightedphraselist. This should usually be lower than the +# 'naughtynesslimit' value above, because the amount of text being filtered +# is only a few words, rather than a whole page. +# This option must be uncommented if searchengineregexplist is uncommented. +# A value of 0 here indicates that search terms should be extracted, +# for logging/reporting purposes, but no filtering should be performed +# on the resulting text. +searchtermlimit = {$dansguardian_groups['searchtermlimit']} +# +# Search term lists +# If the three lines below are uncommented, search term blocking will use +# the banned, weighted & exception phrases from these lists, instead of using +# the same phrase lists as for page content. This is optional but recommended, +# as weights for individual phrases in the "normal" lists may not be +# appropriate for blocking when those phrases appear in a much smaller block +# of text. +# Please note that all or none of the below should be uncommented, not a +# mixture. +bannedsearchtermlist = '/usr/local/etc/dansguardian/lists/bannedsearchtermlist.{$dansguardian_groups['searchacl']}' +weightedsearchtermlist = '/usr/local/etc/dansguardian/lists/weightedsearchtermlist.{$dansguardian_groups['searchacl']}' +exceptionsearchtermlist = '/usr/local/etc/dansguardian/lists/exceptionsearchtermlist.{$dansguardian_groups['searchacl']}' + +# Category display threshold +# This option only applies to pages blocked by weighted phrase filtering. +# Defines the minimum score that must be accumulated within a particular +# category in order for it to show up on the block pages' category list. +# All categories under which the page scores positively will be logged; those +# that were not displayed to the user appear in brackets. +# +# -1 = display only the highest scoring category +# 0 = display all categories (default) +# > 0 = minimum score for a category to be displayed +categorydisplaythreshold = {$dansguardian_groups['categorydisplaythreshold']} + +# Embedded URL weighting +# When set to something greater than zero, this option causes URLs embedded within a +# page's HTML (from links, image tags, etc.) to be extracted and checked against the +# bannedsitelist and bannedurllist. Each link to a banned page causes the amount set +# here to be added to the page's weighting. +# The behaviour of this option with regards to multiple occurrences of a site/URL is +# affected by the weightedphrasemode setting. +# +# NB: Currently, this feature uses regular expressions that require the PCRE library. +# As such, it is only available if you compiled DansGuardian with '--enable-pcre=yes'. +# You can check compile-time options by running 'dansguardian -v'. +# +# Set to 0 to disable. +# Defaults to 0. +# WARNING: This option is highly CPU intensive! +embeddedurlweight = {$dansguardian_groups['embeddedurlweight']} + +# Enable PICS rating support +# +# Defaults to disabled +# (on | off) +enablepics = {$dansguardian_groups['enablepics']} + +# Temporary Denied Page Bypass +# This provides a link on the denied page to bypass the ban for a few minutes. To be +# secure it uses a random hashed secret generated at daemon startup. You define the +# number of seconds the bypass will function for before the deny will appear again. +# To allow the link on the denied page to appear you will need to edit the template.html +# or dansguardian.pl file for your language. +# 300 = enable for 5 minutes +# 0 = disable ( defaults to 0 ) +# -1 = enable but you require a separate program/CGI to generate a valid link +bypass = {$dansguardian_groups['bypass']} + +# Temporary Denied Page Bypass Secret Key +# Rather than generating a random key you can specify one. It must be more than 8 chars. +# '' = generate a random one (recommended and default) +# 'Mary had a little lamb.' = an example +# '76b42abc1cd0fdcaf6e943dcbc93b826' = an example +bypasskey = '{$dansguardian_groups['bypasskey']}' + +# Infection/Scan Error Bypass +# Similar to the 'bypass' setting, but specifically for bypassing files scanned and found +# to be infected, or files that trigger scanner errors - for example, archive types with +# recognised but unsupported compression schemes, or corrupt archives. +# The option specifies the number of seconds for which the bypass link will be valid. +# 300 = enable for 5 minutes +# 0 = disable (default) +# -1 = enable, but require a separate program/CGI to generate a valid link +infectionbypass = {$dansguardian_groups['infectionbypass']} + +# Infection/Scan Error Bypass Secret Key +# Same as the 'bypasskey' option, but used for infection bypass mode. +infectionbypasskey = '{$dansguardian_groups['infectionbypasskey']}' + +# Infection/Scan Error Bypass on Scan Errors Only +# Enable this option to allow infectionbypass links only when virus scanning fails, +# not when a file is found to contain a virus. +# on = enable (default and highly recommended) +# off = disable +infectionbypasserrorsonly = {$dansguardian_groups['infectionbypasserrorsonly']} + +# Disable content scanning +# If you enable this option you will disable content scanning for this group. +# Content scanning primarily is AV scanning (if enabled) but could include +# other types. +# (on|off) default = off. +disablecontentscan = {$dansguardian_groups['disablecontentscan']} + +# Enable Deep URL Analysis +# When enabled, DG looks for URLs within URLs, checking against the bannedsitelist and +# bannedurllist. This can be used, for example, to block images originating from banned +# sites from appearing in Google Images search results, as the original URLs are +# embedded in the thumbnail GET requests. +# (on|off) default = off +deepurlanalysis = {$dansguardian_groups['deepurlanalysis']} + +# reportinglevel +# +# -1 = log, but do not block - Stealth mode +# 0 = just say 'Access Denied' +# 1 = report why but not what denied phrase +# 2 = report fully +# 3 = use HTML template file (accessdeniedaddress ignored) - recommended +# +# If defined, this overrides the global setting in dansguardian.conf for +# members of this filter group. +# +#reportinglevel = {$dansguardian_groups['reportinglevel']} + +# accessdeniedaddress is the address of your web server to which the cgi +# dansguardian reporting script was copied. Only used in reporting levels +# 1 and 2. +# +# This webserver must be either: +# 1. Non-proxied. Either a machine on the local network, or listed as an +# exception in your browser's proxy configuration. +# 2. Added to the exceptionsitelist. Option 1 is preferable; this option is +# only for users using both transparent proxying and a non-local server +# to host this script. +# +# If defined, this overrides the global setting in dansguardian.conf for +# members of this filter group. +# +#accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl' + +# HTML Template override +# If defined, this specifies a custom HTML template file for members of this +# filter group, overriding the global setting in dansguardian.conf. This is +# only used in reporting level 3. +# +# The default template file path is <languagedir>/<language>/template.html +# e.g. /usr/local/share/dansguardian/languages/ukenglish/template.html when using 'ukenglish' +# language. +# +# This option generates a file path of the form: +# <languagedir>/<language>/<htmltemplate> +# e.g. /usr/local/share/dansguardian/languages/ukenglish/custom.html +# +#htmltemplate = 'custom.html' + +# Email reporting - original patch by J. Gauthier + +# Use SMTP +# If on, will enable system wide events to be reported by email. +# need to configure mail program (see 'mailer' in global config) +# and email recipients +# default usesmtp = off +#!! Not compiled !!usesmtp = off + +# mailfrom +# who the email would come from +# example: mailfrom = 'dansguardian@mycompany.com' +#!! Not compiled !!mailfrom = '' + +# avadmin +# who the virus emails go to (if notify av is on) +# example: avadmin = 'admin@mycompany.com' +#!! Not compiled !!avadmin = '' + +# contentdmin +# who the content emails go to (when thresholds are exceeded) +# and contentnotify is on +# example: contentadmin = 'admin@mycompany.com' +#!! Not compiled !!contentadmin = '' + +# avsubject +# Subject of the email sent when a virus is caught. +# only applicable if notifyav is on +# default avsubject = 'dansguardian virus block' +#!! Not compiled !!avsubject = 'dansguardian virus block' + +# content +# Subject of the email sent when violation thresholds are exceeded +# default contentsubject = 'dansguardian violation' +#!! Not compiled !!contentsubject = 'dansguardian violation' + +# notifyAV +# This will send a notification, if usesmtp/notifyav is on, any time an +# infection is found. +# Important: If this option is off, viruses will still be recorded like a +# content infraction. +#!! Not compiled !!notifyav = off + +# notifycontent +# This will send a notification, if usesmtp is on, based on thresholds +# below +#!! Not compiled !!notifycontent = off + +# thresholdbyuser +# results are only predictable with user authenticated configs +# if enabled the violation/threshold count is kept track of by the user +#!! Not compiled !!thresholdbyuser = off + +#violations +# number of violations before notification +# setting to 0 will never trigger a notification +#!! Not compiled !!violations = 0 + +#threshold +# this is in seconds. If 'violations' occur in 'threshold' seconds, then +# a notification is made. +# if this is set to 0, then whenever the set number of violations are made a +# notifaction will be sent. +#!! Not compiled !!threshold = 0 + +#SSL certificate checking +# Check that ssl certificates for servers on https connections are valid +# and signed by a ca in the configured path +sslcertcheck = {$dansguardian_groups['sslcertcheck']} + +#SSL man in the middle +# Forge ssl certificates for all sites, decrypt the data then re encrypt it +# using a different private key. Used to filter ssl sites +sslmitm = {$dansguardian_groups['sslmitm']} + +EOF; + +?>
\ No newline at end of file |