<?php /* dansguardianfx.conf.template part of the Dansguardian package for pfSense Copyright (C) 2012 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ $dgf= <<<EOF # DansGuardian filter group config file for version 2.12.0.0 # Filter group mode # This option determines whether members of this group have their web access # unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist" # and "exceptionuserlist" files from previous versions. # # 0 = banned # 1 = filtered # 2 = unfiltered (exception) # # Only filter groups with a mode of 1 need to define phrase, URL, site, extension, # mimetype and PICS lists; in other modes, these options are ignored to conserve # memory. # # Defaults to 0 if unspecified. # Unauthenticated users are treated as being in the first filter group. groupmode = {$dansguardian_groups['mode']} # Filter group name # Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to # name the group in the access logs # Defaults to empty string groupname = '{$dansguardian_groups['name']}' # Content filtering files location bannedphraselist = '/usr/local/etc/dansguardian/lists/bannedphraselist.{$dansguardian_groups['phraseacl']}' weightedphraselist = '/usr/local/etc/dansguardian/lists/weightedphraselist.{$dansguardian_groups['phraseacl']}' exceptionphraselist = '/usr/local/etc/dansguardian/lists/exceptionphraselist.{$dansguardian_groups['phraseacl']}' bannedsitelist = '/usr/local/etc/dansguardian/lists/bannedsitelist.{$dansguardian_groups['siteacl']}' greysitelist = '/usr/local/etc/dansguardian/lists/greysitelist.{$dansguardian_groups['siteacl']}' exceptionsitelist = '/usr/local/etc/dansguardian/lists/exceptionsitelist.{$dansguardian_groups['siteacl']}' bannedurllist = '/usr/local/etc/dansguardian/lists/bannedurllist.{$dansguardian_groups['urlacl']}' greyurllist = '/usr/local/etc/dansguardian/lists/greyurllist.{$dansguardian_groups['urlacl']}' exceptionurllist = '/usr/local/etc/dansguardian/lists/exceptionurllist.{$dansguardian_groups['urlacl']}' exceptionregexpurllist = '/usr/local/etc/dansguardian/lists/exceptionregexpurllist.{$dansguardian_groups['urlacl']}' bannedregexpurllist = '/usr/local/etc/dansguardian/lists/bannedregexpurllist.{$dansguardian_groups['urlacl']}' picsfile = '/usr/local/etc/dansguardian/lists/{$dansguardian_groups['picsacl']}' contentregexplist = '/usr/local/etc/dansguardian/lists/contentregexplist.{$dansguardian_groups['contentacl']}' urlregexplist = '/usr/local/etc/dansguardian/lists/urlregexplist.{$dansguardian_groups['urlacl']}' # Filetype filtering # # Blanket download blocking # If enabled, all files will be blocked, unless they match the # exceptionextensionlist or exceptionmimetypelist. # These lists do not override virus scanning. # Exception lists defined above override all types of filtering, including # the blanket download block. # Defaults to disabled. # (on | off) # blockdownloads = {$dansguardian_groups['blockdownloads']} exceptionextensionlist = '/usr/local/etc/dansguardian/lists/exceptionextensionlist.{$dansguardian_groups['extensionacl']}' exceptionmimetypelist = '/usr/local/etc/dansguardian/lists/exceptionmimetypelist.{$dansguardian_groups['extensionacl']}' # # Use the following lists to block specific kinds of file downloads. # The two exception lists above can be used to override these. # bannedextensionlist = '/usr/local/etc/dansguardian/lists/bannedextensionlist.{$dansguardian_groups['extensionacl']}' bannedmimetypelist = '/usr/local/etc/dansguardian/lists/bannedmimetypelist.{$dansguardian_groups['extensionacl']}' # # In either file filtering mode, the following list can be used to override # MIME type & extension blocks for particular domains & URLs (trusted download sites). # exceptionfilesitelist = '/usr/local/etc/dansguardian/lists/exceptionfilesitelist.{$dansguardian_groups['siteacl']}' exceptionfileurllist = '/usr/local/etc/dansguardian/lists/exceptionfileurllist.{$dansguardian_groups['urlacl']}' # Categorise without blocking: # Supply categorised lists here and the category string shall be logged against # matching requests, but matching these lists does not perform any filtering # action. logsitelist = '/usr/local/etc/dansguardian/lists/logsitelist.{$dansguardian_groups['siteacl']}' logurllist = '/usr/local/etc/dansguardian/lists/logurllist.{$dansguardian_groups['urlacl']}' logregexpurllist = '/usr/local/etc/dansguardian/lists/logregexpurllist.{$dansguardian_groups['urlacl']}' # Outgoing HTTP header rules: # Optional lists for blocking based on, and modification of, outgoing HTTP # request headers. Format for headerregexplist is one modification rule per # line, similar to content/URL modifications. Format for # bannedregexpheaderlist is one regular expression per line, with matching # headers causing a request to be blocked. # Headers are matched/replaced on a line-by-line basis, not as a contiguous # block. # Use for example, to remove cookies or prevent certain user-agents. headerregexplist = '/usr/local/etc/dansguardian/lists/headerregexplist.{$dansguardian_groups['headeracl']}' bannedregexpheaderlist = '/usr/local/etc/dansguardian/lists/bannedregexpheaderlist.{$dansguardian_groups['headeracl']}' # Weighted phrase mode # Optional; overrides the weightedphrasemode option in dansguardian.conf # for this particular group. See documentation for supported values in # that file. weightedphrasemode = {$dansguardian_groups['weightedphrasemode']} # Naughtiness limit # This the limit over which the page will be blocked. Each weighted phrase is given # a value either positive or negative and the values added up. Phrases to do with # good subjects will have negative values, and bad subjects will have positive # values. See the weightedphraselist file for examples. # As a guide: # 50 is for young children, 100 for old children, 160 for young adults. naughtynesslimit = {$dansguardian_groups['naughtynesslimit']} # Search term blocking # Search terms can be extracted from search URLs and filtered using the # bannedphraselist, weightedphraselist and exceptionphraselist, with a separate # threshold for blocking than that used for normal page content. # To do this, the first two options below must be enabled. # # Search engine regular expression list # List of regular expressions for matching search engine URLs. It is assumed # that the search terms themselves will be contained within the first submatch # of each expression. searchengineregexplist = '/usr/local/etc/dansguardian/lists/searchengineregexplist.{$dansguardian_groups['searchacl']}' # # Search term limit # The limit over which requests will be blocked for containing search terms # which match the weightedphraselist. This should usually be lower than the # 'naughtynesslimit' value above, because the amount of text being filtered # is only a few words, rather than a whole page. # This option must be uncommented if searchengineregexplist is uncommented. # A value of 0 here indicates that search terms should be extracted, # for logging/reporting purposes, but no filtering should be performed # on the resulting text. searchtermlimit = {$dansguardian_groups['searchtermlimit']} # # Search term lists # If the three lines below are uncommented, search term blocking will use # the banned, weighted & exception phrases from these lists, instead of using # the same phrase lists as for page content. This is optional but recommended, # as weights for individual phrases in the "normal" lists may not be # appropriate for blocking when those phrases appear in a much smaller block # of text. # Please note that all or none of the below should be uncommented, not a # mixture. bannedsearchtermlist = '/usr/local/etc/dansguardian/lists/bannedsearchtermlist.{$dansguardian_groups['searchacl']}' weightedsearchtermlist = '/usr/local/etc/dansguardian/lists/weightedsearchtermlist.{$dansguardian_groups['searchacl']}' exceptionsearchtermlist = '/usr/local/etc/dansguardian/lists/exceptionsearchtermlist.{$dansguardian_groups['searchacl']}' # Category display threshold # This option only applies to pages blocked by weighted phrase filtering. # Defines the minimum score that must be accumulated within a particular # category in order for it to show up on the block pages' category list. # All categories under which the page scores positively will be logged; those # that were not displayed to the user appear in brackets. # # -1 = display only the highest scoring category # 0 = display all categories (default) # > 0 = minimum score for a category to be displayed categorydisplaythreshold = {$dansguardian_groups['categorydisplaythreshold']} # Embedded URL weighting # When set to something greater than zero, this option causes URLs embedded within a # page's HTML (from links, image tags, etc.) to be extracted and checked against the # bannedsitelist and bannedurllist. Each link to a banned page causes the amount set # here to be added to the page's weighting. # The behaviour of this option with regards to multiple occurrences of a site/URL is # affected by the weightedphrasemode setting. # # NB: Currently, this feature uses regular expressions that require the PCRE library. # As such, it is only available if you compiled DansGuardian with '--enable-pcre=yes'. # You can check compile-time options by running 'dansguardian -v'. # # Set to 0 to disable. # Defaults to 0. # WARNING: This option is highly CPU intensive! embeddedurlweight = {$dansguardian_groups['embeddedurlweight']} # Enable PICS rating support # # Defaults to disabled # (on | off) enablepics = {$dansguardian_groups['enablepics']} # Temporary Denied Page Bypass # This provides a link on the denied page to bypass the ban for a few minutes. To be # secure it uses a random hashed secret generated at daemon startup. You define the # number of seconds the bypass will function for before the deny will appear again. # To allow the link on the denied page to appear you will need to edit the template.html # or dansguardian.pl file for your language. # 300 = enable for 5 minutes # 0 = disable ( defaults to 0 ) # -1 = enable but you require a separate program/CGI to generate a valid link bypass = {$dansguardian_groups['bypass']} # Temporary Denied Page Bypass Secret Key # Rather than generating a random key you can specify one. It must be more than 8 chars. # '' = generate a random one (recommended and default) # 'Mary had a little lamb.' = an example # '76b42abc1cd0fdcaf6e943dcbc93b826' = an example bypasskey = '{$dansguardian_groups['bypasskey']}' # Infection/Scan Error Bypass # Similar to the 'bypass' setting, but specifically for bypassing files scanned and found # to be infected, or files that trigger scanner errors - for example, archive types with # recognised but unsupported compression schemes, or corrupt archives. # The option specifies the number of seconds for which the bypass link will be valid. # 300 = enable for 5 minutes # 0 = disable (default) # -1 = enable, but require a separate program/CGI to generate a valid link infectionbypass = {$dansguardian_groups['infectionbypass']} # Infection/Scan Error Bypass Secret Key # Same as the 'bypasskey' option, but used for infection bypass mode. infectionbypasskey = '{$dansguardian_groups['infectionbypasskey']}' # Infection/Scan Error Bypass on Scan Errors Only # Enable this option to allow infectionbypass links only when virus scanning fails, # not when a file is found to contain a virus. # on = enable (default and highly recommended) # off = disable infectionbypasserrorsonly = {$dansguardian_groups['infectionbypasserrorsonly']} # Disable content scanning # If you enable this option you will disable content scanning for this group. # Content scanning primarily is AV scanning (if enabled) but could include # other types. # (on|off) default = off. disablecontentscan = {$dansguardian_groups['disablecontentscan']} # Enable Deep URL Analysis # When enabled, DG looks for URLs within URLs, checking against the bannedsitelist and # bannedurllist. This can be used, for example, to block images originating from banned # sites from appearing in Google Images search results, as the original URLs are # embedded in the thumbnail GET requests. # (on|off) default = off deepurlanalysis = {$dansguardian_groups['deepurlanalysis']} # reportinglevel # # -1 = log, but do not block - Stealth mode # 0 = just say 'Access Denied' # 1 = report why but not what denied phrase # 2 = report fully # 3 = use HTML template file (accessdeniedaddress ignored) - recommended # # If defined, this overrides the global setting in dansguardian.conf for # members of this filter group. # reportinglevel = 3 {$groupreportinglevel} # accessdeniedaddress is the address of your web server to which the cgi # dansguardian reporting script was copied. Only used in reporting levels # 1 and 2. # # This webserver must be either: # 1. Non-proxied. Either a machine on the local network, or listed as an # exception in your browser's proxy configuration. # 2. Added to the exceptionsitelist. Option 1 is preferable; this option is # only for users using both transparent proxying and a non-local server # to host this script. # # If defined, this overrides the global setting in dansguardian.conf for # members of this filter group. # accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl' {$groupaccessdeniedaddress} # HTML Template override # If defined, this specifies a custom HTML template file for members of this # filter group, overriding the global setting in dansguardian.conf. This is # only used in reporting level 3. # # The default template file path is <languagedir>/<language>/template.html # e.g. /usr/local/share/dansguardian/languages/ukenglish/template.html when using 'ukenglish' # language. # # This option generates a file path of the form: # <languagedir>/<language>/<htmltemplate> # e.g. /usr/local/share/dansguardian/languages/ukenglish/custom.html # #htmltemplate = 'custom.html' # Email reporting - original patch by J. Gauthier # Use SMTP # If on, will enable system wide events to be reported by email. # need to configure mail program (see 'mailer' in global config) # and email recipients # default usesmtp = off #!! Not compiled !!usesmtp = off # mailfrom # who the email would come from # example: mailfrom = 'dansguardian@mycompany.com' #!! Not compiled !!mailfrom = '' # avadmin # who the virus emails go to (if notify av is on) # example: avadmin = 'admin@mycompany.com' #!! Not compiled !!avadmin = '' # contentdmin # who the content emails go to (when thresholds are exceeded) # and contentnotify is on # example: contentadmin = 'admin@mycompany.com' #!! Not compiled !!contentadmin = '' # avsubject # Subject of the email sent when a virus is caught. # only applicable if notifyav is on # default avsubject = 'dansguardian virus block' #!! Not compiled !!avsubject = 'dansguardian virus block' # content # Subject of the email sent when violation thresholds are exceeded # default contentsubject = 'dansguardian violation' #!! Not compiled !!contentsubject = 'dansguardian violation' # notifyAV # This will send a notification, if usesmtp/notifyav is on, any time an # infection is found. # Important: If this option is off, viruses will still be recorded like a # content infraction. #!! Not compiled !!notifyav = off # notifycontent # This will send a notification, if usesmtp is on, based on thresholds # below #!! Not compiled !!notifycontent = off # thresholdbyuser # results are only predictable with user authenticated configs # if enabled the violation/threshold count is kept track of by the user #!! Not compiled !!thresholdbyuser = off #violations # number of violations before notification # setting to 0 will never trigger a notification #!! Not compiled !!violations = 0 #threshold # this is in seconds. If 'violations' occur in 'threshold' seconds, then # a notification is made. # if this is set to 0, then whenever the set number of violations are made a # notifaction will be sent. #!! Not compiled !!threshold = 0 #SSL certificate checking # Check that ssl certificates for servers on https connections are valid # and signed by a ca in the configured path sslcertcheck = {$dansguardian_groups['sslcertcheck']} #SSL man in the middle # Forge ssl certificates for all sites, decrypt the data then re encrypt it # using a different private key. Used to filter ssl sites sslmitm = {$dansguardian_groups['sslmitm']} #mitmkey = '{$dansguardian_groups['mitmkey']}' EOF; ?>