Difference between revisions of "PeerGuardian Linux"

From ArchWiki

Revision as of 15:39, 13 June 2012

PeerGuardian Linux (pgl) is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges). pgl is based on the Linux kernel netfilter framework and iptables.

Warning: pgl may block your complete network/internet access! Using too many and/or inappropriate lists may seriously degrade your internet service.

Installation

There are two AUR packages to choose from: pgl-cli includes only the daemon and CLI tools, while pgl comes complete with a GUI (written using Qt).

Configuration

All the configuration files are located in /etc/pgl/:

  • blocklists.list contains a list of URLs from which the various block lists are retrieved,
  • pglcmd.conf, empty by default, overrides the default settings present in /usr/lib/pgl/pglcmd.defaults,
  • allow.p2p lists custom IP ranges that will not be filtered.

The first thing you will want to change is the set of preconfigured block lists. The default lists in /etc/pgl/blocklists.list block many potentially legitimate IP addresses, so use your best judgment and the information available at I-Blocklist to make your choice.

If you install pgl on a workstation, it is recommended to disable the filtering of HTTP connections. Simply add the following to /etc/pgl/pglcmd.conf:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https"

Also, depending on the lists you use, some programs might not be able to reach the outside world. For instance, if you use MSN for instant messaging, you will need to add port 1863 (service name msnp) to the white list:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https msnp"

Conversely, you could white list all the ports except the ones used by the program you are trying to restrain. The following example uses the block lists only to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):

/etc/pgl/pglcmd.conf
WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"

LAN

By default, pgl does not block traffic on your local IPv4 addresses. Unfortunately, this behavior relies on a program called ifconfig which is deprecated in Arch Linux. While a new method is being worked on you can use the WHITE_IP_* settings to restore this function, although without the automation.

Let us say that pgl is installed on your workstation (192.168.0.5) and you want to reach some services on another computer (192.168.0.1) on your LAN. Simply add the following to /etc/pgl/pglcmd.conf:

/etc/pgl/pglcmd.conf
WHITE_IP_OUT="192.168.0.0/24"

If your workstation also hosts services that you want to make available to your LAN, add:

/etc/pgl/pglcmd.conf
WHITE_IP_IN="192.168.0.0/24"

For further information, please refer to the # Whitelist IPs # section of /usr/lib/pgl/pglcmd.defaults.
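Because a wrong whitelist can cut a host off entirely (see the warning above), it helps to check a draft pglcmd.conf before starting the daemon. The following checker is an added example, not code from pgl or from this wiki page: it reads the WHITE_TCP_*/WHITE_UDP_* port settings and the WHITE_IP_* CIDR settings described in this section and reports whether a given connection would be exempt from the block lists. It models only the semantics described here (service names or start:end port ranges, CIDR networks) and the FALLBACK_SERVICES table is an assumption for hosts without /etc/services.

```python
# Added example, not part of pgl or the ArchWiki page: an offline checker that
# reads pglcmd.conf-style WHITE_* settings and reports whether a connection would
# be whitelisted (exempt from the block lists). It models only what this page
# describes: service names or start:end port ranges, and CIDR ranges for IPs.
import ipaddress
import re
import socket

FALLBACK_SERVICES = {"http": 80, "https": 443, "msnp": 1863, "domain": 53}  # assumption

def parse_conf(text):
    """Return {VAR: value} for KEY="value" lines; later lines override earlier."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)\s*=\s*"?([^"#]*)"?\s*(#.*)?$', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def port_ranges(value, proto):
    """Turn 'http https 0:79 81:65535' into [(lo, hi), ...] for proto tcp/udp."""
    ranges = []
    for tok in value.split():
        if re.fullmatch(r"\d+:\d+", tok):
            lo, hi = map(int, tok.split(":"))
        elif tok.isdigit():
            lo = hi = int(tok)
        else:
            try:  # resolve service names the way pgl does, via /etc/services
                lo = hi = socket.getservbyname(tok, proto)
            except OSError:
                lo = hi = FALLBACK_SERVICES[tok]
        ranges.append((lo, hi))
    return ranges

def is_whitelisted(conf, direction, proto, port, remote_ip):
    """direction is 'IN' or 'OUT'; a match on either port or remote IP exempts it."""
    for lo, hi in port_ranges(conf.get(f"WHITE_{proto.upper()}_{direction}", ""), proto):
        if lo <= port <= hi:
            return True
    for cidr in conf.get(f"WHITE_IP_{direction}", "").split():
        if ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr, strict=False):
            return True
    return False

# Constructed configuration combining the settings shown on this page.
SAMPLE_CONF = """WHITE_TCP_OUT="http https msnp"
WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"
WHITE_IP_OUT="192.168.0.0/24"
"""
```

With SAMPLE_CONF, outgoing HTTPS and MSN traffic and anything sent to 192.168.0.0/24 is exempt, while incoming TCP 80 and UDP 53 are still subject to the block lists.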

Starting up

Once you are comfortable with the configuration of both the daemon and lists, type in:

# rc.d start pgl

To make sure that pgl works as intended, issue this command:

# pglcmd test

Should you want pgl to run automatically, just add "pgl" to the DAEMONS array in /etc/rc.conf.