Difference between revisions of "PeerGuardian Linux"

From ArchWiki
Revision as of 14:14, 19 January 2013


Installation

There are two AUR packages to choose from: pgl-cli includes only the daemon and CLI tools, while pgl comes complete with a GUI (written using Qt).

Configuration

All the configuration files are located in /etc/pgl:

  • blocklists.list contains the list of URLs from which the various block lists are retrieved,
  • pglcmd.conf, empty by default, overrides the default settings present in /usr/lib/pgl/pglcmd.defaults,
  • allow.p2p lists custom IP ranges that will not be filtered.

The default lists in /etc/pgl/blocklists.list block many potentially legitimate IP addresses. Users are encouraged to use their best judgment and the information available at I-Blocklist before deciding which lists to keep.

It is recommended to exempt outgoing HTTP and HTTPS connections from filtering, since the blocklists would otherwise also apply to ordinary web browsing, by adding the following to /etc/pgl/pglcmd.conf:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https"

Some programs may still be unable to reach the outside world. For instance, users of MSN for instant messaging need to add port 1863 (the msnp service) to the whitelist:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https msnp"

Conversely, one could whitelist every port except the ones used by the program to be blocked. The following example applies the block lists only to incoming TCP traffic on port 80 (HTTP) and incoming UDP traffic on port 53 (DNS); every other incoming port bypasses the lists entirely, so use this form only when that is the intent:

/etc/pgl/pglcmd.conf
WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"

Firewall

It is best to start pgl after an iptables based firewall, so that the firewall's rules are in place before pgl inserts its own. Rather than editing the packaged unit, create a copy of pgl.service as /etc/systemd/system/my-pgl.service and add a Requires= line and an After= line naming the firewall unit. Requires= only pulls the firewall in; After= is what makes pgl wait until the firewall has finished starting, so both are needed. If you use the separately named unit, enable and start my-pgl.service instead of pgl.service, not both.

Here is an example when using the Uncomplicated Firewall:

/etc/systemd/system/my-pgl.service

[Unit]
Description=PeerGuardian Linux - an IP Blocker
# Requires= pulls the firewall in; After= makes pgl wait for it to finish starting
Requires=ufw.service
After=network.target ufw.service

[Service]
BusName=org.netfilter.pgl
ExecStart=/usr/bin/pglcmd start
ExecStop=/usr/bin/pglcmd stop
PIDFile=/run/pgld.pid

[Install]
WantedBy=multi-user.target
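The ordering pitfall is easy to miss when editing the unit by hand: a Requires= line without a matching After= line still lets systemd start pgl in parallel with the firewall. The following check, an added example that is not part of pgl or of this page, parses a unit file and reports every unit named in Requires= or Wants= that is not also ordered with After= or Before=. The "bad" sample unit is constructed to show the mistake; the "good" one is the unit above.

```python
"""Check that every unit a systemd service Requires= is also listed in After=.

Added example, not part of pgl or the ArchWiki page: Requires= only pulls a
dependency in, After= is what orders the two units, so a unit that names the
firewall in Requires= but not in After= can still start before the firewall
has finished loading its rules. The sample unit texts are constructed here.
"""

# The unit from the page, with ufw.service in both Requires= and After=.
GOOD_UNIT = """\
[Unit]
Description=PeerGuardian Linux - an IP Blocker
Requires=ufw.service
After=network.target ufw.service

[Service]
BusName=org.netfilter.pgl
ExecStart=/usr/bin/pglcmd start
ExecStop=/usr/bin/pglcmd stop
PIDFile=/run/pgld.pid

[Install]
WantedBy=multi-user.target
"""

# Constructed variant with the common mistake: the firewall is required but not
# ordered, so systemd may start both units at the same time.
BAD_UNIT = GOOD_UNIT.replace("After=network.target ufw.service", "After=network.target")


def parse_unit(text):
    """Parse a unit file into {section: {key: [values...]}}.

    A hand-rolled parser rather than configparser because systemd keys are
    case-sensitive and may repeat (several After= lines accumulate).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def dependency_list(unit, key):
    """Flatten all values of a space-separated [Unit] dependency key into a set."""
    return {u for value in unit.get("Unit", {}).get(key, []) for u in value.split()}


def unordered_requirements(text):
    """Units named in Requires= or Wants= that appear in neither After= nor Before=."""
    unit = parse_unit(text)
    pulled_in = dependency_list(unit, "Requires") | dependency_list(unit, "Wants")
    ordered = dependency_list(unit, "After") | dependency_list(unit, "Before")
    return sorted(pulled_in - ordered)


if __name__ == "__main__":
    for name, text in (("good", GOOD_UNIT), ("bad", BAD_UNIT)):
        gaps = unordered_requirements(text)
        print(f"{name}: {'ok' if not gaps else 'not ordered after ' + ', '.join(gaps)}")
```

Run it against your own copy of my-pgl.service before enabling it; an empty result means every pulled-in unit is also ordered, which is the property the firewall dependency needs.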

LAN

By default, pgl also applies its block lists to traffic to and from local IPv4 addresses, which can cut off hosts on your own LAN if a list covers a private range. To exempt the LAN, edit /etc/pgl/pglcmd.conf and add an exception with the WHITE_IP_* settings, adjusting the range to match your network:

/etc/pgl/pglcmd.conf
WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24"

For further information, please refer to the # Whitelist IPs # section of /usr/lib/pgl/pglcmd.defaults.
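Because a whitelist entry removes a port or address from the block lists entirely, it pays to check what a change actually leaves filtered before restarting pgl. The following model, an added example that is not pgl's own code, mirrors the WHITE_TCP_*/WHITE_UDP_* port lists from the configuration section and the WHITE_IP_* ranges from this section and answers, for a given packet, whether the block lists would still be consulted. It assumes that a port list is made of space-separated entries that are a single port, a low:high range, or a service name resolved from /etc/services (as iptables does for --dport), that IN lists match the destination port of incoming packets and OUT lists the destination port of outgoing ones, and that WHITE_IP_* lists are matched against the remote address. The sample configuration is constructed.

```python
"""Model of pgl's whitelist settings from /etc/pgl/pglcmd.conf.

Added example, not pgl's own code: it mirrors the WHITE_TCP_*/WHITE_UDP_*
port lists and WHITE_IP_* ranges so you can see which traffic the block
lists still apply to after a change. Assumptions: a port list is
space-separated entries that are a single port, a low:high range, or a
service name resolved from /etc/services (iptables does this for --dport);
"IN" lists match the destination port of incoming packets and "OUT" lists
the destination port of outgoing ones; WHITE_IP_* is matched against the
remote address. The sample configuration below is constructed.
"""
import ipaddress
import socket

# Constructed fallback used only when the host has no /etc/services entry.
FALLBACK_SERVICES = {"http": 80, "https": 443, "msnp": 1863, "domain": 53}

ALL_PORTS = frozenset(range(65536))


def resolve_port(token, proto):
    """Turn '80' or 'http' into an integer port for the given protocol."""
    if token.isdigit():
        port = int(token)
    else:
        try:
            port = socket.getservbyname(token, proto)
        except OSError:
            if token not in FALLBACK_SERVICES:
                raise ValueError(f"unknown service name {token!r}") from None
            port = FALLBACK_SERVICES[token]
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token!r}")
    return port


def parse_port_list(value, proto):
    """Expand a WHITE_*_{IN,OUT} value into the set of whitelisted ports."""
    ports = set()
    for item in value.split():
        low, sep, high = item.partition(":")
        if sep:
            lo, hi = resolve_port(low, proto), resolve_port(high, proto)
            if lo > hi:
                raise ValueError(f"inverted range {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(resolve_port(item, proto))
    return ports


def filtered_ports(value, proto="tcp"):
    """Ports on which the block lists still apply after this whitelist."""
    return ALL_PORTS - parse_port_list(value, proto)


def parse_conf(text):
    """Read KEY="value" lines as pglcmd.conf uses them (comments and blanks skipped)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def is_filtered(conf, direction, proto, dst_port, peer_ip):
    """True if pgl would check this packet against its block lists.

    direction is "in" or "out", proto "tcp" or "udp", dst_port the packet's
    destination port and peer_ip the remote address.
    """
    d, p = direction.upper(), proto.lower()
    if dst_port in parse_port_list(conf.get(f"WHITE_{p.upper()}_{d}", ""), p):
        return False
    for cidr in conf.get(f"WHITE_IP_{d}", "").split():
        if ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr, strict=False):
            return False
    return True


# Constructed configuration combining the page's HTTP and LAN exceptions.
SAMPLE_CONF = """\
# /etc/pgl/pglcmd.conf (constructed example)
WHITE_TCP_OUT="http https"
WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24"
"""

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(sorted(filtered_ports("0:79 81:65535")))               # [80]
    print(is_filtered(conf, "out", "tcp", 443, "203.0.113.5"))   # False: https whitelisted
    print(is_filtered(conf, "out", "tcp", 6881, "203.0.113.5"))  # True
    print(is_filtered(conf, "in", "tcp", 6881, "192.168.0.20"))  # False: LAN exempt
```

The "whitelist everything except" form from the configuration section shows why this check is worth running: filtered_ports("0:79 81:65535") is the single port 80, so a typo such as "0:79 82:65535" would silently leave port 81 filtered and "0:80 81:65535" would silently exempt the port you meant to block.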

Starting up

Once comfortable with the configuration of both the daemon and the lists, start the service:

# systemctl start pgl.service

To make sure that pgl works as intended, issue this command:

# pglcmd test

To start pgl automatically at boot, enable the unit:

# systemctl enable pgl.service