Difference between revisions of "PeerGuardian Linux"

From ArchWiki
(updated to systemd use with a new firewall section)
(Information on how to ensure pgl protects specific daemons.)
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
[[Category:Networking]]
 
[[Category:Networking]]
 
[[Category:Security]]
 
[[Category:Security]]
''PeerGuardian Linux'' (pgl) is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges). ''pgl'' is based on the Linux kernel netfilter framework and [[iptables]].
+
{{Article summary start}}
 
+
{{Article summary text|
{{Warning|''pgl'' may block your complete network/internet access! Using too many
+
''PeerGuardian Linux'' (pgl) is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges). ''pgl'' is based on the Linux kernel netfilter framework and [[iptables]].}}
and/or inappropriate lists may seriously degrade your internet service.}}
+
{{Article summary end}}
  
 
== Installation ==
 
== Installation ==
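Review bot: the {{Warning}} that ''pgl'' may block your complete network/internet access when too many or inappropriate lists are used is dropped from this hunk while the intro sentence is moved into {{Article summary text}}; keep the warning, since it is the only place the risk of locking yourself out is stated and the Configuration section still leaves the choice of lists to the reader. Also check that the Article summary templates actually render: the revision view further down shows them as bare "Template:Article summary ..." text.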
Line 10: Line 10:
  
 
== Configuration ==
 
== Configuration ==
All the configuration files are located in {{ic|/etc/pgl/}}:
+
* {{ic|/etc/pgl/blocklists.list}} contains a list of URL for retrieving the various block lists.
* {{ic|blocklists.list}} contains a list of URL for retrieving the various block lists,
+
* {{ic|/etc/pgl/pglcmd.conf}}, empty by default, overrides the default settings present in {{ic|/usr/lib/pgl/pglcmd.defaults}}.
* {{ic|pglcmd.conf}}, empty by default, overrides the default settings present in {{ic|/usr/lib/pgl/pglcmd.defaults}},
+
* {{ic|/etc/pgl/allow.p2p}} lists custom IP ranges that will not be filtered.
* {{ic|allow.p2p}} lists custom IP ranges that will not be filtered.
+
  
The most important aspect that you will want to change as soon as possible are the preconfigured block lists. The default lists in {{ic|/etc/pgl/blocklists.list}} block many potentially legitimate IP address, so use your best judgment and the information available at [http://www.iblocklist.com/ I-Blocklist] to make your choice.
+
The default lists in {{ic|/etc/pgl/blocklists.list}} block many potentially legitimate IP address.  Users are encouraged to exercise best judgment and the information available at [http://www.iblocklist.com/ I-Blocklist].
  
If you install ''pgl'' on a workstation, it is recommended to disable the filtering of HTTP connections by adding the following to {{ic|/etc/pgl/pglcmd.conf}}:
+
It is recommended to disable the filtering of HTTP connections by adding the following to {{ic|/etc/pgl/pglcmd.conf}}:
  
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_OUT="http https"</nowiki>}}
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_OUT="http https"</nowiki>}}
  
Also, depending on the lists you use, some program might not be able to reach the outside world. For instance, if you use MSN for instant messaging, you will need to add port 1863 to the white list:
+
Some program might not be able to reach the outside world. For instance, users of MSN for instant messaging, will need to add port 1863 to the white list:
  
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_OUT="http https msnp"</nowiki>}}
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_OUT="http https msnp"</nowiki>}}
  
Conversely, you could white list all the ports except the ones used by the program you are trying to restrain. The following example only use the block lists to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):
+
Conversely, one could white list all the ports except the ones used by the program to be blocked. The following example only use the block lists to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):
  
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_IN="0:79 81:65535"
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_IN="0:79 81:65535"
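Review bot: grammar in the reworded lines: "a list of URL" should be "a list of URLs", "legitimate IP address" should be "IP addresses", "Some program might" should be "Some programs might", "users of MSN for instant messaging, will need" has a stray comma, and "The following example only use" should be "only uses". The example also whitelists everything except TCP 80 and UDP 53 rather than both ports on both protocols, so the sentence could read "incoming traffic on UDP port 53 (DNS) and TCP port 80 (HTTP)".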
Line 31: Line 30:
  
 
=== Firewall ===
 
=== Firewall ===
 
+
Create {{ic|/etc/systemd/system/pgl.service}} pasting the following to ensure that ''pgl'' only starts '''after''' all the rules have been properly set up. This example must be adapted to work with other firewalls (ufw, shorewall, etc.):
Since it is best to start ''pgl'' after your iptables based firewall, you should create an override for pgl.service by editing {{ic|/etc/systemd/system/pgl.service}} and adding your firewall service to the "After=" argument. This will ensure that ''pgl'' only starts '''after''' all the rules have been properly set up.
+
 
+
Here is an example when using the [[Uncomplicated Firewall]]:
+
  
 
{{hc|/etc/systemd/system/pgl.service|2=<nowiki>
 
{{hc|/etc/systemd/system/pgl.service|2=<nowiki>
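Review bot: the rewritten instruction tells the reader to create /etc/systemd/system/pgl.service but no longer says how systemd is made to pick up the new file; the previous wording described it as an override and was followed by a command for already-enabled units. Add a "systemctl daemon-reload" (or "systemctl reenable pgl.service") step after the file is written, otherwise systemd keeps using the unit definition it has already loaded. It would also help to state that a full unit in /etc/systemd/system takes precedence over the packaged one, which is why the .include line is needed.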
Line 40: Line 36:
  
 
[Unit]
 
[Unit]
After=ufw.service
+
After=iptables.service</nowiki>}}
</nowiki>}}
+
  
If you have already enabled the pgl.service, type the following command to update systemd:
+
=== Server ===
 +
[[systemd]] initialization of the system means that it's quite possible for a server to be briefly unprotected, prior to ''pgl'' launch. To ensure adequate protection, create a service file named after the original server (i.e. {{ic|/etc/systemd/system/httpd.service}} and paste the following:
  
{{bc|# systemctl reenable pgl.service}}
+
{{hc|/etc/systemd/system/httpd.service|2=<nowiki>
 +
.include /usr/lib/systemd/system/httpd.service
 +
 
 +
[Unit]
 +
Wants=pgl.service
 +
After=pgl.service</nowiki>}}
  
 
=== LAN ===
 
=== LAN ===
  
By default, ''pgl'' does not block traffic on your local IPv4 addresses. To enable this behavior, you need to manually install the [https://www.archlinux.org/packages/?q=net-tools net-tools] package or use the WHITE_IP_* settings as described below.
+
By default, ''pgl'' blocks traffic on the local IPv4 addresses. To disable this behavior, edit {{ic|/etc/pgl/pglcmd.conf}} to add an exception using the WHITE_IP_* setting:
 
+
Let us say that ''pgl'' is installed on your workstation (192.168.0.5) and you want to reach some services on another computer (192.168.0.1) on your LAN. Simply add the following to {{ic|/etc/pgl/pglcmd.conf}}:
+
  
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_IP_OUT="192.168.0.0/24"</nowiki>}}
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_IP_OUT="192.168.0.0/24"</nowiki>}}
 
If your workstation also hosts services that you would make available to your LAN, add:
 
 
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_IP_IN="192.168.0.0/24"</nowiki>}}
 
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_IP_IN="192.168.0.0/24"</nowiki>}}
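Review bot: the LAN paragraph now states the opposite of the previous text ("does not block traffic on your local IPv4 addresses" became "blocks traffic on the local IPv4 addresses") and neither edit summary gives the reason; please confirm the default against /usr/lib/pgl/pglcmd.defaults before the reversal stands. Keep the worked example (workstation 192.168.0.5 reaching services on 192.168.0.1) and the sentence introducing WHITE_IP_IN, since the two config blocks now follow each other with no text explaining when OUT versus IN applies. In the new Server section, "i.e. {{ic|/etc/systemd/system/httpd.service}} and paste" is missing its closing parenthesis and should read "e.g.".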
  
Line 63: Line 59:
 
== Starting up ==
 
== Starting up ==
  
Once you are comfortable with the configuration of both the daemon and lists, type in:
+
Once comfortable with the configuration of both the daemon and lists, type in:
  
 
{{bc|# systemctl start pgl.service}}
 
{{bc|# systemctl start pgl.service}}
Line 71: Line 67:
 
{{bc|# pglcmd test}}
 
{{bc|# pglcmd test}}
  
Should you want ''pgl'' to run automatically, use the following syntax to activate it:
+
To start ''pgl'' automatically, use the following syntax to activate it:
  
 
{{bc|# systemctl enable pgl.service}}
 
{{bc|# systemctl enable pgl.service}}

Revision as of 15:04, 23 May 2013


Installation

There are two AUR packages to choose from: pgl-cli includes only the daemon and CLI tools, while pgl comes complete with a GUI (written using Qt).

Configuration

  • /etc/pgl/blocklists.list contains the list of URLs from which the various block lists are retrieved.
  • /etc/pgl/pglcmd.conf, empty by default, overrides the default settings present in /usr/lib/pgl/pglcmd.defaults.
  • /etc/pgl/allow.p2p lists custom IP ranges that will not be filtered.

The default lists in /etc/pgl/blocklists.list block many potentially legitimate IP addresses. Users are encouraged to exercise their best judgment, using the information available at I-Blocklist, when choosing which lists to enable.

It is recommended to disable the filtering of outgoing HTTP and HTTPS connections by adding the following to /etc/pgl/pglcmd.conf:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https"

Depending on the lists in use, some programs might not be able to reach the outside world. For instance, users of MSN instant messaging will need to add port 1863 (msnp) to the white list:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https msnp"

Conversely, one could white list all the ports except the ones used by the program to be blocked. The following example only uses the block lists to stop incoming traffic on UDP port 53 (DNS) and TCP port 80 (HTTP):

/etc/pgl/pglcmd.conf
WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"
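As an added example (not part of the ArchWiki page or the pgl project), the following Python script works out which ports a WHITE_TCP_*/WHITE_UDP_* setting still leaves under block-list control, so a whitelist like the ones above can be checked before pgl is started; the service-name table is a constructed stand-in for the /etc/services lookups pglcmd performs on the host.

```python
import re

# Constructed name table standing in for /etc/services lookups (assumption: the real
# pglcmd resolves service names on the host; only names mentioned on this page appear).
SERVICE_PORTS = {"http": 80, "https": 443, "msnp": 1863, "domain": 53}
ALL_PORTS = frozenset(range(65536))

def parse_port_spec(spec):
    """Expand a pglcmd port list such as 'http https msnp' or '0:79 81:65535'
    into the set of whitelisted port numbers."""
    ports = set()
    for item in spec.split():
        m = re.fullmatch(r"(\d+)(?::(\d+))?", item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        elif item in SERVICE_PORTS:
            lo = hi = SERVICE_PORTS[item]
        else:
            raise ValueError(f"unknown service name or port: {item!r}")
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def filtered_ports(spec):
    """Ports NOT whitelisted, i.e. still matched against the block lists."""
    return ALL_PORTS - parse_port_spec(spec)

def as_ranges(ports):
    """Collapse a set of ports into sorted (lo, hi) tuples for readable output."""
    ranges = []
    for p in sorted(ports):
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return [tuple(r) for r in ranges]

def audit(conf_text):
    """For each WHITE_{TCP,UDP}_{IN,OUT} line in pglcmd.conf text, report the port
    ranges still subject to the block lists; an empty list means nothing is filtered."""
    pattern = r'^(WHITE_(?:TCP|UDP)_(?:IN|OUT))="([^"]*)"'
    return {m.group(1): as_ranges(filtered_ports(m.group(2)))
            for m in re.finditer(pattern, conf_text, re.MULTILINE)}

# Constructed pglcmd.conf fragment combining the whitelist examples from this page.
SAMPLE_CONF = 'WHITE_TCP_OUT="http https msnp"\nWHITE_TCP_IN="0:79 81:65535"\nWHITE_UDP_IN="0:52 54:65535"\n'
if __name__ == "__main__":
    for var, ranges in audit(SAMPLE_CONF).items():
        print(f"{var}: still filtered -> {ranges}")
```

A setting whose report comes back as an empty list has whitelisted every port, which means pgl is no longer filtering that direction at all.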

Firewall

Create /etc/systemd/system/pgl.service with the following content to ensure that pgl only starts after all the firewall rules have been properly set up (a unit file in /etc/systemd/system takes precedence over the one shipped in /usr/lib/systemd/system). The After= line must be adapted for other firewalls (ufw, shorewall, etc.):

/etc/systemd/system/pgl.service
.include /usr/lib/systemd/system/pgl.service

[Unit]
After=iptables.service

Server

Because systemd starts services in parallel, a server daemon can be running for a short time before pgl has loaded its rules. To ensure the daemon is protected from the start, create a unit file named after the original service (e.g. /etc/systemd/system/httpd.service) and paste the following:

/etc/systemd/system/httpd.service
.include /usr/lib/systemd/system/httpd.service

[Unit]
Wants=pgl.service
After=pgl.service
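As an added example (not from the ArchWiki page or the pgl project), the following Python checks that a daemon override like the one above really chains the start-up ordering daemon -> pgl.service -> firewall; the packaged unit texts are constructed stand-ins for the files under /usr/lib/systemd/system, and the `.include` handling mirrors the overrides shown in this section.

```python
# Constructed stand-ins for the packaged units under /usr/lib/systemd/system;
# only their [Unit] sections matter here (not the real files).
PACKAGED_UNITS = {
    "/usr/lib/systemd/system/httpd.service": "[Unit]\nDescription=Apache Web Server\nAfter=network.target\n",
    "/usr/lib/systemd/system/pgl.service": "[Unit]\nDescription=PeerGuardian Linux\nAfter=network.target\n",
}
# The two overrides exactly as this page gives them.
HTTPD_OVERRIDE = ".include /usr/lib/systemd/system/httpd.service\n\n[Unit]\nWants=pgl.service\nAfter=pgl.service\n"
PGL_OVERRIDE = ".include /usr/lib/systemd/system/pgl.service\n\n[Unit]\nAfter=iptables.service\n"

def parse_unit(text, includes):
    """Parse a unit into {section: {key: [values]}}, expanding the legacy '.include'
    directive. After=/Wants= style lists accumulate; an empty assignment resets them."""
    def lines_of(src):
        for raw in src.splitlines():
            if raw.startswith(".include "):
                yield from lines_of(includes[raw[9:].strip()])
            else:
                yield raw
    unit, section = {}, None
    for line in lines_of(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = unit.setdefault(line[1:-1], {})
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line!r}")
        key, _, value = line.partition("=")
        bucket = section.setdefault(key.strip(), [])
        if value.split():
            bucket.extend(value.split())
        else:
            bucket.clear()
    return unit

def ordering_problems(daemon_text, pgl_text, firewall="iptables.service"):
    """List reasons the daemon could be running before pgl has loaded its rules;
    an empty list means the chain daemon -> pgl -> firewall holds."""
    d = parse_unit(daemon_text, PACKAGED_UNITS).get("Unit", {})
    p = parse_unit(pgl_text, PACKAGED_UNITS).get("Unit", {})
    problems = []
    if "pgl.service" not in d.get("Wants", []):
        problems.append("daemon does not pull in pgl.service (Wants=), so pgl may never start")
    if "pgl.service" not in d.get("After", []):
        problems.append("daemon is not ordered After=pgl.service, so both may start in parallel")
    if firewall not in p.get("After", []):
        problems.append(f"pgl.service is not ordered After={firewall}")
    return problems
```

Note that After= alone only orders the two units; without Wants= the daemon can start on a boot where nothing else pulls pgl in, which is why the override carries both lines.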

LAN

By default, pgl also filters traffic to and from the local IPv4 addresses against the block lists. To disable this behavior, edit /etc/pgl/pglcmd.conf and add an exception using the WHITE_IP_* settings. For outgoing connections to other hosts on the LAN (here 192.168.0.0/24):

/etc/pgl/pglcmd.conf
WHITE_IP_OUT="192.168.0.0/24"

If the workstation also hosts services that should be reachable from the LAN, add:

/etc/pgl/pglcmd.conf
WHITE_IP_IN="192.168.0.0/24"

For further information, please refer to the # Whitelist IPs # section of /usr/lib/pgl/pglcmd.defaults.

Starting up

Once comfortable with the configuration of both the daemon and lists, type in:

# systemctl start pgl.service

To make sure that pgl works as intended, issue this command:

# pglcmd test

To start pgl automatically at boot, enable the service:

# systemctl enable pgl.service