Difference between revisions of "PeerGuardian Linux"

From ArchWiki
Jump to: navigation, search
m (fixed category)
m (add ja link)
 
(9 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
[[Category:Firewalls]]
 
[[Category:Firewalls]]
{{Article summary start}}
+
[[ja:PeerGuardian Linux]]
{{Article summary text|
+
[http://sourceforge.net/projects/peerguardian/ PeerGuardian Linux] (''pgl'') is a privacy oriented firewall application.  It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges). ''pgl'' is based on the Linux kernel [[Wikipedia:Netfilter|netfilter]] framework and [[iptables]].  
''PeerGuardian Linux'' (pgl) is a privacy oriented firewall application.  It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges). ''pgl'' is based on the Linux kernel netfilter framework and [[iptables]].}}
+
 
{{Article summary end}}
+
A more native, efficient solution to achieve the same end is to use the [[ipset]] kernel module in conjunction with the pg2ipset tool and the ipset-update script.
  
 
== Installation ==
 
== Installation ==
There are two [[AUR]] packages to choose from: [https://aur.archlinux.org/packages.php?ID=51838 pgl-cli] includes only the daemon and CLI tools, while [https://aur.archlinux.org/packages.php?ID=51839 pgl] comes complete with a GUI (written using Qt).
+
 
 +
There are two [[AUR]] packages to choose from: {{AUR|pgl-cli}} includes only the daemon and CLI tools, while {{AUR|pgl}} comes complete with a GUI (written using Qt).
  
 
== Configuration ==
 
== Configuration ==
 +
 
* {{ic|/etc/pgl/blocklists.list}} contains a list of URL for retrieving the various block lists.
 
* {{ic|/etc/pgl/blocklists.list}} contains a list of URL for retrieving the various block lists.
 
* {{ic|/etc/pgl/pglcmd.conf}}, empty by default, overrides the default settings present in {{ic|/usr/lib/pgl/pglcmd.defaults}}.
 
* {{ic|/etc/pgl/pglcmd.conf}}, empty by default, overrides the default settings present in {{ic|/usr/lib/pgl/pglcmd.defaults}}.
Line 17: Line 19:
 
It is recommended to disable the filtering of HTTP connections by adding the following to {{ic|/etc/pgl/pglcmd.conf}}:
 
It is recommended to disable the filtering of HTTP connections by adding the following to {{ic|/etc/pgl/pglcmd.conf}}:
  
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_OUT="http https"</nowiki>}}
+
{{hc|/etc/pgl/pglcmd.conf|2=WHITE_TCP_OUT="http https"}}
  
 
Some program might not be able to reach the outside world. For instance, users of MSN for instant messaging, will need to add port 1863 to the white list:
 
Some program might not be able to reach the outside world. For instance, users of MSN for instant messaging, will need to add port 1863 to the white list:
  
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_OUT="http https msnp"</nowiki>}}
+
{{hc|/etc/pgl/pglcmd.conf|2=WHITE_TCP_OUT="http https msnp"}}
  
 
Conversely, one could white list all the ports except the ones used by the program to be blocked. The following example only use the block lists to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):
 
Conversely, one could white list all the ports except the ones used by the program to be blocked. The following example only use the block lists to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):
  
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_TCP_IN="0:79 81:65535"
+
{{hc|/etc/pgl/pglcmd.conf|2=WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"</nowiki>}}
+
WHITE_UDP_IN="0:52 54:65535"}}
  
=== Firewall ===
+
=== Server ===
Create {{ic|/etc/systemd/system/pgl.service}} pasting the following to ensure that ''pgl'' only starts '''after''' all the rules have been properly set up. This example must be adapted to work with other firewalls (ufw, shorewall, etc.):
+
 
+
{{hc|/etc/systemd/system/pgl.service|2=<nowiki>
+
.include /usr/lib/systemd/system/pgl.service
+
 
+
[Unit]
+
After=iptables.service</nowiki>}}
+
  
=== Server ===
 
 
[[systemd]] initialization of the system means that it's quite possible for a server to be briefly unprotected, prior to ''pgl'' launch. To ensure adequate protection, create a service file named after the original server (i.e. {{ic|/etc/systemd/system/httpd.service}} and paste the following:
 
[[systemd]] initialization of the system means that it's quite possible for a server to be briefly unprotected, prior to ''pgl'' launch. To ensure adequate protection, create a service file named after the original server (i.e. {{ic|/etc/systemd/system/httpd.service}} and paste the following:
  
{{hc|/etc/systemd/system/httpd.service|2=<nowiki>
+
{{hc|/etc/systemd/system/httpd.service|2=
 
.include /usr/lib/systemd/system/httpd.service
 
.include /usr/lib/systemd/system/httpd.service
  
 
[Unit]
 
[Unit]
 
Wants=pgl.service
 
Wants=pgl.service
After=pgl.service</nowiki>}}
+
After=pgl.service
 +
}}
  
 
=== LAN ===
 
=== LAN ===
  
By default, ''pgl'' blocks traffic on the local IPv4 addresses. To disable this behavior, edit {{ic|/etc/pgl/pglcmd.conf}} to add an exception using the WHITE_IP_* setting:
+
By default, ''pgl'' blocks traffic on the local IPv4 addresses. To disable this behavior, edit {{ic|/etc/pgl/pglcmd.conf}} to add an exception using the ''WHITE_IP_*'' setting:
  
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_IP_OUT="192.168.0.0/24"</nowiki>}}
+
{{hc|/etc/pgl/pglcmd.conf|2=WHITE_IP_OUT="192.168.0.0/24"}}
{{hc|/etc/pgl/pglcmd.conf|2=<nowiki>WHITE_IP_IN="192.168.0.0/24"</nowiki>}}
+
{{hc|/etc/pgl/pglcmd.conf|2=WHITE_IP_IN="192.168.0.0/24"}}
  
For further information, please refer to the # Whitelist IPs # section of {{ic|/usr/lib/pgl/pglcmd.defaults}}.
+
For further information, please refer to the {{ic|# Whitelist IPs #}} section of {{ic|/usr/lib/pgl/pglcmd.defaults}}.
  
 
== Starting up ==
 
== Starting up ==
  
Once comfortable with the configuration of both the daemon and lists, type in:
+
Once comfortable with the configuration of both the daemon and lists, start the {{ic|pgl}} [[daemon|service]]. To make sure that ''pgl'' works as intended, issue this command:
  
{{bc|# systemctl start pgl.service}}
+
# pglcmd test
  
To make sure that ''pgl'' works as intended, issue this command:
+
To start ''pgl'' automatically at boot, enable the {{ic|pgl}} service.
  
{{bc|# pglcmd test}}
+
== Running pgl from within a container ==
 +
 
 +
Users running pgl within a [[Linux Container]] may need to modify the package included {{ic|lxc@.service}} to include the loading of key modules needed by pgl.
 +
 
 +
{{hc|/etc/systemd/system/lxc@.service|<nowiki>
 +
[Unit]
 +
Description=%i LXC
 +
After=network.target
  
To start ''pgl'' automatically, use the following syntax to activate it:
+
[Service]
 +
Type=forking
 +
ExecStartPre=/usr/bin/modprobe -a xt_NFQUEUE xt_mark xt_iprange
 +
ExecStart=/usr/bin/lxc-start -d -n %i
 +
ExecStop=/usr/bin/lxc-stop -n %i
 +
Delegate=true
  
{{bc|# systemctl enable pgl.service}}
+
[Install]
 +
WantedBy=multi-user.target
 +
</nowiki>}}

Latest revision as of 04:16, 9 August 2015

PeerGuardian Linux (pgl) is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges). pgl is based on the Linux kernel netfilter framework and iptables.

A more native, efficient solution to achieve the same end is to use the ipset kernel module in conjunction with the pg2ipset tool and the ipset-update script.

Installation

There are two AUR packages to choose from: pgl-cliAUR includes only the daemon and CLI tools, while pglAUR comes complete with a GUI (written using Qt).

Configuration

  • /etc/pgl/blocklists.list contains a list of URL for retrieving the various block lists.
  • /etc/pgl/pglcmd.conf, empty by default, overrides the default settings present in /usr/lib/pgl/pglcmd.defaults.
  • /etc/pgl/allow.p2p lists custom IP ranges that will not be filtered.

The default lists in /etc/pgl/blocklists.list block many potentially legitimate IP address. Users are encouraged to exercise best judgment and the information available at I-Blocklist.

It is recommended to disable the filtering of HTTP connections by adding the following to /etc/pgl/pglcmd.conf:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https"

Some program might not be able to reach the outside world. For instance, users of MSN for instant messaging, will need to add port 1863 to the white list:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https msnp"

Conversely, one could white list all the ports except the ones used by the program to be blocked. The following example only use the block lists to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):

/etc/pgl/pglcmd.conf
WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"

Server

systemd initialization of the system means that it's quite possible for a server to be briefly unprotected, prior to pgl launch. To ensure adequate protection, create a service file named after the original server (i.e. /etc/systemd/system/httpd.service and paste the following:

/etc/systemd/system/httpd.service
.include /usr/lib/systemd/system/httpd.service

[Unit]
Wants=pgl.service
After=pgl.service

LAN

By default, pgl blocks traffic on the local IPv4 addresses. To disable this behavior, edit /etc/pgl/pglcmd.conf to add an exception using the WHITE_IP_* setting:

/etc/pgl/pglcmd.conf
WHITE_IP_OUT="192.168.0.0/24"
/etc/pgl/pglcmd.conf
WHITE_IP_IN="192.168.0.0/24"

For further information, please refer to the # Whitelist IPs # section of /usr/lib/pgl/pglcmd.defaults.

Starting up

Once comfortable with the configuration of both the daemon and lists, start the pgl service. To make sure that pgl works as intended, issue this command:

# pglcmd test

To start pgl automatically at boot, enable the pgl service.

Running pgl from within a container

Users running pgl within a Linux Container may need to modify the package included lxc@.service to include the loading of key modules needed by pgl.

/etc/systemd/system/lxc@.service
[Unit]
Description=%i LXC
After=network.target

[Service]
Type=forking
ExecStartPre=/usr/bin/modprobe -a xt_NFQUEUE xt_mark xt_iprange
ExecStart=/usr/bin/lxc-start -d -n %i
ExecStop=/usr/bin/lxc-stop -n %i
Delegate=true

[Install]
WantedBy=multi-user.target