PeerGuardian Linux (pgl) is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges). pgl is based on the Linux kernel netfilter framework and iptables.
There are two AUR packages to choose from: AUR includes only the daemon and CLI tools, while AUR comes complete with a GUI (written using Qt).
/etc/pgl/blocklists.listcontains a list of URL for retrieving the various block lists.
/etc/pgl/pglcmd.conf, empty by default, overrides the default settings present in
/etc/pgl/allow.p2plists custom IP ranges that will not be filtered.
The default lists in
/etc/pgl/blocklists.list block many potentially legitimate IP address. Users are encouraged to exercise best judgment and the information available at I-Blocklist.
It is recommended to disable the filtering of HTTP connections by adding the following to
Some program might not be able to reach the outside world. For instance, users of MSN for instant messaging, will need to add port 1863 to the white list:
WHITE_TCP_OUT="http https msnp"
Conversely, one could white list all the ports except the ones used by the program to be blocked. The following example only use the block lists to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):
WHITE_TCP_IN="0:79 81:65535" WHITE_UDP_IN="0:52 54:65535"
/etc/systemd/system/pgl.service pasting the following to ensure that pgl only starts after all the rules have been properly set up. This example must be adapted to work with other firewalls (ufw, shorewall, etc.):
.include /usr/lib/systemd/system/pgl.service [Unit] After=iptables.service
systemd initialization of the system means that it's quite possible for a server to be briefly unprotected, prior to pgl launch. To ensure adequate protection, create a service file named after the original server (i.e.
/etc/systemd/system/httpd.service and paste the following:
.include /usr/lib/systemd/system/httpd.service [Unit] Wants=pgl.service After=pgl.service
By default, pgl blocks traffic on the local IPv4 addresses. To disable this behavior, edit
/etc/pgl/pglcmd.conf to add an exception using the WHITE_IP_* setting:
For further information, please refer to the # Whitelist IPs # section of
Once comfortable with the configuration of both the daemon and lists, type in:
# systemctl start pgl.service
To make sure that pgl works as intended, issue this command:
# pglcmd test
To start pgl automatically, use the following syntax to activate it:
# systemctl enable pgl.service