PeerGuardian Linux (pgl) is a privacy-oriented firewall application. It blocks connections to and from hosts listed in very large block lists (thousands or millions of IP ranges). pgl is built on the Linux kernel netfilter framework and iptables.
All the configuration files are located in
blocklists.list contains a list of URLs for retrieving the various block lists,
pglcmd.conf, empty by default, overrides the default settings present in
allow.p2p lists custom IP ranges that will not be filtered.
The most important setting that you will want to change as soon as possible is the set of preconfigured block lists. The default lists in
/etc/pgl/blocklists.list block many potentially legitimate IP addresses, so use your best judgment and the information available at I-Blocklist to make your choice.
If you install pgl on a workstation, it is recommended to disable the filtering of HTTP connections by adding the following to
Also, depending on the lists you use, some programs might not be able to reach the outside world. For instance, if you use MSN for instant messaging, you will need to add port 1863 to the whitelist:
WHITE_TCP_OUT="http https msnp"
Conversely, you could whitelist all the ports except the ones used by the program you are trying to restrain. The following example only uses the block lists to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):
WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"
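An "everything except X" whitelist like the one above is easy to get wrong by one port, and the mistake only shows up when a service silently stops being filtered. The following helper is an added example (not part of pgl or pglcmd) that parses WHITE_TCP_IN / WHITE_UDP_IN style assignments, expands the space-separated single ports and iptables-style "low:high" ranges, and reports which ports are left subject to the block lists. The SAMPLE_CONF text is constructed here from the page's own example values; service names such as "http" are resolved through the local /etc/services via socket.getservbyname.

```python
"""Audit pglcmd.conf WHITE_*_IN/OUT port whitelists (added example, not pgl code).

pglcmd expresses whitelisted ports as space-separated entries, each a single
port (number or service name) or an iptables-style range "low:high". This
helper computes the complement, i.e. the ports that remain filtered by the
block lists, so an "everything except X" whitelist can be checked before the
daemon is restarted.
"""
import re
import socket

# Constructed sample mirroring the fragment shown on the page as it would
# appear in /etc/pgl/pglcmd.conf.
SAMPLE_CONF = """
WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"
"""

# Matches lines such as  WHITE_TCP_IN="0:79 81:65535"  (quotes optional).
_ASSIGN = re.compile(
    r'^\s*(WHITE_(?:TCP|UDP)_(?:IN|OUT))\s*=\s*"?([^"\n]*)"?\s*$', re.M
)


def _port_number(token, proto):
    """Turn '80' or 'http' into an integer port, validating the range."""
    if token.isdigit():
        port = int(token)
    else:
        # Service names are looked up in the local services database.
        port = socket.getservbyname(token, proto)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token!r}")
    return port


def parse_port_spec(spec, proto="tcp"):
    """Expand 'a:b c d:e' into the set of whitelisted port numbers."""
    ports = set()
    for tok in spec.split():
        if ":" in tok:
            lo_s, hi_s = tok.split(":", 1)
            lo, hi = _port_number(lo_s, proto), _port_number(hi_s, proto)
        else:
            lo = hi = _port_number(tok, proto)
        if lo > hi:
            raise ValueError(f"reversed range: {tok!r}")
        ports.update(range(lo, hi + 1))
    return ports


def filtered_ports(conf_text):
    """Map each WHITE_* variable to the sorted list of ports it leaves filtered."""
    result = {}
    for name, spec in _ASSIGN.findall(conf_text):
        proto = "tcp" if "_TCP_" in name else "udp"
        whitelisted = parse_port_spec(spec, proto)
        result[name] = sorted(set(range(65536)) - whitelisted)
    return result


if __name__ == "__main__":
    for var, ports in filtered_ports(SAMPLE_CONF).items():
        print(f"{var}: still filtered -> {ports}")
```

Run it against your real /etc/pgl/pglcmd.conf by replacing SAMPLE_CONF with the file's contents; for the page's example the output is exactly port 80 for TCP and port 53 for UDP, which confirms the ranges meet at the right boundaries.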
Since it is best to start pgl after your iptables-based firewall, you should create an override for pgl.service by editing
/etc/systemd/system/pgl.service and adding your firewall service to the "After=" directive. This ensures that pgl only starts after all the firewall rules have been properly set up.
Here is an example when using the Uncomplicated Firewall:
.include /usr/lib/systemd/system/pgl.service
[Unit]
After=ufw.service
If you have already enabled pgl.service, type the following command to update systemd:
# systemctl reenable pgl.service
By default, pgl does not block traffic on your local IPv4 addresses. To enable this behaviour, you need to manually install the net-tools package or use the WHITE_IP_* settings described below.
Let us say that pgl is installed on your workstation (192.168.0.5) and you want to reach some services on another computer (192.168.0.1) on your LAN. Simply add the following to
If your workstation also hosts services that you would make available to your LAN, add:
For further information, please refer to the # Whitelist IPs # section of
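Before restarting the daemon it is worth confirming that the LAN host you expect to reach is actually covered by a whitelist entry. The block below is an added example, not part of pgl: it parses an allow.p2p style file (the PeerGuardian "p2p" plaintext format, one range per line as description:first_ip-last_ip) and answers whether a given address is whitelisted. The SAMPLE_ALLOW_P2P contents and the "Home printer" entry are constructed for the page's LAN scenario (workstation 192.168.0.5, services on 192.168.0.1).

```python
"""Check an address against an allow.p2p style whitelist (added example, not pgl code).

Each non-comment line of the p2p format is  description:first_ip-last_ip .
The description may itself contain ':', so the range is taken from the last
colon onwards. Malformed or reversed ranges are reported with their line
number instead of being silently skipped, because a skipped entry would mean
the host stays filtered without any warning.
"""
import ipaddress

# Constructed sample mirroring the page's LAN scenario.
SAMPLE_ALLOW_P2P = """\
# custom whitelist (constructed example)
LAN gateway services:192.168.0.1-192.168.0.1
Home printer:192.168.0.20-192.168.0.25
"""


def parse_p2p(text):
    """Return a list of (description, first_ip, last_ip) tuples."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        desc, sep, span = line.rpartition(":")
        if not sep:
            raise ValueError(f"line {lineno}: missing ':' separator")
        try:
            first, last = (
                ipaddress.IPv4Address(p.strip()) for p in span.split("-", 1)
            )
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad range {span!r}") from exc
        if first > last:
            raise ValueError(f"line {lineno}: range {span!r} is reversed")
        ranges.append((desc, first, last))
    return ranges


def whitelisted(ip, ranges):
    """Return the description of the first range containing ip, else None."""
    addr = ipaddress.IPv4Address(ip)
    for desc, first, last in ranges:
        if first <= addr <= last:
            return desc
    return None


if __name__ == "__main__":
    entries = parse_p2p(SAMPLE_ALLOW_P2P)
    for host in ("192.168.0.1", "192.168.0.22", "192.168.0.5"):
        print(host, "->", whitelisted(host, entries))
```

To check a real installation, read /etc/pgl/allow.p2p into parse_p2p and query the addresses you care about; a None result for a LAN host means no entry covers it and pgl will keep applying the block lists to that traffic.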
Once you are comfortable with the configuration of both the daemon and lists, type in:
# systemctl start pgl.service
To make sure that pgl works as intended, issue this command:
# pglcmd test
Should you want pgl to run automatically, use the following syntax to activate it:
# systemctl enable pgl.service