PeerGuardian Linux

PeerGuardian Linux (pgl) is a privacy-oriented firewall application. It blocks connections to and from hosts listed in large block lists (thousands or millions of IP ranges). pgl is built on the Linux kernel netfilter framework and iptables.

A more native, efficient solution to achieve the same end is to use the ipset kernel module in conjunction with the pg2ipset tool and the ipset-update script.

Installation

There are two AUR packages to choose from: pgl-cli (AUR) includes only the daemon and CLI tools, while pgl (AUR) comes complete with a GUI written in Qt.

Configuration

  • /etc/pgl/blocklists.list contains a list of URLs from which the various block lists are retrieved.
  • /etc/pgl/pglcmd.conf, empty by default, overrides the default settings present in /usr/lib/pgl/pglcmd.defaults.
  • /etc/pgl/allow.p2p lists custom IP ranges that will not be filtered.

The default lists in /etc/pgl/blocklists.list block many potentially legitimate IP addresses. Users are encouraged to exercise their best judgment and to consult the information available at I-Blocklist.

It is recommended to disable the filtering of HTTP connections by adding the following to /etc/pgl/pglcmd.conf:

/etc/pgl/pglcmd.conf
WHITE_TCP_OUT="http https"

Conversely, one could whitelist all ports except the ones used by the program whose traffic should be blocked. The following example applies the block lists only to incoming traffic on ports 53 (DNS, UDP) and 80 (HTTP, TCP):

/etc/pgl/pglcmd.conf
WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"
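Writing the complementary ranges by hand gets error-prone once more than one or two ports are involved. The following shell script is an added example, not part of pgl or of this wiki page: the functions complement_ports and emit_pglcmd_conf are my own names, and the only assumption is pglcmd's space-separated "low:high" range syntax shown above.

```shell
#!/bin/sh
# Added example (not part of pgl): build a pglcmd WHITE_*_IN value that
# whitelists every port EXCEPT the ones given, so the block lists apply
# only to those ports. Output uses pglcmd's "low:high" ranges separated
# by spaces. Ports are sorted and de-duplicated, adjacent ports collapse
# into one gap, and the 0 / 65535 edges are handled.
complement_ports() {
    prev=-1
    out=""
    for p in $(printf '%s\n' "$@" | sort -n | uniq); do
        case "$p" in
            ''|*[!0-9]*) echo "complement_ports: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "complement_ports: port $p out of range" >&2; return 1
        fi
        lo=$((prev + 1))
        # Emit the gap between the previous blocked port and this one.
        if [ "$lo" -le $((p - 1)) ]; then
            out="$out${out:+ }$lo:$((p - 1))"
        fi
        prev=$p
    done
    # Trailing range up to the last port number, unless 65535 is blocked.
    if [ "$prev" -lt 65535 ]; then
        out="$out${out:+ }$((prev + 1)):65535"
    fi
    printf '%s\n' "$out"
}

# Reproduce the two lines from the example above for /etc/pgl/pglcmd.conf:
# block lists apply only to incoming TCP 80 and UDP 53.
emit_pglcmd_conf() {
    printf 'WHITE_TCP_IN="%s"\n' "$(complement_ports 80)"
    printf 'WHITE_UDP_IN="%s"\n' "$(complement_ports 53)"
}
```

Redirect the output of emit_pglcmd_conf into /etc/pgl/pglcmd.conf, or call complement_ports directly with the set of ports you want the lists applied to.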

Server

Because systemd starts services in parallel, a server may be briefly unprotected before pgl has launched. To ensure adequate protection, extend httpd.service with the following drop-in:

/etc/systemd/system/httpd.service.d/override.conf
[Unit]
Wants=pgl.service
After=pgl.service

LAN

By default, pgl also blocks traffic on local IPv4 addresses. To disable this behavior, add an exception to /etc/pgl/pglcmd.conf using the WHITE_IP_* settings:

/etc/pgl/pglcmd.conf
WHITE_IP_OUT="192.168.0.0/24"

For further information, refer to the corresponding section of /usr/lib/pgl/pglcmd.defaults.

Starting up

Once comfortable with the configuration of both the daemon and lists, start the service. To make sure that pgl works as intended, issue this command:

# pglcmd test

To start pgl automatically at boot, enable the service.

Running pgl from within a container

Users running pgl within a Linux Container may need to edit the included unit file so that it loads the kernel modules pgl needs before the container starts.

/etc/systemd/system/lxc@.service
[Unit]
Description=%i LXC
After=network.target

[Service]
Type=forking
ExecStartPre=/usr/bin/modprobe -a xt_NFQUEUE xt_mark xt_iprange
ExecStart=/usr/bin/lxc-start -d -n %i
ExecStop=/usr/bin/lxc-stop -n %i
Delegate=true

[Install]
WantedBy=multi-user.target
This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.