Re: General MoBlock thread
Hi,
I have come across an error message in /var/log/pgl/pgld.log:
Code:
ERROR: Unbinding from queue '23552', recv returned No buffer space available
using version 2.2.1
I have read something about it on this forum in post #131
and
http://www.vyatta.org/forum/viewtopi...43bca4c26909b7
but did not understand much.
Could you please let me know where to increase this buffer ?
Is it possible to do it without changing source code ?
thank you,
kind regards,
M.
Re: General MoBlock thread
Hi,
I have come across a nice idea to block ICMP from the internet but allow it from the intranet:
http://serverfault.com/questions/849...not-block-icmp
Quote:
Copy/Paste from the web site:
# --- I allow ICMP traffic from local intranet, block it from Internet.
# --- That way my server is all but invisible online (it responds only on a non standard SSH port).
iptables -I INPUT 7 -d 208.180.X.X -p icmp --icmp-type 8 -j DROP
iptables -I INPUT 8 -d 208.180.X.X -p icmp --icmp-type 0 -j DROP
iptables -I INPUT 9 -d 208.180.X.X -p icmp --icmp-type 11 -j DROP
# --- This inserts it after the standard loopback, established, LAN whitelist, VOIP provider whitelist, and SSH port ACCEPTs. I allow the traffic I want, and then do my best to keep the server invisible to the rest of the world.
so I changed it to (in /etc/pgl/iptables-custom-insert.sh):
Code:
iptables -I pgl_in -p icmp --icmp-type 8 -j DROP    # echo-request
iptables -I pgl_in -p icmp --icmp-type 0 -j DROP    # echo-reply
iptables -I pgl_in -p icmp --icmp-type 11 -j DROP   # time-exceeded
I would like to know if it really works as claimed on that web page, and how to implement it for MoBlock (do I need to specify the address as in the original form)?
thank you,
kind regards,
M.
Re: General MoBlock thread
Hi, I'm sticking with Mobloquer on my 12.04 install because of the HTTP & HTTPS exception options. Do you think you could add a GUI option to PGL for adding exceptions like Mobloquer had? I know you can edit the config file, but it seems like a downgrade from Mobloquer, and I haven't tested PGL on my main computer as I'm afraid it will block various access like torrents and HTTP.
Re: General MoBlock thread
You already can do that, just make sure you have pglgui installed.
Re: General MoBlock thread
As Gavin77 already said.
Besides that:
Quote:
Originally Posted by
PD808
as I'm afraid it will block various access like torrents and http.
Err, if you want to whitelist torrent ports, you really should re-think why you want to install pgl. Whitelisting torrent ports just contradicts the purpose of pgl. If you have problems connecting to trackers, you should rather whitelist trusted tracker IPs or use fewer blocklists.
Re: General MoBlock thread
Sorry for the long delay.
Quote:
Originally Posted by
masuch
Could you please let me know where to increase this buffer ?
I last heard about this issue several years ago. So it's already in the TODO.
Anyway, add this to your system's config (you may add it to /etc/pgl/insert.sh if you don't know a better file):
Code:
sysctl -w net.core.rmem_default=8388608
sysctl -w net.core.wmem_default=8388608
Re: General MoBlock thread
Quote:
Originally Posted by
masuch
Hi,
I have come across a nice idea to block ICMP from the internet but allow it from the intranet:
http://serverfault.com/questions/849...not-block-icmp
so I changed it to (in /etc/pgl/iptables-custom-insert.sh):
Code:
iptables -I pgl_in -p icmp --icmp-type 8 -j DROP    # echo-request
iptables -I pgl_in -p icmp --icmp-type 0 -j DROP    # echo-reply
iptables -I pgl_in -p icmp --icmp-type 11 -j DROP   # time-exceeded
I would like to know if it really works as claimed on that web page, and how to implement it for MoBlock (do I need to specify the address as in the original form)?
If you want ICMP to be checked by moblock/pgl, you don't need to change anything. Every ICMP packet from an IP listed in your blocklists will be dropped (like every other packet from bad IPs). Because of pgl's automatic LAN whitelisting feature, intranet ICMP packets will not be checked by pgl. I think this is what you want.
If you want to block all ICMP packets (regardless of whether their origin is listed in the blocklists), then your approach seems to be correct. It doesn't matter whether you place these DROP rules in pgl_in or INPUT; both work because this is independent of pgl.
I don't know these ICMP types, so I can only say: with your rules, all ICMP packets of type 8, 0 or 11 coming to your computer get dropped. To exempt intranet packets you may make use of pgl's automatic LAN whitelisting by changing the insert command in your rules to e.g. "insert in fourth place" (i.e. after the LAN whitelisting rules). Tell me if you want to go this way (I doubt it) and need help.
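As an added example (not code from the thread or from the pgl project), here is one way to write the intranet exemption that jre describes without depending on the position of pgl's LAN whitelisting rules: each DROP rule carries "! -s LAN_NET", so it only matches ICMP from outside the LAN wherever it lands in pgl_in. LAN_NET (192.168.0.0/24), the pgl_in chain name and the script layout are assumptions; set IPTABLES=echo to print the rules instead of applying them. Types 8, 0 and 11 are echo-request, echo-reply and time-exceeded; type 3 (destination-unreachable) is deliberately not touched, because dropping it breaks path MTU discovery.

```shell
#!/bin/sh
# Added example body for /etc/pgl/iptables-custom-insert.sh (assumed layout):
# drop ICMP echo-request (8), echo-reply (0) and time-exceeded (11) from
# everywhere except the LAN. Not part of the thread or the pgl project.
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # assumed intranet range, adjust to yours
IPTABLES="${IPTABLES:-iptables}"       # IPTABLES=echo for a dry run
ICMP_TYPES="8 0 11"                    # echo-request, echo-reply, time-exceeded

# Emit one iptables rule per ICMP type. "! -s $lan" exempts intranet sources,
# so the rule is correct no matter where in pgl_in it is inserted.
icmp_drop_rules() {
    lan="$1"
    for t in $ICMP_TYPES; do
        printf '%s\n' "-I pgl_in -p icmp --icmp-type $t ! -s $lan -j DROP"
    done
}

# Apply every emitted rule with $IPTABLES (needs root unless IPTABLES=echo).
apply_icmp_drop_rules() {
    icmp_drop_rules "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPTABLES $rule
    done
}

# Number of rules that would be applied, for a quick sanity check.
count_icmp_drop_rules() {
    icmp_drop_rules "$1" | wc -l | tr -d ' '
}

# Apply only when run as the insert script itself, not when sourced for tests.
case "$0" in
    *iptables-custom-insert.sh) apply_icmp_drop_rules "$LAN_NET" ;;
esac
```

Two caveats a practitioner would want: dropping inbound type 0 means replies to pings you send from this host never arrive, and dropping type 11 breaks traceroute run from the host. If that matters, drop only type 8 from outside the LAN and keep the other two.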
Re: General MoBlock thread
Thanks jre / Gavin77, I installed pgl over Mobloquer and it's working great, and it brought over my settings from Mobloquer. Torrents are working. (No, I didn't whitelist my torrent ports.) One thing though: now I have duplicate blocklists, is there any way to fix that? EDIT: never mind, there's a delete button.
Re: General MoBlock thread
So I have implemented the changes recommended in http://ubuntuforums.org/showpost.php...&postcount=619 and they seem to be working. Although now I only seem to be filtering UDP BitTorrent traffic. I think, however, that this is a problem with ipp2p and not pgl.
I'm running pgl on my firewall/gateway box, and right now all my BitTorrent connections are being filtered in the FORWARD chain because my IP range 192.168.0.0/24 is somewhere in the list. I really would only like it to check the external destination in this case and whitelist my local LAN IPs in the FORWARD chain. The allow.p2p file is for in/out and not forward.
Sean
Re: General MoBlock thread
Use "pglcmd search 192.168.0.0" to identify the blocklist and the line that cause the blocking. Maybe you have to experiment a bit with the search pattern (it's used with grep -Ei "$SEARCHPATTERN" "$BLOCKLIST").
I think all other ways of whitelisting the LAN for FORWARD can't work, so it is good that you use allow.p2p and not something for FORWARD.
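As an added example (not code from the thread or from pgl), here is why jre suggests experimenting with the search pattern, and a way around it: "pglcmd search" greps for the literal text, so a p2p-format entry such as 192.0.0.0-192.255.255.255 covers 192.168.0.0/24 without ever containing the string "192.168.0.0". The script below compares ranges numerically instead. The blocklist embedded in it is a constructed sample; the p2p line format (description:start-end) is real, but BLOCKLIST as an environment variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread or the pgl project: list every
# p2p-format blocklist entry whose range contains a given IPv4 address,
# by numeric comparison rather than a literal grep.
# Constructed sample blocklist; set BLOCKLIST=/path/to/list to search a real file.
SAMPLE_BLOCKLIST='# constructed sample in p2p format: description:start-end
Some bad range:10.20.30.0-10.20.30.255
Overly broad entry:192.0.0.0-192.255.255.255
Documentation net:203.0.113.0-203.0.113.255'

# Dotted quad -> 32-bit integer, so ranges can be compared with -ge/-le.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print every non-comment line whose start-end range contains the IP in $1.
# Reads $BLOCKLIST if set (assumed variable), otherwise the embedded sample.
blocklist_lines_containing() {
    ip=$(ip2int "$1")
    if [ -n "${BLOCKLIST:-}" ]; then
        cat "$BLOCKLIST"
    else
        printf '%s\n' "$SAMPLE_BLOCKLIST"
    fi | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        range=${line##*:}            # text after the last ':' is "start-end"
        start=$(ip2int "${range%-*}")
        end=$(ip2int "${range#*-}")
        if [ "$ip" -ge "$start" ] && [ "$ip" -le "$end" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Usage: ./script.sh 192.168.0.5   (or BLOCKLIST=/var/lib/pgl/somelist ./script.sh 192.168.0.5)
if [ $# -gt 0 ]; then
    blocklist_lines_containing "$1"
fi
```

Once the offending entry is known, the fix stays exactly where jre puts it: remove or override that entry (allow.p2p), rather than trying to whitelist the LAN in FORWARD.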