
Thread: General MoBlock thread

  1. #621
    Join Date
    May 2008
    Location
    /dev/null
    Beans
    216
    Distro
    Ubuntu

    Question Re: General MoBlock thread

    Hi,

    I have come across an error message in /var/log/pgl/pgld.log:
    Code:
    ERROR: Unbinding from queue '23552', recv returned No buffer space available
    using version 2.2.1

    I have read something about it on this forum in post #131
    and
    http://www.vyatta.org/forum/viewtopi...43bca4c26909b7

    but did not understand much.

    Could you please let me know where to increase this buffer ?
    Is it possible to do it without changing source code ?

    thank you,
    kind regards,
    M.

  2. #622
    Join Date
    May 2008
    Location
    /dev/null
    Beans
    216
    Distro
    Ubuntu

    Question Re: General MoBlock thread

    Hi,

    I have come across a nice idea to block ICMP from internet but allow it from intranet:
    http://serverfault.com/questions/849...not-block-icmp

    Copy/Paste from the web site:
    # --- I allow ICMP traffic from local intranet, block it from Internet.
    # --- That way my server is all but invisible online (it responds only on a non standard SSH port).
    iptables -I INPUT 7 -d 208.180.X.X -p icmp --icmp-type 8 -j DROP
    iptables -I INPUT 8 -d 208.180.X.X -p icmp --icmp-type 0 -j DROP
    iptables -I INPUT 9 -d 208.180.X.X -p icmp --icmp-type 11 -j DROP
    # --- This inserts it after the standard loopback, established, LAN whitelist, VOIP provider whitelist, and SSH port ACCEPTs. I allow the traffic I want, and then do my best to keep the server invisible to the rest of the world.
    so I changed it to (in /etc/pgl/iptables-custom-insert.sh):
    Code:
    iptables -I pgl_in -p icmp --icmp-type 8 -j DROP
    iptables -I pgl_in -p icmp --icmp-type 0 -j DROP
    iptables -I pgl_in -p icmp --icmp-type 11 -j DROP
    I would like to know if it is really working as it has been said on that web page and how to implement it for MoBlock (do I need to specify address as it is in original form) ?

    thank you,
    kind regards,
    M.

  3. #623
    Join Date
    Jul 2011
    Beans
    6

    Re: General MoBlock thread

    Hi, I'm sticking with Mobloquer on my 12.04 install because of the HTTP & HTTPS exception options, do you think you could add a GUI option to PGL of adding exceptions like Mobloquer had? I know you can edit the config file but it seems like a downgrade from Mobloquer and I haven't tested out PGL on my main computer as I'm afraid it will block various access like torrents and http.

  4. #624
    Join Date
    Dec 2006
    Beans
    163
    Distro
    Kubuntu Development Release

    Re: General MoBlock thread

    You already can do that, just make sure you have pglgui installed.

  5. #625
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    As Gavin77 already said.

    Besides that:
    Quote Originally Posted by PD808 View Post
    as I'm afraid it will block various access like torrents and http.
    Err, if you want to whitelist torrent ports, you really should re-think why you want to install pgl. Whitelisting torrent ports just contradicts the purpose of pgl. If you have problems connecting to trackers you should better whitelist trusted tracker IPs or use less blocklists.
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.

  6. #626
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    Sorry for the long delay.

    Quote Originally Posted by masuch View Post
    Could you please let me know where to increase this buffer ?
    I last heard about this issue several years ago. So it's already in the TODO.
    Anyway, add this to your system's config (you may add it to /etc/pgl/insert.sh if you don't know a better file)
    Code:
    sysctl -w net.core.rmem_default=8388608
    sysctl -w net.core.wmem_default=8388608

  7. #627
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    Quote Originally Posted by masuch View Post
    Hi,

    I have come across a nice idea to block ICMP from internet but allow it from intranet:
    http://serverfault.com/questions/849...not-block-icmp



    so I changed it to (in /etc/pgl/iptables-custom-insert.sh):
    Code:
    iptables -I pgl_in -p icmp --icmp-type 8 -j DROP
    iptables -I pgl_in -p icmp --icmp-type 0 -j DROP
    iptables -I pgl_in -p icmp --icmp-type 11 -j DROP
    I would like to know if it is really working as it has been said on that web page and how to implement it for MoBlock (do I need to specify address as it is in original form) ?
    If you want ICMP to be checked by moblock/pgl you don't need to change anything. Every ICMP packet from an IP listed in your blocklists will be dropped (like every other packet from bad IPs). Because of the automatic LAN whitelisting feature of pgl intranet ICMP packets will not be checked by pgl. I think this is what you want.

    If you want to block all ICMP packets (independent of whether their origin is listed in the blocklists) then your approach seems to be correct. It doesn't matter whether you place these DROP rules in pgl_in or INPUT, both work because this stuff is independent from pgl.
    I don't know these icmp types, so I just can say: with your rules all ICMP packets of type 8, 0 or 11 coming to your computer get dropped. To exempt intranet packets you may make use of pgl's automatic LAN whitelisting by changing the insert command in your rules to e.g. "insert on fourth place" (--> after the LAN whitelisting rules). Tell me if you want to go this way (I doubt so) and need help.

  8. #628
    Join Date
    Jul 2011
    Beans
    6

    Re: General MoBlock thread

    Thanks jre / Gavin77, I installed pgl over mobloquer and it's working great, and it brought over my settings from mobloquer. Torrents are working. (No, I didn't whitelist my torrent ports) One thing is though now I have duplicate blocklists, any way to fix that? EDIT: nevermind there's a delete button.
    Last edited by PD808; July 20th, 2012 at 01:38 AM.

  9. #629
    Join Date
    Oct 2009
    Beans
    5

    Re: General MoBlock thread

    So I have implemented the changes recommended http://ubuntuforums.org/showpost.php...&postcount=619 and they seem to be working. Although now I only seem to be filtering UDP bittorrent traffic. I think however this is a problem with ipp2p and not pgl.

    I'm running pgl on my firewall/gateway box and right now all my bittorrent connections are being filtered in the forward chain because my ip range 192.168.0.0/24 is somewhere in the list. I really would only like it to check the external destination in this case and whitelist my local lan IPs in the forward chain. The allow.p2p file is for in/out and not forward.

    Sean

  10. #630
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    Use "pglcmd search 192.168.0.0" to identify the blocklist and the line that cause the blocking. Maybe you have to experiment a bit with the search pattern (it's used with grep -Ei "$SEARCHPATTERN" "$BLOCKLIST").

    I think all other ways of whitelisting the LAN for FORWARD can't work. So it is good that you use allow.p2p not for FORWARD.
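
An added example, not part of the post above and not pgl's own code: because the search in #630 is a textual grep, it can miss a range that covers the LAN address without containing it as a string. The sketch below compares numerically instead; it assumes the blocklist is in the plaintext P2P format `description:start_ip-end_ip`, and the function names and sample entries are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find blocklist ranges that numerically contain an address.
# Assumption: plaintext P2P format, one "description:start_ip-end_ip" per line.

# Constructed sample blocklist (not content of any real list).
sample_blocklist() {
cat <<'EOF'
# constructed sample entries
Example bogon range:192.168.0.0-192.168.255.255
Example org A:10.20.0.0-10.20.255.255
Example wide range:192.0.0.0-192.255.255.255
Example: with colon in name:203.0.113.0-203.0.113.255
EOF
}

# find_covering_ranges IP   (blocklist is read from stdin)
# Prints "lineno:line" for every range that contains IP.
find_covering_ranges() {
    awk -v ip="$1" '
        # Dotted quad to integer; returns -1 if there are not four octets.
        function ip2int(s,   o) {
            if (split(s, o, ".") != 4) return -1
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { target = ip2int(ip); if (target < 0) exit 2 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            # The description may itself contain ":", so the range is
            # whatever follows the last colon on the line.
            range = $0; sub(/^.*:/, "", range)
            if (split(range, r, "-") != 2) next  # not a start-end pair
            lo = ip2int(r[1]); hi = ip2int(r[2])
            if (lo < 0 || hi < 0) next
            if (lo <= target && target <= hi) print NR ":" $0
        }
    '
}

# Stand-alone demo: 192.168.0.10 is covered by two entries, one of which
# does not contain "192.168" anywhere in its text.
sample_blocklist | find_covering_ranges 192.168.0.10
```

Pipe the blocklist that is doing the blocking into `find_covering_ranges` together with a LAN address to get the offending line numbers.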
