
Thread: Moblock (peerguardian linux alternative)

  1. #81

    Re: Moblock (peerguardian linux alternative)

    Quote Originally Posted by haani
    Doesn't work, firestarter says that it can't connect/start!! When I remove the text from /etc/firestarter/user-pre then it works!! So I am thinking that there is no way of working moblock and firestarter together??
    OK, you have to leave out the
    Code:
    # pidfile check: refuse to start a second moblock if one is already running
    if [ -f "$PIDF" ]; then
            PID=`cat "$PIDF"`
            # ps prints a header line plus one line per live process
            if [ `ps -p "$PID" | wc -l` -gt 1 ]; then
                    echo "$0: $PIDF exists and process seems to be running. Exiting."
                    exit 1
            fi
    fi
    I thought that was obvious.

    I did what I never wanted: spending time on firestarter. Leaving out the lines above just works fine. The firestarter firewall is being built up and moblock starts blocking things. I tested it.

    Here's the file user-pre for copy & paste:
    Code:
    #!/bin/sh
    #
    # MoBlock.sh - MoBlock start script
    # ---------------------------------

    ACTIVATE_CHAINS=1
    WHITE_TCP_IN=""
    WHITE_UDP_IN=""
    WHITE_TCP_OUT="http https 1863"
    WHITE_UDP_OUT=""
    WHITE_TCP_FORWARD=""
    WHITE_UDP_FORWARD=""

    PIDF=/var/run/moblock.pid

    FNAME=`basename "$0" .sh`
    MODE=`echo "$FNAME" | awk -F- '{print $2}'`

    # Pick the queueing target that matches the installed moblock binary
    if [ -f /usr/bin/moblock-ipq ]; then
        modprobe ip_queue
        TARGET="QUEUE"
    elif [ -f /usr/bin/moblock-nfq ]; then
        modprobe ipt_NFQUEUE
        TARGET="NFQUEUE"
    else
        echo "$0: neither /usr/bin/moblock-ipq nor /usr/bin/moblock-nfq found" >&2
        exit 1
    fi

    modprobe ipt_state

    # Filter all traffic, edit for your needs

    iptables -N MOBLOCK_IN
    iptables -N MOBLOCK_OUT
    iptables -N MOBLOCK_FW

    # Only NEW connections are handed to the MOBLOCK chains; -I puts these
    # jumps in front of whatever rules are already in INPUT/OUTPUT/FORWARD
    if [ "$ACTIVATE_CHAINS" -eq 1 ]; then
        iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
        iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
        iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
    fi

    # Everything that reaches a MOBLOCK chain is queued to moblock for a verdict
    iptables -I MOBLOCK_IN -p all -j "$TARGET"
    #iptables -I MOBLOCK_IN -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -I MOBLOCK_OUT -p all -j "$TARGET"
    #iptables -I MOBLOCK_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -I MOBLOCK_FW -p all -j "$TARGET"
    #iptables -I MOBLOCK_FW -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Whitelisted ports are inserted above the queue rule, so they bypass moblock
    for PORT in $WHITE_TCP_OUT; do
        iptables -I MOBLOCK_OUT -p tcp --dport "$PORT" -j ACCEPT
    done
    for PORT in $WHITE_UDP_OUT; do
        iptables -I MOBLOCK_OUT -p udp --dport "$PORT" -j ACCEPT
    done

    for PORT in $WHITE_TCP_IN; do
        iptables -I MOBLOCK_IN -p tcp --dport "$PORT" -j ACCEPT
    done
    for PORT in $WHITE_UDP_IN; do
        iptables -I MOBLOCK_IN -p udp --dport "$PORT" -j ACCEPT
    done

    for PORT in $WHITE_TCP_FORWARD; do
        iptables -I MOBLOCK_FW -p tcp --dport "$PORT" -j ACCEPT
    done
    for PORT in $WHITE_UDP_FORWARD; do
        iptables -I MOBLOCK_FW -p udp --dport "$PORT" -j ACCEPT
    done

    # Loopback traffic fix

    iptables -I INPUT -p all -i lo -j ACCEPT
    iptables -I OUTPUT -p all -o lo -j ACCEPT
    There is just one problem left: AFAIK, if traffic is put into moblock's queue and moblock (or any other program that uses the same interface) decides that the packet is accepted, it is accepted. Period. (Same as -j ACCEPT when using iptables; there is no possibility to use something similar to -j RETURN, which would let the packet traverse the remaining rules of the firewall to be checked there, too.)

    So using what I posted above means putting moblock in front of firestarter, effectively leaving firestarter's rules unused because moblock is filtering everything.
    You can only use firestarter to watch open connections.


    You can fix part of this problem by putting all stuff into the file user-post, leaving user-pre empty and by replacing
    Code:
    if [ "$ACTIVATE_CHAINS" -eq 1 ]; then
        iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
        iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
        iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
    fi
    by
    Code:
    if [ "$ACTIVATE_CHAINS" -eq 1 ]; then
        # -A appends, so the MOBLOCK jumps come after firestarter's own rules
        iptables -A INPUT -p all -m state --state NEW -j MOBLOCK_IN
        iptables -A OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
        iptables -A FORWARD -p all -m state --state NEW -j MOBLOCK_FW
    fi
    But this only replaces the problem by another: now firestarter is in charge, and if firestarter decides that a packet is to be accepted, it may do so without consulting moblock.


    This is one of the reasons for which on sourceforge.net I categorized moblock as software for "advanced end users": you should know how to use iptables before you use moblock. You can do without, as per default the package blocks things. But if you want to integrate it in another firewall you need to know what is going on.

    If you are brave and grok the iptables documentation you can insert the moblock chains into firestarter's rules at exactly the places that make sense in your individual case.

    It may make sense to use
    Code:
    if [ "$ACTIVATE_CHAINS" -eq 1 ]; then

        # firestarter's own input chain
        iptables -A INBOUND -p all -m state --state NEW -j MOBLOCK_IN

        # where in output?
        # `iptables -L` prints two header lines, so this is the number of
        # rules in OUTBOUND; -R then replaces the last rule of that chain
        OLINE=$((`iptables -L OUTBOUND | wc -l` - 2))
        iptables -R OUTBOUND "$OLINE" -p all -m state --state NEW -j MOBLOCK_OUT

        iptables -A FORWARD -p all -m state --state NEW -j MOBLOCK_FW
    fi
    in the file user-post.
    But I cannot guarantee that it does what you want.

    The moral of this story is: You are not secure if you don't know what your firewall does. Even if you do, you may not be secure, but it's better than the first case.
    Last edited by clessing; July 3rd, 2006 at 05:27 PM.

  2. #82

    Re: Moblock (peerguardian linux alternative)

    Are you still planning on a moblock/firehol combo thingy?
    hardy 64 bit

  3. #83

    Re: Moblock (peerguardian linux alternative)

    Quote Originally Posted by smartalecks
    you have to run it as the root user, so you would use sudo.

    Code:
    sudo gpg --keyserver subkeys.pgp.net --recv DEDA0559
    sudo gpg --export --armor DEDA0559 | sudo apt-key add -
    Still struggling with this lol:

    gpg: external program calls are disabled due to unsafe options file permissions
    gpg: keyserver communications error: general error
    gpg: keyserver receive failed: general error

  4. #84

    Re: Moblock (peerguardian linux alternative)

    I've got a predicament. I would like to be running moblock and still be able to run all of my web-based programs and games. It is inevitable that every time I update the list it puts ranges back in that I don't want. Is there a way to set up exemptions, kind of in the way of PeerGuardian's permallow.p2b? It certainly gets old digging through the blocklist all of the time and removing the same stuff.

  5. #85

    Re: Moblock (peerguardian linux alternative)

    Quote Originally Posted by bigdon06
    I would like to be running moblock and still be able to run all of my web based programs and games.
    Moblock itself has no whitelisting functionality.

    But if it's all about surfing I suggest that you

    put WHITE_TCP_OUT="http https" into your moblock start script in /etc/moblock. But that's there by default, so you shouldn't have a problem surfing.
    Another possibility to whitelist IPs is to put something like

    iptables -I OUTPUT -d a.b.c.d -j ACCEPT
    or
    iptables -I OUTPUT -d a.b.c.0/24 -j ACCEPT

    into your firewall (the first example is a single IP, the second example is a net with netmask).

  6. #86

    Re: Moblock (peerguardian linux alternative)

    Hi. I just wanted to say I have no time to spare to make a complete moblock GUI, because I am currently working all day long, 6 days a week. Sorry about that. Hopefully someone else has the time to code a decent GUI before I have time to do so...

    About whitelisting certain IPs... You would only have to write a simple bash/python script to remove those IPs/ranges, and execute it after a successful update of the blocklist.
    Last edited by pelle.k; July 9th, 2006 at 06:44 PM.
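The post-update whitelist script suggested in #86, for the exemption problem raised in #84 and #85, as an added example that is not code from the thread or from the MoBlock project. It assumes the blocklist and the whitelist are both PeerGuardian-style plaintext p2p lines of the form "description:first_ip-last_ip" (the plaintext counterpart of permallow.p2b); the sample data is constructed.

```python
import ipaddress

# Constructed sample data, not real blocklist contents: PeerGuardian-style
# plaintext p2p lines, "description:first_ip-last_ip" (format assumed here).
BLOCKLIST = "Some org:192.0.2.0-192.0.2.255\nOther org:198.51.100.10-198.51.100.20\n"
WHITELIST = "my game server:192.0.2.40-192.0.2.47\nmy tracker:198.51.100.0-198.51.100.255\n"

def parse_p2p(text):
    """Return (description, first, last) tuples with addresses as integers."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        desc, _, span = line.rpartition(":")  # description may itself contain ':'
        first, _, last = span.partition("-")
        a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if a > b:
            raise ValueError(f"inverted range: {line}")
        ranges.append((desc, a, b))
    return ranges

def subtract(block, allow):
    """Cut every allowed range out of every blocked range; a blocked range that
    straddles an allowed one is split into the pieces on either side."""
    out = []
    for desc, a, b in block:
        pieces = [(a, b)]
        for _, wa, wb in allow:
            nxt = []
            for pa, pb in pieces:
                if wb < pa or wa > pb:        # disjoint: keep the piece whole
                    nxt.append((pa, pb))
                    continue
                if pa < wa:                   # part before the allowed hole
                    nxt.append((pa, wa - 1))
                if pb > wb:                   # part after the allowed hole
                    nxt.append((wb + 1, pb))
            pieces = nxt
        out.extend((desc, pa, pb) for pa, pb in pieces)
    return out

def to_p2p(ranges):
    return "\n".join(f"{d}:{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}"
                     for d, a, b in ranges)

def filtered_blocklist(blocklist=BLOCKLIST, whitelist=WHITELIST):
    # This string is what a post-update hook would write back over the list file.
    return to_p2p(subtract(parse_p2p(blocklist), parse_p2p(whitelist)))
```

Run it after each blocklist update, before moblock reloads the list; a whitelisted range that sits inside a blocked one splits it into two, and a blocked range fully covered by the whitelist disappears.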

  7. #87

    Re: Moblock (peerguardian linux alternative)

    Hi folks,

    I don't really post here that much (long time lurker), but I see you're looking for a moblock gui! Well, I've been working on one in gnome-python for the past few days, and it's about half done. I ran across this thread and thought I'd let you guys know about it so you don't duplicate work.

    It'll have a dbus daemon, a notification applet and a preferences item. The first is mostly done, the second is trivial and I haven't gotten started on the last part.

    I'll start a new thread when my sourceforge project is approved and I release something (a few days to a week).

    Here are some screenshots; the first one is of the preference panel, and the second one is what you get when you click the notification icon.
    Attached thumbnails: Screenshot-P2P Blocklists Preferences.png, Screenshot-P2P Blocklists Status.png

  8. #88

    Re: Moblock (peerguardian linux alternative)

    Quote Originally Posted by mikji
    Hi folks,

    I don't really post here that much (long time lurker), but I see you're looking for a moblock gui! Well, I've been working on one in gnome-python for the past few days, and it's about half done. I ran across this thread and thought I'd let you guys know about it so you don't duplicate work.
    Looks great. Please drop me a line when you're releasing it. I'd love to provide debian packages along with the moblock-deb stuff if you don't mind.

  9. #89

    Re: Moblock (peerguardian linux alternative)

    Bah, so it doesn't work on 64 bit? I was planning to install 64 bit ubuntu tonight :/

    Is there any chance there will be a 64 bit version at some stage in the not too distant future? Or are there any alternative programs that do the same and work on 64 bit?
    hardy 64 bit

  10. #90

    Re: Moblock (peerguardian linux alternative)

    Quote Originally Posted by jamesford

    Is there any chance there will be a 64 bit version at some stage in the not too distant future? Or are there any alternative programs that do the same and work on 64 bit?
    You should be able to compile moblock and build the package on 64 bit (have a look at "apt-get source", "apt-get build-dep" and "dpkg-buildpackage").

    At the moment I can't afford the time to work on the package, let alone setting up a cross-compiling environment to build 64 bit packages.

    However, chances are that I will do this in September/October.
