Moblock (peerguardian linux alternative)

**clessing** · July 3rd, 2006

Originally Posted by haani

doesnt work firestarter says that it can't connect/start!! when i remove the text from /etc/firestarter/user-per than it works!! so i am thinkin that there is no way of workin moblock and firestarter together??

ok, you have to leave out the

Code:

if [ -f $PIDF  ]; then
        PID=`cat $PIDF`
        if [ `ps -p $PID|wc -l` -gt 1 ]; then
                echo "$0: $PIDF exists and processs seems to be running. Exiting."
                exit 1;
        fi;
fi;

I thought that's obvious.

I did what I never wanted: spending time on firestarter

Leaving out the lines above just works fine. The firestarter firewall is being build up and moblock starts blocking things. I tested it.

Here's the file user-pre for copy & paste:

Code:

#!/bin/sh
#
# MoBlock.sh - MoBlock start script
# ---------------------------------

ACTIVATE_CHAINS=1
WHITE_TCP_IN=""
WHITE_UDP_IN=""
WHITE_TCP_OUT="http https 1863"
WHITE_UDP_OUT=""
WHITE_TCP_FORWARD=""
WHITE_UDP_FORWARD=""


PIDF=/var/run/moblock.pid

FNAME=`basename $0 .sh`
MODE=`echo $FNAME|awk -F-  '{print $2}'`

if [ -f /usr/bin/moblock-ipq ]; then
	modprobe ip_queue
	TARGET="QUEUE"
elif [ -f /usr/bin/moblock-nfq ]; then
	modprobe ipt_NFQUEUE
	TARGET="NFQUEUE"
fi;

modprobe ipt_state

# Filter all traffic, edit for your needs

iptables -N MOBLOCK_IN
iptables -N MOBLOCK_OUT
iptables -N MOBLOCK_FW

if [ $ACTIVATE_CHAINS -eq 1 ]; then
	iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
	iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
	iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW	
fi;


iptables -I MOBLOCK_IN -p all -j $TARGET
#iptables -I MOBLOCK_IN -m state --state ESTABLISHED,RELATED -j ACCEPT 

iptables -I MOBLOCK_OUT -p all -j $TARGET
#iptables -I MOBLOCK_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT 

iptables -I MOBLOCK_FW -p all -j $TARGET
#iptables -I MOBLOCK_FW -m state --state ESTABLISHED,RELATED -j ACCEPT 

for PORT in $WHITE_TCP_OUT; do
	iptables -I MOBLOCK_OUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_OUT; do
	iptables -I MOBLOCK_OUT -p udp --dport $PORT -j ACCEPT
done

for PORT in $WHITE_TCP_IN; do
	iptables -I MOBLOCK_IN -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_IN; do
	iptables -I MOBLOCK_IN -p udp --dport $PORT -j ACCEPT
done

for PORT in $WHITE_TCP_FORWARD; do
	iptables -I MOBLOCK_FW -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_FORWARD; do
	iptables -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT
done


# Loopback traffic fix

iptables -I INPUT -p all -i lo -j ACCEPT
iptables -I OUTPUT -p all -o lo -j ACCEPT

There is just one problem left: AFAIK, if traffic is put into moblock's queue and moblock (or any other program that uses the same interface) decides that the package is accepted, it is accepted. Period. (Same as -j ACCEPT when using iptables, no possibility to use something similar to -j RETURN which enables the package to traverse the remaining rules of the firewall to be checked there, too)

So using what I posted above means putting moblock in front of firestarter, effectively leaving firestarter's rules unused because moblock is filtering everything.
You can only use firestarter to watch open connections

You can fix part of this problem by putting all stuff into the file user-post, leaving user-pre empty and by replacing

Code:

if [ $ACTIVATE_CHAINS -eq 1 ]; then
	iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
	iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
	iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW	
fi;

by

Code:

if [ $ACTIVATE_CHAINS -eq 1 ]; then
	iptables -A INPUT -p all -m state --state NEW -j MOBLOCK_IN
	iptables -A OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
	iptables -A FORWARD -p all -m state --state NEW -j MOBLOCK_FW	
fi;

But this only replaces the problem by another: now firestarter is in charge and if firestarter decides that a packages is to be accepted, it may do so without consulting moblock.

This is one of the reasons for which on sourceforge.net I categorized moblock as software for "advanced end users": you should know how to use iptables before you use moblock. You can do without as per default the package blocks things. But if you want to integrate it in another firewall you need to know, what is going on.

I you are brave and grok the iptables documentation you can insert the moblock chains into firestarter's rules at exactly the places that make sense in your individual case.

It may make sense to use

Code:

if [ $ACTIVATE_CHAINS -eq 1 ]; then

	iptables -A INBOUND -p all -m state --state NEW -j MOBLOCK_IN

	#where in output?
	OLINE=$((`iptables -L OUTBOUND|wc -l` - 2 ))
	iptables -R OUTBOUND $OLINE -p all -m state --state NEW -j MOBLOCK_OUT

	iptables -A FORWARD -p all -m state --state NEW -j MOBLOCK_FW	
fi;

in the file user-post.
But I cannot guarantee that it does what you want.

The moral of this story is: You are not secure if you don't know what your firewall does. Even if you do, you may be not secure, but it's better than the first case.

**jamesford** · July 3rd, 2006

are u still planning on a moblock/firehol combo thingy?

**smoove** · July 3rd, 2006

Originally Posted by smartalecks

you have to run it as the root user, so you would use sudo.

Code:

sudo gpg --keyserver subkeys.pgp.net --recv DEDA0559
sudo gpg --export --armor DEDA0559 | sudo apt-key add -

Still struggling with this lol:

gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: general error
gpg: keyserver receive failed: general error

**bigdon06** · July 4th, 2006

I've got a predicament. I would like to be running moblock and still be able to run all of my web based programs and games. It is inevitable that every time I update the list it puts ranges back in that I don't want. Is there a way to set up exemptions, kind of in the way of peer guardians permallow.p2b? It certainly gets old digging through the blocklist all of the time and removing the same stuff.

**clessing** · July 4th, 2006

Originally Posted by bigdon06

I would like to be running moblock and still be able to run all of my web based programs and games.

Moblock itself has no whitelisting functionality.

But if it's all about surfing I suggest that you

put WHITE_TCP_OUT="http https" into your moblock start script in /etc/moblock. But that's there by default so you shouldn't have a problem surfing.
Another possibility to whitelist ips is to put something like

iptables -I OUTPUT -d a.b.c.d -j ACCEPT
or
iptables -I OUTPUT -d a.b.c.0/24 -j ACCEPT

into your firewall (first example is a single ip, second example is a net with netmask)

**pelle.k** · July 9th, 2006

Hi. I just wanted to say i have no time to spare to make a complete moblock GUI, because i am currently working all day long, 6 days a week. Sorry about that. Hopefully someone else have the time to code a decent GUI before i have time to do so...

About whitelisting certain ips... You would only have to write a simple bash/python script to remove those ips/ranges, and execute it after a succesfull update of the blocklist.

**mikji** · July 10th, 2006

Hi folks,

I don't really post here that much (long time lurker), but I see you're looking for a moblock gui! Well, I've been working on one in gnome-python for the past few days, and it's about half done. I ran across this thread and thought I'd let you guys know about it so you don't duplicate work.

It'll have a dbus daemon, a notification applet and a preferences item. The first is mostly done, the second is trivial and I haven't gotten started on the last part.

I'll start a new thread when my sourceforge project is approved and I release something (a few days to a week).

Here are some screenshots; the first one is of the preference panel, and the second one is what you get when you click the notification icon.

**clessing** · July 10th, 2006

Originally Posted by mikji

Hi folks,

I don't really post here that much (long time lurker), but I see you're looking for a moblock gui! Well, I've been working on one in gnome-python for the past few days, and it's about half done. I ran across this thread and thought I'd let you guys know about it so you don't duplicate work.

Looks great. Please drop me a line when you're releasing it. I'd love to provide debian packages along with the moblock-deb stuff if you don't mind.

**jamesford** · July 10th, 2006

bah so it doesent work on 64 bit? i was planning to install 64 bit ubuntu tonight :/

is there and chance there will be a 64 bit version at some stage in the not too distant future ? or are there any alternative programs that does the same and works on 64 bit?

**clessing** · July 11th, 2006

Originally Posted by jamesford

is there and chance there will be a 64 bit version at some stage in the not too distant future ? or are there any alternative programs that does the same and works on 64 bit?

You should be able to compile moblock and build the package on 64bit. (have a look at "apt-get source", "apt-get build-dep" and "dpkg-buildpackage").

At the moment I can't afford the time to work on the package let alone setting up a cross-compiling environment to build 64bit packages.

However, chances are, that I will do this in September/October.

Thread: Moblock (peerguardian linux alternative)

Thread Tools

Display

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Re: Moblock (peerguardian linux alternative)

Bookmarks

Bookmarks

Posting Permissions