Moblock (peerguardian linux alternative)

[quixotic-cynic]

I'm _not_ quite sure i understand how you mean, ...

Ok, that is not reassuring for me considering you wrote such a useful thread - I really did think I understood this somewhat... now I am worried my question may not even make sense??!?

...but in either case moblock is not a firewall.

Understood.

Of course you're gonna have a hole in your protection, just as any really functional wall acctually has a door (port)...

I understand that you need ports open for any net-facing program to work. What concerns me it that by allowing connections from the local computer to port 80 or 443 on another computer then you actually have an issue with your moblock protection (not in a firewall sense). AFAIK you dont *need* a hole in you moblock protection, unlike with a firewall - you just have to put up with a few blocked sites (which is a bit of a pain).

If you then set your p2p client to port 80 that is still for incoming connections, so in essence your examaple has no effect in reality.

In one of my previous posts I wrote when you have WHITE_TCP_OUT="http https" then if I understand correctly outbound connections on port 80 are possible. I have not been talking about incomming connections at all. I am sorry if I am unable to write with a sufficient degree of clarity, I am doing my best.

Maybe you should read up on iptables, and in particular the different "states" a connection can have.

You are probably correct - it is a good suggestion. As far as I know, with TCP in general, you can have 'open connection' packets with RST header bits to open a connection and ACK header bits in all other TCP packets. Packets can be sent outbound or inbound. So, WHITE_TCP_OUT="80" would allow open connection packets out, and normal packets out and in on the same connection, but would not allow open connection requests from outside. My questions above are directed from this particular understanding so if it is wrong my question could be mis-directed, and if right then vice versa.

I will do some more iptables reading since I am used to routers, kerio and kaspersy...

--QC

[pelle.k]

Oh, don't worry if I don't get what you mean. After all, english isn't my first language...
So, can i take a guess at what you mean is that;
You are worried that traffic from, say a BT download, could sneak through by answering another peer at port 80?

I guess that is unlikely, but not impossible. The rules moblock create are just a default set, and you are encouraged to adjust them to your liking. In fact, moblock states it is a utility for advanced users in the first place.

I guess you could adjust the rules inserted by moblock to whitelist_out port 80, but _not_ if "sport" is in a range used internally by your BT client (or whatever software we speak about...)
See? It's all in the rules inserted by moblock, primarily.

[quixotic-cynic]

Yes, that was what I was going on about ^_^

It sound like it's possible to do more stuff than I thought with the config file so I will mess around with it a bit and see what I can do.

Thanks for the useful reply.

--QC

[pt123]

[removed redundant section]

cat merged.p2b.p2p yourblockfile.txt > merged.p2b.p2p.tmp
mv merged.p2b.p2p.tmp merged.p2b.p2p

Credit to pelle.k for his "What about filtering out some stuff i wan't to connect to?" that gave me the idea.

Thanks I will try this.

[jre]

I guess you could adjust the rules inserted by moblock to whitelist_out port 80, but _not_ if "sport" is in a range used internally by your BT client (or whatever software we speak about...)
See? It's all in the rules inserted by moblock, primarily.

sport? did you mean dport!?

Anyway, if anybody has an practical way of doing this, then please post it! Personally I don't know a way how to use iptables rules on an application basis. The cleanest solution would be to only whitelist TCP out on port 80 for e.g. the webbrowser.
But anyway, I will change the default to no whitelisting. Sorry for all the users who will come here and ask why they can't surf or who will even not use moblock at all.

greets
jre

[sloter]

Hello,

Yes it could be excellent. I am currently reading some interesting netfilter documentation that may help
http://www.netfilter.org/documentati...entation-howto

sloter

[quixotic-cynic]

Reply CCd from here.

Thanks for taking the point seriously jre.

Changing the default may be excessive (perhaps?) since, as you say, some people may just give up etc. It is up to you as to what you choose to do about it.

An alternative could be to make people aware of the issue - and then they could choose whether it is an acceptable 'risk' or not.

If you do choose to change the default (or even if you dont) I will try to lurk around the PG and Ubuntu forum pages to help newbies. I am fairly new to linux (a few weeks) so am looking for somewhere I can contribute. Since I am quite paranoid this may be a good place to start...
___
@sloter: thanks for the link, i'm sure it will be good reading.

[jre]

I put a preview repository at moblock-deb.sourceforge.net/preview/debian

So just get my gpg key (see this post) and add the following lines to your /etc/apt/sources.list:
Debian etch (stable):

Code:

deb http://moblock-deb.sourceforge.net/preview/debian etch main
deb-src http://moblock-deb.sourceforge.net/preview/debian etch main

Debian lenny (testing):

Code:

deb http://moblock-deb.sourceforge.net/preview/debian lenny main
deb-src http://moblock-deb.sourceforge.net/preview/debian lenny main

Debian sid (unstable):

Code:

deb http://moblock-deb.sourceforge.net/preview/debian sid main
deb-src http://moblock-deb.sourceforge.net/preview/debian sid main

Then you can easily install "moblock-nfq" (or "moblock-ipq")

Most important changes to the old debian packages from moblock-deb.sf.net:
moblock-control (see thread at forums.phoenixlabs.org, this implies many changes)
sloter's new man page
sloter's test function
NO port whitelisting (have a look at /etc/moblock/moblock.conf for this)

major TODOs:
Ubuntu packages (at least feisty and gutsy)
documentation updates

With these things done the repository will move to the old position (without the "preview" in the URL).

Feedback (including on which distribution you are) is very welcome!
You can have a look at the actual files at http://moblock-deb.svn.sourceforge.net/. Patches are always appreciated

Greets
jre

[pelle.k]

Anyway, if anybody has an practical way of doing this, then please post it! Personally I don't know a way how to use iptables rules on an application basis. The cleanest solution would be to only whitelist TCP out on port 80 for e.g. the webbrowser.
But anyway, I will change the default to no whitelisting. Sorry for all the users who will come here and ask why they can't surf or who will even not use moblock at all.

I hope you know how much we appreciate you work jre. My exmaple was just an idea, and i have not evaluated if this could be done at all _in reality_, because i have never felt the need to do this.
Either way, the point was only to show that moblock does the filtering; iptables does the traffic redirection

Let me point out that i am by no means an iptables guru.

Oh, and please do tell me when, and if, i need to update the howto to reflect any recent changes that will be more or less permanent from now on.

[jre]

Oh, and please do tell me when, and if, i need to update the howto to reflect any recent changes that will be more or less permanent from now on.

Most things that will be permanent are already in the preview repository.
With the updated documentation I think you can easily change the howto.
Also, with special ubuntu packages the howto whould get much shorter
If you want I can announce the change of the official repository let's say 2 days in advance here and at forums.phoenixlabs.org.

Greets!!
jre