
Thread: General MoBlock thread

  1. #1
    Join Date
    Jan 2007
    Beans
    772

    General MoBlock and PeerGuardian Linux thread

    Hi all,

    this is the new general Moblock and PeerGuardian Linux (pgl) thread. pgl is replacing MoBlock/blockcontrol/mobloquer:
    pgld replaced moblock
    pglcmd replaced blockcontrol (previously moblock-control)
    pglgui replaced mobloquer

    PeerGuardian is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge blocklists (thousands or millions of IP ranges). Its origins lie in targeting aggressive IPs while you use P2P.
    Hint for all the people doing support here: This is often the reason for "network problems" - I do my best to make users aware of this fact.

    pglcmd provides easy ways to interact with pgld and does all common related tasks.

    pgl-gui is a GUI on top of pglcmd.

    You can get Debian packages from http://moblock-deb.sourceforge.net. For Ubuntu use my PPA http://launchpad.net/~jre-phoenix/+archive/ppa, for experimental packages use https://launchpad.net/~jre-phoenix/+...l-experimental additionally. I'm the maintainer of these sites.

    There's a HOWTO on https://help.ubuntu.com/community/MoBlock

    I do my support in this and all other ubuntuforums.org threads that contain the keyword "pgl". You will also find me at the PeerGuardian project's homepage at sourceforge.net.

    jre

    News

    2012-06-25: Please welcome "PeerGuardian Linux 2.2.1"!
    This version adds the last feature only present in mobloquer, but not in
    pglgui: "whois information about blocked IPs".

    Since I also fixed or worked around all issues with older Debian and
    Ubuntu versions I added transitional packages for the old
    moblock/blockcontrol/mobloquer packages. This means the Debian/Ubuntu
    world now moves to pgl automatically. (Except the 2008 Ubuntu Long Term
    Release Hardy which I think is ok to be left behind forever ;P )

    Goodbye phoenixlabs
    phoenixlabs.org is no more active. All support and development is now done at http://peerguardian.sourceforge.net, or here


    2011-08-12: PeerGuardian Linux 2.1.0 - The GUI release!
    Today we proudly present to you: pgl 2.1.0, including the long-anticipated pgl-gui. Try it, test it, report back. If you don't tell us otherwise the days of moblock, blockcontrol and mobloquer will soon be over.

    2010-05-18: PeerGuardian Linux 2.0.0 released!
    PeerGuardian Linux is based on nfblock/moblock and blockcontrol. Users of these applications will find many improvements and bug fixes. Unfortunately we have no GUI ready, yet. Developers are very welcome. Just look at the code, make your changes and contact me.
    moblock/blockcontrol/mobloquer packages are still available for those who need a GUI. Remember that these applications aren't developed any more and their packages will only get really important updates. NFBlock was removed from the repository.

    2009-11-12: New project PeerGuardian Linux
    There's a new project: PeerGuardian Linux (pgl), located at the project of the original PeerGuardian. The new project combines and succeeds all projects that had packages here. There's the daemon pgld (based on NFBlock, which was based on MoBlock), pglcmd (based on blockcontrol, previously moblock-control) and pgl-gui (by the author of mobloquer).
    All authors of the old applications and new authors work on this new project. So the old projects are dead now. Contributors and testers are welcome! This is an open project. Check the source in the git repository: git://peerguardian.git.sourceforge.net/gitroot/peerguardian/peerguardian
    (At least for the beginning) I'll continue to offer Debian packages here (until the first pgl release the old moblock, blockcontrol, nfblock and mobloquer packages), and then later pgl packages. Stay tuned.

    2009-08-21: new gpg key for moblock-deb
    I've got a new key (58712F29) for the repository at moblock-deb.sf.net. My old key expired. So if you are using the moblock-deb repository you have to add my new key to the system:
    Code:
    gpg --keyserver wwwkeys.eu.pgp.net --recv 58712F29
    gpg --export --armor 58712F29 | sudo apt-key add -
    If you are using the launchpad PPA (as most people will do) you do not have to do anything.

    2009-04-23: added jaunty, removed gutsy support
    jaunty is now supported via a ppa at launchpad. See the wiki or moblock-deb.sourceforge.net for the sources.list entry and the new gpg key.


    2009-03-22: moblock-control renamed to blockcontrol
    • Full support for Moblock and NFBlock.
    • New option "search": Examine your selected blocklists by searching the single blocklists for keywords.
    • All user configuration is now done in /etc/blockcontrol/blockcontrol.conf. Not any more in /etc/default/...



    2009-01-11: Current development status
    MoBlock: The last official release was in 2006, and a new one is still planned. The MoBlock upstream author is still active. The version in the packages is 0.9RC2 from February 2008 and since then I've applied some useful patches that I got.

    moblock-control: I'm still active. Of course help, patches, reports and suggestions are always welcome.

    mobloquer (GUI): The author is currently inactive, due to real life time restrictions. Unfortunately, he has not found a new developer yet. The last stable release 0.5 is packaged at moblock-deb.sourceforge.net, but I will soon update it to the SVN version and add some own patches.

    Alternatives:
    NFBlockD (daemon): actively developed. Works together with moblock-control. I intend to package this app, too.

    IPList (daemon and GUI): actively developed, repository is available.

    2009-01-09: moblock-control 1.2 released

    • New handling of blocklists:
      • php redirects are supported now. This allows to use the lists from iblocklist.com. All lists are downloaded from there per default now.
      • Since moblock-control 1.1 the default blocklists are by "The Blocklist Group" (tbg.iblocklist.com) instead of Bluetack (bluetack.co.uk).
      • The single blocklists are saved in new places now (but still under /var/spool/moblock/).
      • The master blocklist (e.g. guarding.p2p) is now saved in /var/lib/moblock/ instead of /etc/moblock/.
      • Several changes to make sure that the master blocklist exists and reflects the configuration. All changes are always applied on "start" now.
      • The (Debian) installation only requires the blocklists (and therefore network access) to be available, if the automatic start (init) is configured.
    • Per default allow.p2p is not used for forwarded traffic.
    • Dropped support for Ubuntu Feisty, as this is no more supported by Ubuntu since October 19th, 2008.


    2008-09-27:
    Currently there are some issues with the blocklist updates. Thanks lovinglinux, for notifying us!
    Per default you all use the blocklists by bluetack. Now, according to this thread most of the people who were in charge of these blocklists quit bluetack and started their own project: TBG (The Blocklist Group). So (according to the mentioned thread) the old blocklists from bluetack lack the old level of maintenance.
    Further, perhaps fully unrelated to all this, the download of the bluetack lists currently frequently fails.

    For people not having problems: Do nothing, be happy, don't make unnecessary blocklist downloads.

    For all people having update problems: MoBlock will refuse to start if not all configured blocklists are available. So your problem is the download of the blocklists, but not a problem of your installation. So do NOT purge moblock-control - this will remove all downloaded blocklists, even those that were already downloaded successfully - so purging will make your problems bigger.

    What you can do now:
    Check what blocklists fail to download in /var/log/moblock-control.

    If you want to use that blocklist try a "moblock-control update" or download it manually. Then place the blocklist in /var/spool/moblock/used. (e.g. "sudo cp level1.gz /var/spool/moblock/used")

    If you don't want to use that blocklist just run "sudo dpkg-reconfigure moblock-control" and deselect the blocklist in question. For the other questions that you will be asked - just keep everything as it is. Then do a "moblock-control update".

    If you want to use blocklists by TBG just add them to /etc/moblock/blocklists.list and do a "moblock-control update".

    What I will do: I'll prepare an update which uses the new lists by TBG per default (this will only work on new installs). On updates from the current installations I'll notify the user of the current situation.

    2008-09-26:
    • "moblock-control" is a separate package now. So install "moblock" and "moblock-control" to have the functionality of the old "moblock" package. This will happen automatically on a normal update with your package manager.
    • The custom iptables scripts /etc/moblock/iptables-custom-insert.sh and /etc/moblock/iptables-custom-remove.sh now are executed for IPTABLES_SETTINGS="1", too. This happens after moblock-control's iptables commands. Use these scripts e.g. for additional sophisticated whitelisting rules. Some examples are given in these files.
      Thanks, anonymous, for the hints about iptables owner module and IPv6.


    2008-05-22:
    I created this thread so that pelle.[Chuc]k[Norris] can close his thread. pelle started the very successful HOWTO here at ubuntuforums but doesn't find enough time to maintain it any more ... Thanks!



    How to make sure that MoBlock is integrated correctly with any other firewall

    Check your iptables rules with blockcontrol status:
    Code:
    Current iptables rules (this may take awhile):
    
    Chain INPUT (policy ACCEPT 147K packets, 185M bytes)
     pkts bytes target     prot opt in     out     source               destination         
       93  9633 blockcontrol_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW mark match !0x14 
        [iptables rules of firewall applications may follow here]
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 blockcontrol_fw  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW mark match !0x14 
        [iptables rules of firewall applications may follow here]
    
    Chain OUTPUT (policy ACCEPT 110K packets, 17M bytes)
     pkts bytes target     prot opt in     out     source               destination         
      975 61829 blockcontrol_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW mark match !0x14 
        [iptables rules of firewall applications may follow here]
    
    Chain blockcontrol_fw (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        [iptables rules for whitelisting forwarded packets are placed here]
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa 
        0     0 RETURN     all  --  *      *       192.168.178.0/24     192.168.178.0/24    
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    
    Chain blockcontrol_in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        [iptables rules for whitelisting incoming packets are placed here]
    
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa 
       85  8617 RETURN     all  --  *      *       192.168.178.0/24     0.0.0.0/0           
        6   360 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        2   656 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    
    Chain blockcontrol_out (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        [iptables rules for whitelisting outgoing packets are placed here]
       63  2576 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa reject-with icmp-port-unreachable 
      309 24277 RETURN     all  --  *      *       0.0.0.0/0            192.168.178.0/24    
        6   360 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
      352 21120 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
      177 10620 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
       64  2636 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    
    
    [Other chains are ok]
    Make sure that there are not any iptables rules in the chains INPUT/OUTPUT/FORWARD before the MoBlock rules (there are exceptions possible but I won't discuss them here). If this is not the case then do a blockcontrol restart.

    Traffic that reaches the target NFQUEUE will be checked by MoBlock. MoBlock then MARKs them: Allowed packets (IP is not in the blocklist) get the mark "20" (shown as 0x14 by iptables) and blocked packets (IP is in the blocklist) get the mark "10" (0xa).

    Marked packets repeat the hook function (NF_REPEAT). So they are sent back to
    the head of the iptables chain again and go through the rules again, but this time bearing the mark.

    The targets REJECT and DROP in the moblock_* chains decide what happens to "marked match" packets. So if MoBlock blocks a packet it will be REJECTed if it was outgoing traffic, and DROPped if it was input traffic.

    The lines with target RETURN in the moblock_* chains are optional. They cause that some traffic is not checked by MoBlock (aka allow and whitelisting traffic).
    In the example my LAN (192.168.178.0/24) and the loopback interface were whitelisted automatically. Further I allow outgoing traffic on port 80 (http) and 443 (https).

    If you are missing a rule, do a blockcontrol restart.
    Of course the numbers of packets and bytes do vary.

    Edits:
    2011-08-14: renamed to "General MoBlock and PeerGuardian Linux thread" etc.
    2008-05-22: added information about integration with other firewall applications
    2008-09-26: Updated.
    Last edited by jre; June 25th, 2012 at 02:43 PM.
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.
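
Added example (not part of the original posts and not pgl/blockcontrol code): a checker for the chain layout that post #1 describes under "How to make sure that MoBlock is integrated correctly with any other firewall", run over an `iptables -L -nv` style listing. The two sample listings are constructed and abridged from the output in post #1; the function names and the `prefix` parameter are assumptions of this example.

```python
import re

# Marks from post #1: 0x14 (20) = allowed, 0xa (10) = blocked.
ALLOW_MARK, BLOCK_MARK = "0x14", "0xa"
BUILTIN = {"INPUT": "in", "OUTPUT": "out", "FORWARD": "fw"}
RULE = re.compile(r"^\s*\d+[KMGT]?\s+\d+[KMGT]?\s+(\S+)\s+(.*)$")
# Constructed sample, abridged from the `blockcontrol status` output in post #1.
SAMPLE_OK = """\
Chain INPUT (policy ACCEPT 147K packets, 185M bytes)
 pkts bytes target     prot opt in     out     source      destination
   93  9633 blockcontrol_in  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state NEW mark match !0x14
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    0     0 blockcontrol_fw  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state NEW mark match !0x14
Chain OUTPUT (policy ACCEPT 110K packets, 17M bytes)
  975 61829 blockcontrol_out  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state NEW mark match !0x14
Chain blockcontrol_fw (1 references)
    0     0 DROP     all  --  *  *  0.0.0.0/0  0.0.0.0/0  mark match 0xa
    0     0 NFQUEUE  all  --  *  *  0.0.0.0/0  0.0.0.0/0  NFQUEUE num 92
Chain blockcontrol_in (1 references)
    0     0 DROP     all  --  *  *  0.0.0.0/0  0.0.0.0/0  mark match 0xa
    2   656 NFQUEUE  all  --  *  *  0.0.0.0/0  0.0.0.0/0  NFQUEUE num 92
Chain blockcontrol_out (1 references)
   63  2576 REJECT   all  --  *  *  0.0.0.0/0  0.0.0.0/0  mark match 0xa reject-with icmp-port-unreachable
  352 21120 RETURN   tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:443
   64  2636 NFQUEUE  all  --  *  *  0.0.0.0/0  0.0.0.0/0  NFQUEUE num 92
"""
# Same listing with a constructed firewall rule placed ahead of the jump in INPUT.
SAMPLE_BAD = SAMPLE_OK.replace(
    "   93  9633 blockcontrol_in",
    "   10   600 ACCEPT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22\n   93  9633 blockcontrol_in")

def parse_chains(listing):
    """Map chain name -> ordered list of (target, rest of rule line)."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"^\s*Chain (\S+) \(", line)
        if header:
            current = chains.setdefault(header.group(1), [])
        elif current is not None and (m := RULE.match(line)):
            current.append((m.group(1), m.group(2)))
    return chains

def check_integration(listing, prefix="blockcontrol"):
    """Return a list of problems; empty means the layout matches post #1."""
    chains, problems = parse_chains(listing), []
    for builtin, suffix in BUILTIN.items():
        sub = f"{prefix}_{suffix}"
        rules = chains.get(builtin, [])
        targets = [t for t, _ in rules]
        if sub not in targets:
            problems.append(f"{builtin}: no jump to {sub}")
        else:
            pos = targets.index(sub)
            if pos:  # other rules would see the traffic before the blocklist check
                problems.append(f"{builtin}: {pos} rule(s) before jump to {sub}")
            if not re.search(rf"mark match !\s*{ALLOW_MARK}\b", rules[pos][1]):
                problems.append(f"{builtin}: jump does not skip mark {ALLOW_MARK}")
        body = chains.get(sub, [])
        if not body or body[-1][0] != "NFQUEUE":
            problems.append(f"{sub}: last rule is not NFQUEUE")
        if not any(t in ("DROP", "REJECT")
                   and re.search(rf"mark match {BLOCK_MARK}\b", rest)
                   for t, rest in body[:-1]):
            problems.append(f"{sub}: no DROP/REJECT for mark {BLOCK_MARK}")
    return problems

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_integration(text))
```

To check a live system, pass the text printed by `sudo iptables -L -nv` to `check_integration()`; for the older chain names mentioned in post #1, call it with `prefix="moblock"`.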

  2. #2
    Join Date
    May 2008
    Beans
    1
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: General MoBlock thread

    Hi,
    the first question can only be: which is the (current) correct and most effective way to make Moblock interoperate with Firehol?

    There are several guides (including the old thread), but there is no clear indication if they are updated to last version of Moblock.
    In detail, it would be interesting (to me, at least...) a (definitive) guide to both possible approaches, with IPTABLES_SETTINGS="1" and IPTABLES_SETTINGS="0".

    Thank you.

  3. #3
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    Quote Originally Posted by meden View Post
    Hi,
    the first question can only be: which is the (current) correct and most effective way to make Moblock interoperate with Firehol?

    There are several guides (including the old thread), but there is no clear indication if they are updated to last version of Moblock.
    In detail, it would be interesting (to me, at least...) a (definitive) guide to both possible approaches, with IPTABLES_SETTINGS="1" and IPTABLES_SETTINGS="0".

    Thank you.
    Just make sure that firestarter is started before MoBlock. Then go with the Moblock 0.9 default settings (i.e. IPTABLES_SETTINGS="1" and MARKing on). Every firestarter change then requires a moblock-control restart.
    I have just added information to post #1 how you can verify correct settings.

    If the above doesn't work for you you can go with the other old instructions.

    Finally you may try this (not tested, please give feedback if you do this):
    Keep the MoBlock configuration as it is. In the firehol.conf add as last line moblock-control restart.
    IIRC firehol works that way that commands in its conf are simply executed, so this way you can make sure that MoBlock is restarted after every firehol change (firehol purges all other iptables rules).
    Last edited by jre; May 24th, 2008 at 08:27 AM.
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.

  4. #4
    Join Date
    Apr 2007
    Location
    Belgium
    Beans
    1,528

    Re: General MoBlock thread

    Moblock doesn't want to run anymore on startup. I have to start it by entering the command (sudo moblock-control start) after my system has started up even though the configuration file is ok:
    Code:
    ...
    # Turn on/off automatic start
    # 0 - Don´t start MoBlock at system boot
    # 1 - Start MoBlock at system boot
    MOBLOCK_INIT="1"
    ...
    I do remember it worked for some time. Any ideas on how to solve it?
    Disclaimer: I am currently suffering from severe CSD (Compulsive Sarcasm Disorder).
    My Site | Linux User #452328 | Running Arch Linux on Sony Vaio VGN-SZ61XN/C since October 2008

  5. #5
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    Quote Originally Posted by Nepherte View Post
    Moblock doesn't want to run anymore on startup. I have to start it by entering the command (sudo moblock-control start) after my system has started up even though the configuration file is ok:
    Code:
    ...
    # Turn on/off automatic start
    # 0 - Don´t start MoBlock at system boot
    # 1 - Start MoBlock at system boot
    MOBLOCK_INIT="1"
    ...
    Make sure /etc/default/moblock is not configured otherwise (e.g. mobloquer does save its configuration there).

    If this doesn't help: What's the output on system boot? What's in /var/log/moblock-control.log?
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.

  6. #6
    Join Date
    Feb 2007
    Beans
    62

    Re: General MoBlock thread

    so moblock is now working with firestarter? Sorry to make you repeat yourself...I haven't paid any of this any thought in a while, but I used the old thread a long time ago now and from what I had gathered, before I gave up and made do, was that no one got them working together, so I'm just making sure that I am understanding you correctly that as long as I restart moblock every time I change something in firestarter that they will play nicely? If so..god bless you, that's one less headache I need to deal with!!

  7. #7
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    Quote Originally Posted by chronniff View Post
    so moblock is now working with firestarter? [...] as long as I restart moblock every time I change something in firestarter that they will play nicely?
    Yes. Further conditions of course: moblock version 0.9~rc2 with marking on. These conditions are fulfilled when you install the current moblock (not moblock-nfq or moblock-ipq) package from moblock-deb.sf.net
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.

  8. #8
    Join Date
    Apr 2007
    Location
    Belgium
    Beans
    1,528

    Re: General MoBlock thread

    Quote Originally Posted by jre
    Make sure /etc/default/moblock is not configured otherwise (e.g. mobloquer does save its configuration there).
    /etc/default/moblock is all empty except for some comment blocks.

    This is the output of /var/log/moblock-control.log for the last two days:
    Code:
    2008-05-24 13:07:04 CEST Begin: /usr/bin/moblock-control start
    Inserting iptables   ...done.
    Starting MoBlock   ...done.
    2008-05-24 13:07:04 CEST End: /usr/bin/moblock-control start
    2008-05-24 15:32:22 CEST Begin: /usr/bin/moblock-control start
    Inserting iptables   ...done.
    Starting MoBlock   ...done.
    2008-05-24 15:32:22 CEST End: /usr/bin/moblock-control start
    2008-05-25 11:07:09 CEST Begin: moblock-control start
    Inserting iptables^M^[[74G[ OK ]
    Starting MoBlock^M^[[74G[ OK ]
    2008-05-25 11:07:09 CEST End: moblock-control start
    2008-05-25 11:08:01 CEST Begin: moblock-control stop
    Deleting iptables * .
    Stopping MoBlock^M^[[74G[ OK ]
    2008-05-25 11:08:01 CEST End: moblock-control stop
    Disclaimer: I am currently suffering from severe CSD (Compulsive Sarcasm Disorder).
    My Site | Linux User #452328 | Running Arch Linux on Sony Vaio VGN-SZ61XN/C since October 2008

  9. #9
    Join Date
    Jun 2006
    Beans
    65

    Re: General MoBlock thread

    Quote Originally Posted by jre View Post
    Just make sure that firestarter is started before MoBlock. Then go with the Moblock 0.9 default settings (i.e. IPTABLES_SETTINGS="1" and MARKing on). Every firestarter change then requires a moblock-control restart.
    I have just added information to post #1 how you can verify correct settings.

    If the above doesn't work for you you can go with the other old instructions.

    Finally you may try this (not tested, please give feedback if you do this):
    Keep the MoBlock configuration as it is. In the firehol.conf add as last line moblock-control restart.
    IIRC firehol works that way that commands in its conf are simply executed, so this way you can make sure that MoBlock is restarted after every firehol change (firehol purges all other iptables rules).
    Is there a default firehol example file ? I have the old default settings like
    Code:
    iptables --new moblock 
    iptables -A moblock -j NFQUEUE
    and in moblock
    Code:
    IPTABLES_SETTINGS="0"
    IPTABLES_ACTIVATION="0"
    but I saw that you now recommend iptables_settings=1. I tried both, but when I do the moblock-control test all I get are fails. Also, tail -f /var/log/moblock/moblock.log doesn't give the IP addresses it's blocking. How can I check if moblock-control is up and running?
    Last edited by ranpha; March 22nd, 2009 at 11:09 AM.

  10. #10
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    The easiest way should be to keep the default settings, but make sure to start MoBlock after Firehol (and restart it if firehol changed anything).

    See also "How to make sure that MoBlock is integrated correctly with any other firewall" in post #1 in this thread.
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.
