
Thread: Moblock (peerguardian linux alternative)

  1. #1021
    Join Date
    May 2006
    Location
    Wisconsin
    Beans
    386
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: Moblock (peerguardian linux alternative)

    I just wanted to clarify how I whitelisted my LAN because I did it incorrectly at first. Here is the way I got it to work.
    Code:
    WHITE_IP_OUT="192.168.1.0/24"
    the "0" at the end of the IP being the key to my success. It acts as an all-inclusive range for my LAN.

    I then, for the http ports, did
    Code:
    WHITE_TCP_OUT="http https"
    This gave me my web browsing capabilities, but it leaves me insecure on ports 80 (http) & 443 (https), so when I use a p2p client such as Azureus I tell it to ignore peers with those port numbers. MoBlock will take care of the rest.

    if ignorance is bliss, where are all the happy people
    Jeremy

  2. #1022
    Join Date
    Jun 2005
    Beans
    6

    Re: Moblock (peerguardian linux alternative)

    How am I supposed to "properly" whitelist the stuff needed to let pidgin connect to MSN?

    I know I can either whitelist the port or the IP (range), but can't I do a combination? Whitelisting the port seems kind of dumb because that would leave the port open for all IPs. And I don't necessarily want to whitelist all the Microsoft IP ranges and all ports either.

    And I'm having some problems whitelisting IP ranges, since I don't understand what the mask thing is...

    So what exactly should I put in WHITE_IP_OUT= if I want to allow connections to the IP ranges 207.46.*.* and 64.4.*.*? MSN uses those IPs at least and maybe some more... I can't find a complete list anywhere. I tried putting WHITE_IP_OUT="207.46.0.0/24" etc. but it still seems to block them. WHITE_IP_OUT="207.46.29.0/24" and such seem to work by allowing the range 207.46.29.*, but how can I allow a larger range?

  3. #1023
    Join Date
    Jan 2007
    Beans
    772

    Re: Moblock (peerguardian linux alternative)

    Quote Originally Posted by Scorper View Post
    I know I can either whitelist the port or the IP (range), but can't I do a combination?
    You have to use the custom iptables rules to do that. There's no short way for this, sorry.

    Quote Originally Posted by Scorper View Post
    And I'm having some problems whitelisting IP ranges, since I don't understand what the mask thing is...
    From `man iptables`:
    "The mask can be either a network mask or a plain number, specifying the number of 1’s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0."
    16 is equivalent to 255.255.0.0 and
    8 is equivalent to 255.0.0.0
    This mask is [err, I can't really explain it] subtracted from the IP.
    So you want:
    Code:
    WHITE_IP_OUT="207.46.0.0/16"
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.
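    The mask arithmetic behind the /24 vs /16 answer above, as an added example that is not code from the thread or from MoBlock: the prefix length is the number of leading 1 bits in the mask, the mask is ANDed with the address (not subtracted), and only the bits it keeps have to match. The addresses used are the ones from the question.

    ```python
    # Added example: CIDR mask arithmetic behind WHITE_IP_OUT="a.b.c.d/n".
    # A /n mask keeps the leftmost n bits of the address; everything to the
    # right is the host part. That is why "207.46.0.0/24" only covers
    # 207.46.0.x, while "207.46.0.0/16" covers all of 207.46.x.x.

    def ip_to_int(ip):
        """Convert dotted-quad text to a 32-bit integer."""
        octets = [int(o) for o in ip.split(".")]
        if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
            raise ValueError("bad IPv4 address: %s" % ip)
        return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

    def int_to_ip(n):
        """Inverse of ip_to_int."""
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

    def prefix_to_mask(prefix):
        """/24 -> 255.255.255.0, /16 -> 255.255.0.0, /8 -> 255.0.0.0."""
        if not 0 <= prefix <= 32:
            raise ValueError("prefix must be 0..32")
        return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

    def parse_cidr(cidr):
        """Return (network_int, mask_int) for text like '207.46.0.0/16'."""
        addr, _, prefix = cidr.partition("/")
        mask = prefix_to_mask(int(prefix) if prefix else 32)
        # The mask is ANDed with the address: host bits are cleared, so
        # "207.46.29.0/16" and "207.46.0.0/16" name the same network.
        return ip_to_int(addr) & mask, mask

    def in_cidr(ip, cidr):
        """True if ip falls inside the range a WHITE_IP_* value like cidr covers."""
        network, mask = parse_cidr(cidr)
        return (ip_to_int(ip) & mask) == network

    def cidr_bounds(cidr):
        """First and last address covered, e.g. ('207.46.0.0', '207.46.255.255')."""
        network, mask = parse_cidr(cidr)
        return int_to_ip(network), int_to_ip(network | (~mask & 0xFFFFFFFF))

    if __name__ == "__main__":
        for cidr in ("207.46.0.0/24", "207.46.0.0/16", "64.4.0.0/16", "192.168.1.0/24"):
            print(cidr, "covers", cidr_bounds(cidr))
        print(in_cidr("207.46.29.17", "207.46.0.0/24"))  # False: /24 stops at 207.46.0.255
        print(in_cidr("207.46.29.17", "207.46.0.0/16"))  # True
    ```
    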

  4. #1024
    Join Date
    Nov 2006
    Location
    San Diego
    Beans
    40
    Distro
    Kubuntu 10.04 Lucid Lynx

    Re: Moblock (peerguardian linux alternative)

    I just got web browsing to work by replacing the /24 I had with a /16.
    Registered Linux User #437304

  5. #1025
    Join Date
    Jan 2007
    Beans
    772

    MoBlock 0.9 preview

    I've started to package MoBlock 0.9 (Release Candidate 1). So here it is moblock (0.9~rc1-1), use it only if you really want to test it. I've renamed the nfq package and skipped the ipq version.
    This version now allows packets to be MARKed instead of DROPped or ACCEPTed.
    I've also added a /etc/moblock/moblock.default configuration file to make future updates easier.
    Warning: This version also logs accepted packages, so your logfile will grow faster than usual.

    Please have a look at the Debian package changelog (http://moblock-deb.svn.sourceforge.n...og?view=markup) to get a complete list of the changes.

    jre

  6. #1026
    Join Date
    May 2006
    Location
    Wisconsin
    Beans
    386
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: MoBlock 0.9 preview

    forgive me for asking a simple question but, .. could you explain what it means to mark vs drop or accept?

  7. #1027
    Join Date
    Jan 2007
    Beans
    772

    Re: MoBlock 0.9 preview

    Quote Originally Posted by empthollow View Post
    forgive me for asking a simple question but, .. could you explain what it means to mark vs drop or accept?
    It's the possibility to make many errors
    With moblock 0.8 matched packets (IP in blocklist) were either ACCEPTed or DROPped. So as soon as they were checked by MoBlock they were no longer checked by further iptables rules. This means you could not use MoBlock together with other firewalls (except firehol).
    Now, you have the option to let MoBlock simply MARK the packets. They will then continue their voyage through later iptables rules, where you can put rules which only apply to the marked packets next to other firewall rules.
    The combination of MoBlock with other firewalls is therefore possible now, but we first need some testers
    Further (already done in the packet), OUTPUT matched packets can be REJECTed instead of being DROPped. So if YOU want to access an IP that is blocked by MoBlock, your applications get notified immediately instead of having to wait until they time out (I really like that).

    Have fun with testing. But remember not to use this blindly.
    jre

  8. #1028
    Join Date
    May 2006
    Location
    Wisconsin
    Beans
    386
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: MoBlock 0.9 preview

    From this I gather that the packets marked by moblock are OK unless otherwise determined by further firewall rules. Is that correct? I don't use a software firewall, so this has never been an issue for me (I use my router) except when I go on a trip. I then use Firestarter, which I think is just a front end to iptables. I'd be happy to do some testing, but I'll need a little instruction on how to see if it's working. I would use moblock and Firestarter. My router would of course still have a firewall, and I need that running for all of my other computers. Let me know if I can be of any help to you. I would need to know what command to run to know if the proper IPs are being blocked, though.

  9. #1029
    Join Date
    Mar 2006
    Beans
    23

    Lightbulb Re: Moblock (peerguardian linux alternative)

    Quote Originally Posted by fj4 View Post
    I'm having a different issue. Ever since upgrading to 0.8-36+gutsy I get this nasty error:
    Code:
    frank@ForGreatJustice:~$ *** stack smashing detected ***: /usr/bin/moblock terminated
    Any ideas? Thanks in advance.
    I had this same error. The problem for me was that I changed my .dat.gz list to plain .gz lists without changing BLOCKLIST_FORMAT="d" to BLOCKLIST_FORMAT="p" in /etc/moblock/moblock.conf . Try changing that value and let us know if it resolves your problem. Also remember that you can't use both .dat.gz and .gz at the same time.

    Alex Eagar

  10. #1030
    Join Date
    Jan 2007
    Beans
    772

    Re: MoBlock 0.9 preview

    Quote Originally Posted by empthollow View Post
    From this I gather that the packets marked by moblock are OK unless otherwise determined by further firewall rules. Is that correct?
    Yes
    Quote Originally Posted by empthollow View Post
    I don't use a software firewall, so this has never been an issue for me (I use my router) except when I go on a trip. I then use Firestarter, which I think is just a front end to iptables.
    For me a software firewall and a frontend for iptables is the same.
    Quote Originally Posted by empthollow View Post
    I'd be happy to do some testing, but I'll need a little instruction on how to see if it's working. I would use moblock and Firestarter. My router would of course still have a firewall, and I need that running for all of my other computers. Let me know if I can be of any help to you. I would need to know what command to run to know if the proper IPs are being blocked, though.
    Ok, install moblock 0.9~rc1-4 (just releasing while I type this).

    First, make sure that moblock is started AFTER firestarter (/etc/rc2.d/SNNname: the NN of moblock has to be higher than that of firestarter [does Ubuntu still work this way!?])

    Then check and post your iptables rules ("moblock-control status").

    Do a "moblock-control test" and "tail -f /var/log/moblock.log". Note the "Marked block" entries in the logfile. Now make a "traceroute" for such an IP: the packet must not pass the first hop (otherwise it has left your machine).

    So, this way you can make sure that the "Marked block" IP from the test really didn't leave your machine. But I can't tell you if this was MoBlock's achievement or firestarter's.
    Anyway, I'd take this as "moblock is working" if the rest of the iptables rules make sense.

    Now you have to check firestarter: Since you have a LAN with other machines, you can go to another machine and try to access your moblock machine in ways you would not want to be possible (access it on blocked ports).

    Try it two ways: First add a line to "/etc/moblock/ipfilter.dat" like
    Code:
    192.168.178.0 - 192.168.178.255 , 000 , Lan,
    with the IP range of your LAN (with ifconfig I get "inet addr:192.168.178.124", hence this example entry). Do a "moblock-control reload" and test.

    Then whitelist your LAN:
    Code:
    WHITE_IP_IN="192.168.178.0/24"
    Do a "moblock-control restart" and make the same tests again.

    In both cases you should not be able to access your MoBlock machine: the first time because of MoBlock and firestarter, the second time only because of firestarter. A real port scan would of course be a better test.

    greets
    jre
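    The two LAN tests described above, as an added example that is not code from the thread or from MoBlock itself: it reads blocklist lines in the shape quoted in the post ("start - end , score , name,") plus a WHITE_IP_IN CIDR and reports whether MoBlock is still the component that would block a given source address. It assumes, as the post's "second time only because of firestarter" implies, that a whitelisted address is exempt from the blocklist check; the sample lines and the LAN host address are constructed.

    ```python
    # Added example: model of the two tests from the post (constructed data,
    # not MoBlock's own code). Assumption: WHITE_IP_IN exempts an address from
    # the blocklist, so in the second test only the other firewall decides.
    import ipaddress

    def parse_ipfilter_line(line):
        """Parse '192.168.178.0 - 192.168.178.255 , 000 , Lan,' -> (first, last, name)."""
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or "-" not in fields[0]:
            return None  # blank line, comment, or not a range entry
        first, last = (p.strip() for p in fields[0].split("-", 1))
        return (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last), fields[2])

    def load_blocklist(text):
        """Collect every parsable range entry from ipfilter.dat-style text."""
        ranges = []
        for line in text.splitlines():
            entry = parse_ipfilter_line(line)
            if entry is not None:
                ranges.append(entry)
        return ranges

    def moblock_verdict(src_ip, blocklist, white_ip_in=()):
        """'whitelisted', 'blocked:<name>' or 'passed' for an incoming packet."""
        ip = ipaddress.IPv4Address(src_ip)
        if any(ip in ipaddress.IPv4Network(cidr) for cidr in white_ip_in):
            return "whitelisted"  # MoBlock does not act; later rules decide
        for first, last, name in blocklist:
            if first <= ip <= last:
                return "blocked:" + name  # the "Marked block" case
        return "passed"

    # Constructed sample in the format quoted in the post.
    SAMPLE_IPFILTER = """\
    # comment lines and blank lines are skipped

    192.168.178.0 - 192.168.178.255 , 000 , Lan,
    """
    LAN_HOST = "192.168.178.50"  # constructed: another machine on the LAN

    def run_both_tests():
        """Test 1: LAN in blocklist. Test 2: same, plus WHITE_IP_IN for the LAN."""
        blocklist = load_blocklist(SAMPLE_IPFILTER)
        test1 = moblock_verdict(LAN_HOST, blocklist)
        test2 = moblock_verdict(LAN_HOST, blocklist, white_ip_in=("192.168.178.0/24",))
        return test1, test2

    if __name__ == "__main__":
        print(run_both_tests())  # ('blocked:Lan', 'whitelisted')
    ```
    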
