Thread: General MoBlock thread

    General MoBlock and PeerGuardian Linux thread

    Hi all,

    this is the new general Moblock and PeerGuardian Linux (pgl) thread. pgl is replacing MoBlock/blockcontrol/mobloquer:
    pgld replaced moblock
    pglcmd replaced blockcontrol (previously moblock-control)
    pglgui replaced mobloquer

    PeerGuardian is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge blocklists (thousands or millions of IP ranges). Its origins lie in targeting aggressive IPs while you use P2P.
    Hint for all the people doing support here: This is often the reason for "network problems" - I do my best to make users aware of this fact.

    pglcmd provides easy ways to interact with pgld and does all common related tasks.

    pgl-gui is a GUI on top of pglcmd.

    You can get Debian packages from For Ubuntu use my PPA, for experimental packages use additionally. I'm the maintainer of these sites.

    There's an HOWTO on

    I do my support in this and all other threads that contain the keyword "pgl". You will also find me at the PeerGuardian project's homepage at



    2012-06-25: Please welcome "PeerGuardian Linux 2.2.1"!
    This version adds the last feature only present in mobloquer, but not in
    pglgui: "whois information about blocked IPs".

    Since I also fixed or worked around all issues with older Debian and
    Ubuntu versions I added transitional packages for the old
    moblock/blockcontrol/mobloquer packages. This means the Debian/Ubuntu
    world now moves to pgl automatically. (Except the 2008 Ubuntu Long Term
    Release Hardy which I think is ok to be left behind forever ;P )

    Goodbye phoenixlabs is no more active. All support and development is now done at, or here

    2011-08-12: PeerGuardian Linux 2.1.0 - The GUI release!
    Today we proudly present to you: pgl 2.1.0, including the long-anticipated pgl-gui. Try it, test it, report back. If you don't tell us otherwise the days of moblock, blockcontrol and mobloquer will soon be over.

    2010-05-18: PeerGuardian Linux 2.0.0 released!
    PeerGuardian Linux is based on nfblock/moblock and blockcontrol. Users of these applications will find many improvements and bug fixes. Unfortunately we have no GUI ready, yet. Developers are very welcome. Just look at the code, make your changes and contact me.
    moblock/blockcontrol/mobloquer packages are still available for those who need a GUI. Remember that these applications aren't developed any more and their packages will only get really important updates. NFBlock was removed from the repository.

    2009-11-12: New project PeerGuardian Linux
    There's a new project: PeerGuardian Linux (pgl), located at the project of the original PeerGuardian. The new project combines and succeeds all projects that had packages here. There's the daemon pgld (based on NFBlock, which was based on MoBlock), pglcmd (based on blockcontrol, previously moblock-control) and pgl-gui (by the author of mobloquer).
    All authors of the old applications and new authors work on this new project. So the old projects are dead now. Contributors and testers are welcome! This is an open project. Check the source in the git repository: git://
    (At least for the beginning) I'll continue to offer Debian packages here (until the first pgl release the old moblock, blockcontrol, nfblock and mobloquer packages), and then later pgl packages. Stay tuned.

    2009-08-21: new gpg key for moblock-deb
    I've got a new key (58712F29) for the repository at My old key expired. So if you are using the moblock-deb repository you have to add my new key to the system:
    gpg --keyserver --recv 58712F29
    gpg --export --armor 58712F29 | sudo apt-key add -
    If you are using the launchpad PPA (as most people will do) you do not have to do anything.

    2009-04-23: added jaunty, removed gutsy support
    jaunty is now supported via a ppa at launchpad. See the wiki or for the sources.list entry and the new gpg key.

    2009-03-22: moblock-control renamed to blockcontrol
    • Full support for Moblock and NFBlock.
    • New option "search": Examine your selected blocklists by searching the single blocklists for keywords.
    • All user configuration is now done in /etc/blockcontrol/blockcontrol.conf. Not any more in /etc/default/...

    2009-01-11: Current development status
    MoBlock: The last official release was in 2006, and a new one is still planned. The MoBlock upstream author is still active. The version in the packages is 0.9RC2 from February 2008 and since then I've applied some useful patches that I got.

    moblock-control: I'm still active. Of course help, patches, reports and suggestions are always welcome.

    mobloquer (GUI): The author is currently inactive, due to real life time restrictions. Unfortunately, he has not found a new developer yet. The last stable release 0.5 is packaged at, but I will soon update it to the SVN version and add some own patches.

    NFBlockD (daemon): actively developed. Works together with moblock-control. I intend to package this app, too.

    IPList (daemon and GUI): actively developed, repository is available.

    2009-01-09: moblock-control 1.2 released

    • New handling of blocklists:
      • php redirects are supported now. This allows to use the lists from All lists are downloaded from there per default now.
      • Since moblock-control 1.1 the default blocklists are by "The Blocklist Group" ( instead of Bluetack (
      • The single blocklists are saved in new places now (but still under /var/spool/moblock/).
      • The master blocklist (e.g. guarding.p2p) is now saved in /var/lib/moblock/ instead of /etc/moblock/.
      • Several changes to make sure that the master blocklist exists and reflects the configuration. All changes are always applied on "start" now.
      • The (Debian) installation only requires the blocklists (and therefore network access) to be available, if the automatic start (init) is configured.
    • Per default allow.p2p is not used for forwarded traffic.
    • Dropped support for Ubuntu Feisty, as this is no more supported by Ubuntu since October 19th, 2008.

    Currently there are some issues with the blocklist updates. Thanks lovinglinux, for notifying us!
    Per default you all use the blocklists by bluetack. Now, according to this thread most of the people who were in charge of these blocklists quit bluetack and started their own project: TBG (The Blocklist Group). So (according to the mentioned thread) the old blocklists from bluetack lack the old level of maintenance.
    Further, perhaps fully unrelated to all this, the download of the bluetack lists currently frequently fails.

    For people not having problems: Do nothing, be happy, don't make unnecessary blocklist downloads.

    For all people having update problems: MoBlock will refuse to start if not all configured blocklists are available. So your problem is the download of the blocklists, but not a problem of your installation. So do NOT purge moblock-control - this will remove all downloaded blocklists, even those that were already downloaded successfully - so purging will make your problems bigger.

    What you can do now:
    Check what blocklists fail to download in /var/log/moblock-control.

    If you want to use that blocklist try a "moblock-control update" or download it manually. Then place the blocklist in /var/spool/moblock/used. (e.g. "sudo cp level1.gz /var/spool/moblock/used")

    If you don't want to use that blocklist just run "sudo dpkg-reconfigure moblock-control" and deselect the blocklist in question. For the other questions that you will be asked - just keep everything as it is. Then do a "moblock-control update".

    If you want to use blocklists by TBG just add them to /etc/moblock/blocklists.list and do a "moblock-control update".

    What I will do: I'll prepare an update which uses the new lists by TBG per default (this will only work on new installs). On updates from the current installations I'll notify the user of the current situation.

    • "moblock-control" is a separate package now. So install "moblock" and "moblock-control" to have the functionality of the old "moblock" package. This will happen automatically on a normal update with your package manager.
    • The custom iptables scripts /etc/moblock/ and /etc/moblock/ now are executed for IPTABLES_SETTINGS="1", too. This happens after moblock-control's iptables commands. Use these scripts e.g. for additional sophisticated whitelisting rules. Some examples are given in these files.
      Thanks, anonymous, for the hints about iptables owner module and IPv6.

    I created this thread so that pelle.[Chuc]k[Norris] can close his thread. pelle started the very successful HOWTO here at ubuntuforums but doesn't find enough time to maintain it any more ... Thanks!

    How to make sure that MoBlock is integrated correctly with any other firewall

    Check your iptables rules with blockcontrol status:
    Current iptables rules (this may take awhile):
    Chain INPUT (policy ACCEPT 147K packets, 185M bytes)
     pkts bytes target     prot opt in     out     source               destination         
       93  9633 blockcontrol_in  all  --  *      *             state NEW mark match !0x14 
        [iptables rules of firewall applications may follow here]
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 blockcontrol_fw  all  --  *      *             state NEW mark match !0x14 
        [iptables rules of firewall applications may follow here]
    Chain OUTPUT (policy ACCEPT 110K packets, 17M bytes)
     pkts bytes target     prot opt in     out     source               destination         
      975 61829 blockcontrol_out  all  --  *      *             state NEW mark match !0x14 
        [iptables rules of firewall applications may follow here]
    Chain blockcontrol_fw (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        [iptables rules for whitelisting forwarded packets are placed here]
        0     0 DROP       all  --  *      *             mark match 0xa 
        0     0 RETURN     all  --  *      *    
        0     0 NFQUEUE    all  --  *      *             NFQUEUE num 92
    Chain blockcontrol_in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        [iptables rules for whitelisting incoming packets are placed here]
        0     0 DROP       all  --  *      *             mark match 0xa 
       85  8617 RETURN     all  --  *      *           
        6   360 RETURN     all  --  lo     *             
        2   656 NFQUEUE    all  --  *      *             NFQUEUE num 92
    Chain blockcontrol_out (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        [iptables rules for whitelisting outgoing packets are placed here]
       63  2576 REJECT     all  --  *      *             mark match 0xa reject-with icmp-port-unreachable 
      309 24277 RETURN     all  --  *      *      
        6   360 RETURN     all  --  *      lo             
      352 21120 RETURN     tcp  --  *      *             tcp dpt:443 
      177 10620 RETURN     tcp  --  *      *             tcp dpt:80 
       64  2636 NFQUEUE    all  --  *      *             NFQUEUE num 92
    [Other chains are ok]
    Make sure that there are not any iptables rules in the chains INPUT/OUTPUT/FORWARD before the MoBlock rules (there are exceptions possible but I won't discuss them here). If this is not the case then do a blockcontrol restart.

    Traffic that reaches the target NFQUEUE will be checked by MoBlock. MoBlock then MARKs them: Allowed packets (IP is not in the blocklist) get the mark "20" (shown as 0x14 by iptables) and blocked packets (IP is in the blocklist) get the mark "10" (0xa).

    Marked packets repeat the hook function (NF_REPEAT). So they are sent back to the head of the iptables chain again and go through the rules again, but this time bearing the mark.

    The targets REJECT and DROP in the moblock_* chains decide what happens to "marked match" packets. So if MoBlock blocks a packet it will be REJECTed if it was outgoing traffic, and DROPped if it was input traffic.

    The lines with target RETURN in the moblock_* chains are optional. They cause that some traffic is not checked by MoBlock (aka allow and whitelisting traffic).
    In the example my LAN ( and the loopback interface were whitelisted automatically. Further I allow outgoing traffic on port 80 (http) and 443 (https).

    If you are missing a rule, do a blockcontrol restart.
    Of course the numbers of packets and bytes do vary.

    2011-08-14: renamed to "General MoBlock and PeerGuardian Linux thread" etc.
    2008-05-22: added information about integration with other firewall applications
    2008-09-26: Updated.
    Last edited by jre; June 25th, 2012 at 02:43 PM.
    Please post your logfiles and output of commands wrapped in code tags:
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.
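
An added example, not part of the original post and not code from pgl or blockcontrol: a Python check for the layout described in the post, applied to `iptables -L -nv` output. It verifies that each built-in chain jumps to its blockcontrol_* chain first and that each blockcontrol_* chain has a DROP/REJECT rule for mark 0xa and ends in NFQUEUE. The function names, the sample listing and its 0.0.0.0/0 addresses are constructed for illustration.

```python
import re

# Built-in chain -> blockcontrol chain that must be its first rule (names from the post).
HOOKS = {"INPUT": "blockcontrol_in", "OUTPUT": "blockcontrol_out", "FORWARD": "blockcontrol_fw"}

def parse_chains(listing):
    """Map chain name -> [(target, rest of line), ...] in rule order."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        fields = line.split()
        if header:
            current = chains.setdefault(header.group(1), [])
        # Rule lines start with a packet counter such as "93" or "147K".
        elif current is not None and len(fields) >= 3 and re.fullmatch(r"\d+[KMGT]?", fields[0]):
            current.append((fields[2], " ".join(fields[3:])))
    return chains

def audit(listing):
    """Return a list of problems; an empty list means the layout matches the post."""
    chains, problems = parse_chains(listing), []
    for builtin, hook in HOOKS.items():
        rules, body = chains.get(builtin, []), chains.get(hook, [])
        if not rules or rules[0][0] != hook:
            problems.append(f"{builtin}: first rule is not {hook}")
        if not body or body[-1][0] != "NFQUEUE":
            problems.append(f"{hook}: NFQUEUE is not the last rule")
        if not any(t in ("DROP", "REJECT") and re.search(r"mark match 0xa\b", rest) for t, rest in body):
            problems.append(f"{hook}: no DROP/REJECT for mark 0xa")
    return problems

# Constructed sample in `iptables -L -nv` format; 0.0.0.0/0 stands in for real addresses.
ANY = "all  --  *  *  0.0.0.0/0  0.0.0.0/0"
GOOD = "\n".join(
    f"Chain {b} (policy ACCEPT 0 packets, 0 bytes)\n"
    f"    0     0 {h}  {ANY}  state NEW mark match !0x14\n"
    f"Chain {h} (1 references)\n"
    f"    0     0 {'REJECT' if b == 'OUTPUT' else 'DROP'}  {ANY}  mark match 0xa\n"
    f"    0     0 NFQUEUE  {ANY}  NFQUEUE num 92"
    for b, h in HOOKS.items())
# Same listing with another firewall's rule placed ahead of the blockcontrol_in jump.
BAD = GOOD.replace("    0     0 blockcontrol_in", f"    5   300 ACCEPT  {ANY}\n    0     0 blockcontrol_in")

if __name__ == "__main__":
    import sys
    # Pipe real output in (sudo iptables -L -nv | python3 this_file.py) or run bare for the sample.
    text = GOOD if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(audit(text)) or "layout OK")
```

A reported problem corresponds to the case where the post says to do a blockcontrol restart.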

