[How-To] PeerGuardianLinux(pgl) on Desktop and Server

[amazinghorse]

In this how-to I will show you how install and configure PeerGuardian Linux(pgl)
First, what the heck is PeerGuardian Linux? dry
PeerGuardian Linux (pgl) is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges).
pgl is based on the Linux kernel netfilter framework and iptables.
Alternative for windows is PeerBlock.

Does this mean my P2P downloading is completely safe with this thing ? dry
Not necessarily. While many people do use IP Filtering software to "protect" themselves from being sued for copyright infringement, it is not 100% protection. In fact some people believe that using blocklists like this are completely useless. Others disagree, and believe that even if it's not 100% safe, it still lets them download files more safely. Sometimes they invoke the "Bear Principle": when running away from bear you don't need to be faster than that bear . . . you only need to be faster than the guy next to you.
This program is good at what it does - keeping your computer from "talking" with ip addresses on your configured blocklists. Everything else is up to those blocklists themselves.

First release of this program has been about 9 years ago, last version has been released 2013-10-31.
Today It's nice and solid app, but only with proper configuration!

So... Lets Start!
For this How-To i used Debian 7.3 and pgl 2.2.3

Desktop Installation with fancy GUI:D (home computer, laptop, e.t.c)


It's very simple for debian-based distributions:
Just follow this:
http://sourceforge.net/p/peerguardian/wiki/pgl-Install-DebianUbuntu/
You can also find packages in your distro repo too, check it.

Otherwise follow this:
http://sourceforge.net/p/peerguardian/code/ci/HEAD/tree/pgl/INSTALL
also see server installation instruction below.

Server Installation with fast and light headless configuration
Don't use desktop oriented builds on servers, because it's waste of RAM and CPU! popo
Let's build nice server pgl!

install checkinstall for package building. (we want keep our system clean )

sudo apt-get install checkinstall

Install pgl dependencies

sudo apt-get install autoconf libtool libnfnetlink-dev libnetfilter-queue-dev zlib1g-dev p7zip unzip

get pgl (check latest version and correct link if needed!)

wget "http://downloads.sourceforge.net/project/peerguardian/PeerGuardian%20Linux/2.2.3/pgl-2.2.3.tar.gz"

UnTar pgl

tar zxvf pgl-2.2.3.tar.gz

Go to pgl directory

cd pgl-2.2.3

Set configure file as executable

chmod a+x configure

Configure our pgl with as light as possible cool

./configure --prefix=/usr --mandir=/usr/share/man --docdir=/usr/share/doc/pgl --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var --with-lsb=/lib/lsb/init-functions  --enable-cron --enable-logrotate --enable-zlib --enable-lowmem --disable-networkmanager --without-qt4 --disable-dbus

Compile

make

Install

sudo make install

Make DEB package , and install it

sudo checkinstall make install

Questions during this process :

The package documentation directory ./doc-pak does not exist.
Should I create a default set of package docs? [y]:

Y

Please write a description for the package.
End your description with an empty line or EOF.

PeerGuardian Linux (pgl) is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges). pgl is based on the Linux kernel netfilter framework and iptables.
And Hit Enter two times.

In the end of this process you should see something like this:

********************************************************************** 
Done. 
The new package has been installed and saved to /home/test/pgl-2.2.3/pgl_2.2.3-1_i386.deb 
You can remove it from your system anytime using: dpkg -r pgl
**********************************************************************

Congratulations seems you build and install it right! Pirata
 

WARNING! Configure it before run, you may block ALL your connections!

Configuration
Here is configuration files of pgl:
/etc/pgl/blocklists.list - contains a list of URL for retrieving the various block lists.
/etc/pgl/pglcmd.conf - empty by default, overrides the default settings present in /usr/lib/pgl/pglcmd.defaults.
/etc/pgl/allow.p2p - lists custom IP ranges that will not be filtered.

It is recommended to disable the filtering of HTTP connections by adding the following to /etc/pgl/pglcmd.conf:
/etc/pgl/pglcmd.conf

WHITE_TCP_IN="http https"
WHITE_TCP_OUT="http https"

Conversely, one could white list all the ports except the ones used by the program to be blocked.
The following example only use the block lists to stop incoming traffic on ports 53 (DNS) and 80 (HTTP):
/etc/pgl/pglcmd.conf

WHITE_TCP_IN="0:79 81:65535"
WHITE_UDP_IN="0:52 54:65535"

By default, pgl blocks traffic on the local IPv4 addresses. To disable this behavior, edit /etc/pgl/pglcmd.conf to add an exception using the WHITE_IP_* setting:
/etc/pgl/pglcmd.conf

WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24"

The default lists in /etc/pgl/blocklists.list block many potentially legitimate IP address. Users are encouraged to exercise best judgment and the information available at I-Blocklist.
So here is "optimal try" list:
(Other links are commented)
/etc/pgl/blocklists.list

http://list.iblocklist.com/lists/bluetack/level-1
http://list.iblocklist.com/lists/bluetack/microsoft
http://list.iblocklist.com/lists/tbg/bogon

Description:

Level-1
Companies or organizations who are clearly involved with trying to stop filesharing(e.g. Baytsp, MediaDefender, MediaSentry).
Companies which anti-p2p activity has been seen from.
Companies that produce or have a strong financial interest in copyrighted material(e.g. music, movie and software industries).
Government ranges or companies that have a strong financial interest in doing work for governments.
Legal industry ranges.
IPs addresses or ranges of ISPs from which anti-p2p activity has been observed.
Microsoft
... For what freaking reason I need micro**** connections to my server?
Bogon
...It's just a good tradition from very old times!

After you finish your configuration
(double check all your settings)
Run

sudo pglcmd restart

First Start can take several minutes...

Test
Now let's do some dummy test.

sudo pglcmd test

we need to recive something like this:

pgld marked the IP to be blocked and the IP did not answer.
Test succeeded.

Ok... All seems to be good!

Update Issue Workaround
Run

sudo pglcmd update

If it's failed, check this:
http://community.linuxmint.com/tutorial/view/1438

Startup
On some systems (e.g. Debian and Ubuntu based) it may be required to activate
the init script:

update-rc.d pgl defaults

Or alternatively:

/usr/lib/lsb/install_initd /etc/init.d/pgl

RedHat's system initialization:

chkconfig add pglchkconfig pgl on

systemD Tip:
systemd initialization of the system means that it's quite possible for a server to be briefly unprotected, prior to pgl launch.
To ensure adequate protection, create a service file named after the original server (i.e. /etc/systemd/system/httpd.service) and paste the following:
/etc/systemd/system/httpd.service

.include /usr/lib/systemd/system/httpd.service[Unit]Wants=pgl.serviceAfter=pgl.service

So... I think that's all, hope this will be helpful!
Don't forget to read MANUAL!
gdnight