03-11-2006, 11:36 AM
#1
Introducing MoBlock
Hi, I'm the developer of MoBlock, an application that has the same purpose as peerguardian linux. I was contacted by phrosty to make MoBlock become the official peerguardian linux, so here I am to explain what I would like to do.
I know there is already a pg client for linux and the normal thing would be to continue developing it, but for me it is easier to just continue developing the code I wrote and know better. So for now I was thinking about making people know and use it, make suggestions, report bugs, ask for features, and then, if everyone is happy with how things are going, mark it as official.
I'm very happy with how MoBlock is working; it's stable (I've been developing/using it for more than a year now), uses few resources, and I tried to add just the very needed features to keep it light and simple (thanks to the people that suggested new features and sent patches!).
So this is my main idea: keep it simple.
At present it works with libipq or the new nfnetlink_queue libraries, loads ipfilter.dat or .p2p/.p2b block lists, merges overlapping/duplicated ranges in the loaded list, uses few resources (about 13MB RAM with 100K+ ranges loaded, CPU load very very low), the block list can be reloaded while MoBlock is running, it logs blocked ranges in realtime to a logfile and statistics to /var/log/MoBlock.log on shutdown and on user request, and it supports queuing packets from the default INPUT/OUTPUT iptables chains and the NAT table OUTPUT chain.
Features already planned for the next release: support for queuing from the FORWARD chain (thanks to hyakki for suggestions, testing and bug reports!), better handling of the logfile for log rotation (thx to lestlest for suggestions and patches!) and support for debian packaging (again thx to lestlest for this, it's all his work).
Try it and tell us what you think :)
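As an added illustration of the block-list handling the post describes (this is example code, not MoBlock's own): parse the .p2p "name:first-last" format, merge overlapping and duplicated ranges, then do the per-packet style lookup with a binary search over the merged list. The sample list is constructed, and the merge also folds adjacent ranges, which goes slightly beyond what the post states.

```python
import ipaddress

# Constructed sample in .p2p format ("name:first-last"); not a real block list.
SAMPLE_P2P = """\
# comment and blank lines are ignored
Bad Range A:10.0.0.0-10.0.0.255
Bad Range B:10.0.0.128-10.0.1.10
Duplicate of A:10.0.0.0-10.0.0.255
Other:192.0.2.10-192.0.2.20
Adjacent to Other:192.0.2.21-192.0.2.30
"""

def ip_to_int(text):
    return int(ipaddress.IPv4Address(text.strip()))

def parse_p2p(text):
    # Returns (first, last, name) tuples with addresses as integers.
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, span = line.rpartition(":")   # the name itself may contain ':'
        if not sep or "-" not in span:
            raise ValueError("malformed .p2p line: %r" % raw)
        first, last = (ip_to_int(p) for p in span.split("-", 1))
        ranges.append((first, last, name))
    return ranges

def merge_ranges(ranges):
    # Sort by first address, then fold overlapping, duplicate and adjacent ranges.
    merged = []
    for first, last, name in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            pfirst, plast, pname = merged[-1]
            merged[-1] = (pfirst, max(plast, last), pname)   # earlier name wins
        else:
            merged.append((first, last, name))
    return merged

def lookup(merged, ip):
    # Binary search; merged is sorted and disjoint, so the first range whose last
    # address is >= ip is the only candidate. Returns the list name or None.
    x, lo, hi = ip_to_int(ip), 0, len(merged)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if merged[mid][1] < x else (lo, mid)
    if lo < len(merged) and merged[lo][0] <= x:
        return merged[lo][2]
    return None
```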
03-16-2006, 06:44 AM
#5
Re: Introducing MoBlock
Quote:
Originally Posted by /meth/usr
Any idea if MoBlock works with IPP2P?
First time I read about it; from a quick view of the website I think you can simply use "-j NFQUEUE/QUEUE" instead of ACCEPT/DROP, and it should work with no problems.
03-16-2006, 09:17 PM
#6
Re: Introducing MoBlock
Quote:
Originally Posted by Morpheus
First time I read about it; from a quick view of the website I think you can simply use "-j NFQUEUE/QUEUE" instead of ACCEPT/DROP, and it should work with no problems.
I ask because I think CONNMARK, which IPP2P uses, changes the structure passed in QUEUE commands; for a little more history, see
this thread, which happens to be one of the first and only kicked over to the technical support forum.
I guess it's pretty technical stuff.
But if MoBlock works with it, you've got one more user headed your way.

03-21-2006, 07:30 PM
#8
Re: Introducing MoBlock
Quote:
Originally Posted by Morpheus
Do you have any log of those pg linux error messages? (Or try it with MoBlock and report here what happens.)
There should be no problem using it, because the mark set by CONNMARK (or the classid set by CLASSIFY) is stored in the packet's associated data at kernel level, not in the actual packet data where MoBlock and pg linux search for the src/dst address.
If you provide more info about your setup it should be easy to understand where the problem is.
Yeah, the logs are pretty mundane; they just say something like ERROR$ on most lines, and a couple of blocked addresses until it craps out entirely.
I agree there should be no problem using it, but peerguardian definitely can't handle layer 7 services being installed, and works a treat without them.
I'm using IPCop 1.4.10, which is based upon kernel 2.4.31.
IPCop is a firewall dist, so it doesn't come with any development tools, making it really hard to just test out software without binaries.
Layer 7 services for IPCop are also installed from http://www.mhaddons.tk/
The following modules are loaded:
Code:
Module Size Used by Not tainted
cls_fw 2200 162 (autoclean)
sch_prio 2176 56 (autoclean)
ipt_CONNMARK 856 2 (autoclean)
ipt_tos 440 2 (autoclean)
ipt_length 472 4 (autoclean)
ipt_TOS 888 13 (autoclean)
ipt_ipp2p 6360 1
sch_teql 3292 0 (unused)
sch_tbf 2432 0 (unused)
sch_red 2272 0 (unused)
sch_sfq 3008 222
sch_ingress 1380 0 (unused)
sch_htb 18688 2
sch_gred 4544 0 (unused)
sch_dsmark 3520 0 (unused)
sch_csz 3520 0 (unused)
sch_cbq 11456 0 (unused)
ip_queue 5008 0 (unused)
ipt_MARK 696 320 (autoclean)
ipt_MASQUERADE 1272 1 (autoclean)
ipt_mark 440 307 (autoclean)
ipt_TCPMSS 2168 1 (autoclean)
ipt_state 504 15 (autoclean)
ipt_REJECT 2968 1 (autoclean)
ipt_LOG 3616 9 (autoclean)
ipt_limit 792 10 (autoclean)
iptable_mangle 2008 1 (autoclean)
iptable_filter 1612 1 (autoclean)
tulip 38784 1
crc32 2880 0
3c59x 25488 1
ip_nat_quake3 1864 0 (unused)
ip_conntrack_quake3 1992 1
ip_nat_proto_gre 1316 0 (unused)
ip_nat_pptp 2156 0 (unused)
ip_conntrack_pptp 2641 1
ip_conntrack_proto_gre 2069 0
ip_nat_mms 2736 0 (unused)
ip_conntrack_mms 2928 1
ip_nat_irc 2032 0 (unused)
ip_conntrack_irc 2864 1
ip_nat_h323 2380 0 (unused)
ip_conntrack_h323 2161 1
ip_nat_ftp 2512 0 (unused)
ip_conntrack_ftp 3664 1
iptable_nat 16142 8
ip_tables 10944 18
ip_conntrack 19628 7
Let me know what else you'd like to know about the setup, if you would like to know anything else...
Last edited by /meth/usr : 03-21-2006 at 07:33 PM.
03-22-2006, 10:59 PM
#10
Re: Introducing MoBlock
Quote:
Originally Posted by Morpheus
can you post the firewall rules you use while trying to run pg? If it makes nat post those rules too please.
K, but I don't think the iptables rules will really make a difference (except for the mangle stuff, maybe). It's just the layer 7 that causes a problem. With Layer 7 = works, without Layer 7 = no works.
Here it is:
filter, nat & mangle:
Code:
/$ iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ipac~o all -- anywhere anywhere
BADTCP all -- anywhere anywhere
tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
CUSTOMINPUT all -- anywhere anywhere
GUIINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT !icmp -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
DHCPBLUEINPUT all -- anywhere anywhere
IPSECRED all -- anywhere anywhere
IPSECBLUE all -- anywhere anywhere
WIRELESSINPUT all -- anywhere anywhere state NEW
REDINPUT all -- anywhere anywhere
XTACCESS all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
Chain FORWARD (policy DROP)
target prot opt source destination
ipac~fi all -- anywhere anywhere
ipac~fo all -- anywhere anywhere
BADTCP all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
WIRELESSFORWARD all -- anywhere anywhere state NEW
REDFORWARD all -- anywhere anywhere
PORTFWACCESS all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ipac~i all -- anywhere anywhere
CUSTOMOUTPUT all -- anywhere anywhere
Chain BADTCP (2 references)
target prot opt source destination
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
NEWNOTSYN tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
FAIRNAT_FORWARD all -- anywhere anywhere
Chain CUSTOMINPUT (1 references)
target prot opt source destination
Chain CUSTOMOUTPUT (1 references)
target prot opt source destination
Chain DHCPBLUEINPUT (1 references)
target prot opt source destination
Chain DMZHOLES (0 references)
target prot opt source destination
Chain FAIRNAT_ACK_TOS (0 references)
target prot opt source destination
Chain FAIRNAT_CHK_TOS (0 references)
target prot opt source destination
Chain FAIRNAT_FORWARD (1 references)
target prot opt source destination
Chain FAIRNAT_IPP2PMARK (0 references)
target prot opt source destination
Chain FAIRNAT_POSTROUTING (0 references)
target prot opt source destination
Chain FAIRNAT_PREROUTING (0 references)
target prot opt source destination
Chain GUIINPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain IPSECBLUE (1 references)
target prot opt source destination
Chain IPSECRED (1 references)
target prot opt source destination
Chain LOG_DROP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
DROP all -- anywhere anywhere
Chain LOG_REJECT (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain NEWNOTSYN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
DROP all -- anywhere anywhere
Chain PEERGUARDFORWARD (0 references)
target prot opt source destination
Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.10 tcp dpt:5879
ACCEPT tcp -- anywhere 192.168.1.10 tcp dpt:5878
ACCEPT udp -- anywhere 192.168.1.10 udp dpt:5878
Chain PSCAN (5 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
LOG udp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
LOG icmp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
LOG all -f anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
DROP all -- anywhere anywhere
Chain REDFORWARD (1 references)
target prot opt source destination
Chain REDINPUT (1 references)
target prot opt source destination
Chain WIRELESSFORWARD (1 references)
target prot opt source destination
Chain WIRELESSINPUT (1 references)
target prot opt source destination
Chain XTACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere my.address.goes.here.com tcp dpt:ident
Chain ipac~fi (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~fo (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~i (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~o (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Code:
/$ iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
CUSTOMPREROUTING all -- anywhere anywhere
SQUID all -- anywhere anywhere
PORTFW all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
CUSTOMPOSTROUTING all -- anywhere anywhere
REDNAT all -- anywhere anywhere
SNAT all -- anywhere anywhere MARK match 0x1 to:192.168.1.1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain CUSTOMPOSTROUTING (1 references)
target prot opt source destination
FAIRNAT_POSTROUTING all -- anywhere anywhere
Chain CUSTOMPREROUTING (1 references)
target prot opt source destination
FAIRNAT_PREROUTING all -- anywhere anywhere
Chain FAIRNAT_ACK_TOS (0 references)
target prot opt source destination
Chain FAIRNAT_CHK_TOS (0 references)
target prot opt source destination
Chain FAIRNAT_FORWARD (0 references)
target prot opt source destination
Chain FAIRNAT_IPP2PMARK (0 references)
target prot opt source destination
Chain FAIRNAT_POSTROUTING (1 references)
target prot opt source destination
Chain FAIRNAT_PREROUTING (1 references)
target prot opt source destination
Chain PORTFW (1 references)
target prot opt source destination
DNAT tcp -- anywhere my.address.com tcp dpt:5879 to:192.168.1.10:5879
DNAT tcp -- anywhere my.address.com tcp dpt:5878 to:192.168.1.10:5878
DNAT udp -- anywhere my.address.com udp dpt:5878 to:192.168.1.10:5878
Chain REDNAT (1 references)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain SQUID (1 references)
target prot opt source destination
Code:
/$ iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PORTFWMANGLE all -- anywhere anywhere
FAIRNAT_PREROUTING all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
FAIRNAT_FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
FAIRNAT_POSTROUTING all -- anywhere anywhere
Chain FAIRNAT_ACK_TOS (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere TOS match !Normal-Service
TOS tcp -- anywhere anywhere length 0:256 TOS set Minimize-Delay
TOS tcp -- anywhere anywhere length 256:65535 TOS set Maximize-Throughput
RETURN all -- anywhere anywhere
Chain FAIRNAT_CHK_TOS (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere length 0:512
RETURN udp -- anywhere anywhere length 0:1024
TOS all -- anywhere anywhere TOS set Maximize-Throughput
RETURN all -- anywhere anywhere
Chain FAIRNAT_FORWARD (1 references)
target prot opt source destination
MARK all -- 192.168.1.10 anywhere MARK match 0x0 MARK set 0x64
MARK all -- 192.168.1.10 anywhere MARK match 0x1 MARK set 0x65
MARK all -- anywhere 192.168.1.10 MARK match 0x0 MARK set 0x64
MARK all -- anywhere 192.168.1.10 MARK match 0x1 MARK set 0x65
MARK all -- 192.168.1.11 anywhere MARK match 0x0 MARK set 0x6e
MARK all -- 192.168.1.11 anywhere MARK match 0x1 MARK set 0x6f
MARK all -- anywhere 192.168.1.11 MARK match 0x0 MARK set 0x6e
MARK all -- anywhere 192.168.1.11 MARK match 0x1 MARK set 0x6f
MARK all -- 192.168.1.12 anywhere MARK match 0x0 MARK set 0x78
MARK all -- 192.168.1.12 anywhere MARK match 0x1 MARK set 0x79
MARK all -- anywhere 192.168.1.12 MARK match 0x0 MARK set 0x78
MARK all -- anywhere 192.168.1.12 MARK match 0x1 MARK set 0x79
Chain FAIRNAT_IPP2PMARK (2 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK restore
RETURN all -- anywhere anywhere MARK match 0x1
MARK all -- anywhere anywhere ipp2p v0.7.2 --ipp2p --bit --apple --soul MARK set 0x1
CONNMARK all -- anywhere anywhere MARK match 0x1 CONNMARK save
Chain FAIRNAT_POSTROUTING (1 references)
target prot opt source destination
Chain FAIRNAT_PREROUTING (1 references)
target prot opt source destination
TOS icmp -- anywhere anywhere TOS set Minimize-Delay
TOS udp -- anywhere anywhere TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp spt:telnet TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp spt:ssh TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp spt:ftp TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp spt:ftp-data TOS set Maximize-Throughput
TOS tcp -- anywhere anywhere tcp dpt:telnet TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ssh TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ftp TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ftp-data TOS set Maximize-Throughput
FAIRNAT_CHK_TOS all -- anywhere anywhere TOS match Minimize-Delay
FAIRNAT_ACK_TOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/ACK
FAIRNAT_IPP2PMARK tcp -- anywhere anywhere
FAIRNAT_IPP2PMARK udp -- anywhere anywhere
Chain PORTFWMANGLE (1 references)
target prot opt source destination
MARK tcp -- 192.168.1.0/24 my.address.com tcp dpt:5879 MARK set 0x1
MARK tcp -- 192.168.1.0/24 my.address.com tcp dpt:5878 MARK set 0x1
MARK udp -- 192.168.1.0/24 my.address.com udp dpt:5878 MARK set 0x1
Most interesting is probably the mangle table.
Really, if you want to help out, just try MoBlock with Layer 7 services along with fairnat to see if it's working; if it does, then it's just a matter of figuring out how to compile for IPCop.
dedicated_firewall + peerguardian_like_program + fairnat_QoS = nirvana
Trying to trace these iptables rules takes forever, and is probably just a waste of time... but then again, you probably understand them better than me.
Thanks for your help

Last edited by /meth/usr : 03-22-2006 at 11:25 PM.