#44 Allow HTTP?

Project: PeerGuardian_Linux
Status: closed
Owner: jre-phoenix
Labels: HTTP (1)
Priority: 5
Updated: 2013-03-07
Created: 2013-02-19
Creator: Giorgos
Private: No

Hi! :-)

Is there any "Allow HTTP" option, like in PeerBlock?
The current settings are too restrictive and block most HTTP access.
On the other hand, I don't really want to mess with blocklists and whitelisting, because apart from blocking Firefox, they are OK for me.

Thanks!!! :-)

Discussion

  • jre-phoenix
    jre-phoenix
    2013-02-19

    You really should first mess with blocklists ;-P

    Set them up to your personal needs.

    I don't recommend whitelisting ports. Why? If you whitelist/allow a port (e.g. port 80 for HTTP), a malicious host may just listen on this port and thus you will be unprotected. (Yes, although port 80 is reserved for HTTP/web surfing, everybody is free to (mis)use it for their own purposes.)

    That having been said, the option that you asked for is
    WHITE_TCP_OUT="80"
    in /etc/pgl/pglcmd.conf. After setting it, you have to do a "pglcmd restart" once.

    Alternatively, use the GUI:
    pglgui
    - Configure
    - Whitelist
    - Add ("+")
    - Type "80" or "http", make sure "Port", "Outgoing" and "TCP" are checked
    - OK
    - If asked, give your root or user password

     
  • jre-phoenix
    jre-phoenix
    2013-02-19

    • status: open --> closed
    • assigned_to: jre-phoenix
    • priority: 8 --> 5
     
  • Giorgos
    Giorgos
    2013-02-20

    MANY THANKS jre-phoenix for your help!!! :-)

    I was thinking of adding a feature request for this task (as PeerGuardian had in the past on Windows, and ipblock on Linux), but you convinced me that it is a dangerous option.
    Still useful though, if you have Azureus (or any other client) running in the background and you need just a couple of minutes to open Firefox (or any other browser), e.g. to check your mail.

    PS1: I added the HTTP port whitelisting -> Apply -> Restart (with the required passwords) and nothing happened.

    I disabled PeerGuardian and re-enabled it in order to make it accept the whitelisting.

    PS2: Having the tbg/search-engines list enabled was blocking Google search and Gmail.
    After whitelisting port 80, I could access both again.
    After disabling the port 80 whitelisting, I still have access to both (always with tbg/search-engines enabled).
    Strange!

    THANKS AGAIN!!! :-)
    Giorgos.

     
  • jre-phoenix
    jre-phoenix
    2013-02-26

    ad PS1)
    With pglgui you don't need to restart, just "Apply".

    ad PS2)
    Once a NEW connection is established (during whitelisting), all later RELATED or ESTABLISHED connections will be automatically allowed. Perhaps that's the reason. Not sure though.

    To debug your issues please check the output of "sudo pglcmd status": there is an iptables rule for every whitelisting. Tell me if you need help interpreting these. A change of the whitelist setting triggers an immediate adjustment of the iptables rules. E.g. a removal of the outgoing TCP whitelisting for HTTP (port 80) triggers a removal of the following iptables rule in the iptables chain "pgl_out":
    XXX XXX RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

    Please check with this whether whitelisting works as it should.

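The check described in the post above (does every port in WHITE_TCP_OUT really have its RETURN rule in pgl_out?), written out as an added shell example. This is not code from pgl or from the thread participants; it assumes the pglcmd.conf line has the shape WHITE_TCP_OUT="80 443" and that the "pglcmd status" output has the iptables -L -n -v layout quoted in the post. Both inputs below are constructed fragments, not captures from a real system.

```shell
#!/bin/sh
# Added example, not part of pgl: compare the ports configured in
# WHITE_TCP_OUT with the RETURN rules actually present in the pgl_out chain.
# Assumption: conf line looks like  WHITE_TCP_OUT="80 443"
# Assumption: chain listing looks like the iptables -L -n -v output quoted above.

CONF=$(mktemp)
STATUS=$(mktemp)

# Constructed fragment of /etc/pgl/pglcmd.conf (not a real config).
cat > "$CONF" <<'EOF'
# whitelist outgoing TCP to http and https
WHITE_TCP_OUT="80 443"
EOF

# Constructed fragment of "sudo pglcmd status" output (not a real capture).
# Only port 80 has its RETURN rule: 443 is whitelisted on paper, not in the kernel.
cat > "$STATUS" <<'EOF'
Chain pgl_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
  123  9876 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
EOF

# Ports listed inside the quotes of WHITE_TCP_OUT, one per line.
conf_white_tcp_out() {
    sed -n 's/^WHITE_TCP_OUT="\([^"]*\)".*/\1/p' "$1" | tr ' ' '\n'
}

# Ports that have a "RETURN tcp ... dpt:PORT" rule in the chain listing.
active_tcp_out_ports() {
    awk '$3 == "RETURN" && $4 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
         }' "$1"
}

# Configured ports with no matching rule; empty output means the whitelist is live.
missing_tcp_out_rules() {
    for port in $(conf_white_tcp_out "$1"); do
        active_tcp_out_ports "$2" | grep -qx "$port" || echo "$port"
    done
}

echo "Active outgoing TCP whitelist rules:"
active_tcp_out_ports "$STATUS"
echo "Configured but missing from pgl_out:"
missing_tcp_out_rules "$CONF" "$STATUS"
# On a real system:
#   sudo pglcmd status > /tmp/pgl-status.txt
#   missing_tcp_out_rules /etc/pgl/pglcmd.conf /tmp/pgl-status.txt
```

Any port printed under "missing" is exactly the situation Giorgos describes in PS1: the setting is saved but the rule was never installed, and a "pglcmd restart" (or Apply in pglgui) is what should bring the two back in sync.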
     
  • Giorgos
    Giorgos
    2013-03-02

    Oh, I hadn't noticed it! :-)

    Everything is working OK!
    Indeed, I can see the RETURN tcp dpt:80.
    Every change from the GUI works correctly and is properly indicated in the status tables.

    I'm not sure what went wrong in the first place, but right now everything seems to be working properly.
    THANKS!!! :-)

     
  • Giorgos
    Giorgos
    2013-03-06

    Update:
    Well, I don't know!
    Sometimes the port 80 whitelisting works, sometimes not.
    I have whitelisted all port 80 TCP traffic (incoming, outgoing, forwarding).
    I can see it in the "Whitelist" window and also from a root konsole with "pglcmd status".
    Despite that, sometimes Firefox can connect, sometimes not (and I have to disable pgl in order to see a web page).

    And this behavior changes (from permitting to prohibiting the connection to a web server) without any intervention from me (and without any changes in the status).
    It's just a random phenomenon.
    Also, sorry for bothering you again! :-(
    I give up! I just don't know what's happening! :-)
    G.

     
  • jre-phoenix
    jre-phoenix
    2013-03-06

    Never mind, I hope you choose not to give up.

    I assume there is traffic on another port being blocked. Please check pgld.log ("tail -f /var/log/pgl/pgld.log" or in pglgui). There you see in real time whenever an IP is blocked, and you see on which port it was blocked (e.g. for an outgoing HTTP connection you would see:
    [YOUR IP] [SOME PORT NUMBER] [DESTINATION IP] [80] [OUTGOING]
    --> you need to whitelist WHITE_TCP_OUT=80 (which you have already done, of course).

    Most probably it is a secure connection on port 443.

    Incoming and forward connections should not need to be whitelisted.

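The log-reading step suggested above, as an added shell example (not pgl's code and not from the thread participants): it summarises which destination ports pgld blocked, per direction, so the port still missing from WHITE_TCP_OUT stands out instead of being guessed. The sample log lines are constructed in the shape jre-phoenix describes, [SRC IP] [SRC PORT] [DST IP] [DST PORT] [DIRECTION]; real pgld.log lines may be formatted differently, in which case the awk field numbers need adjusting.

```shell
#!/bin/sh
# Added example, not part of pgl: count blocked destination ports in pgld.log.
# Assumption: each line has the shape described in the post,
#   [SRC IP] [SRC PORT] [DST IP] [DST PORT] [DIRECTION]
# Adjust the awk fields if your pgld.log uses a different layout.

# Constructed sample log (not a real pgld.log). Port 80 is already whitelisted,
# so only a stray hit shows up for it; 443 is what keeps getting blocked.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[192.168.1.10] [49152] [203.0.113.5] [80] [OUTGOING]
[192.168.1.10] [49153] [203.0.113.5] [443] [OUTGOING]
[192.168.1.10] [49154] [198.51.100.7] [443] [OUTGOING]
[192.168.1.10] [49155] [198.51.100.7] [443] [OUTGOING]
[203.0.113.9] [6881] [192.168.1.10] [6881] [INCOMING]
EOF

# Print "DIRECTION PORT COUNT" for each blocked direction/port pair, most frequent first.
blocked_ports_summary() {
    tr -d '[]' < "$1" | awk '
        NF >= 5 { count[$5 " " $4]++ }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# The most frequently blocked OUTGOING port: the first candidate for WHITE_TCP_OUT.
top_blocked_out_port() {
    blocked_ports_summary "$1" | awk '$1 == "OUTGOING" { print $2; exit }'
}

blocked_ports_summary "$SAMPLE_LOG"
echo "Most blocked outgoing port: $(top_blocked_out_port "$SAMPLE_LOG")"
# On a real system: blocked_ports_summary /var/log/pgl/pgld.log
```

Incoming hits (like the 6881 line here) are expected for a running BitTorrent client and, as the post says, need no whitelisting; the outgoing column is the one that explains a browser that "sometimes" works, since a page served over HTTPS fails while a plain HTTP page on the same list loads.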
     
  • Giorgos
    Giorgos
    2013-03-07

    Oops! I totally forgot about whitelisting the secured connections! :-(
    It seems like that is what this was all about.
    Let me test it for a while, and if the problem persists, I'll be back.

    THANKS AGAIN!!! :-)
    G.