pgl-FAQ

jre-phoenix

Frequently Asked Questions

I cannot connect to the internet any more!

pgl may block your complete LAN, including your router, gateway and/or DNS server. Normally this traffic is whitelisted automatically as long as you keep the default setting WHITE_LOCAL="1". But if you have problems, follow these instructions:

You have to whitelist your LAN. If you don't know your local IP, check it with "ip addr" (no root needed). It's the value after "inet" of the interface that you use for networking; the number after the slash (e.g. "/24") is the prefix length and tells you how big your subnet is. For wired connections the interface might be "eth0", for wireless connections "wlan0".

Example: You found out that your IP is 192.168.0.39/24. Then your LAN covers the IP range 192.168.0.0-192.168.0.255, written as 192.168.0.0/24. You need to whitelist this range for incoming and outgoing connections.

Edit /etc/pgl/pglcmd.conf and add these lines:

WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24"

Do a

sudo pglcmd restart

when you have changed these settings.
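Working out the range by hand is easy to get wrong when the prefix is not /24. The following script is an added example, not part of pgl or its documentation: it derives the network address from the "address/prefix" that "ip -o -4 addr show" prints and emits the two pglcmd.conf lines. The "ip" output embedded in it is a constructed sample, and the interface names and the one-line "-o" output format are assumptions about your system.

```sh
#!/bin/sh
# Added example (not shipped with pgl): derive WHITE_IP_IN/WHITE_IP_OUT for the
# subnet(s) of your own interfaces from the output of "ip -o -4 addr show".

# cidr_network ADDR/PREFIX -> NETWORK/PREFIX, e.g. 192.168.0.39/24 -> 192.168.0.0/24
cidr_network() {
    addr=${1%/*}
    prefix=${1#*/}
    oldifs=$IFS; IFS=.
    set -- $addr                                   # split into the four octets
    IFS=$oldifs
    ip_int=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF ))   # prefix ones, then zeros
    net=$(( ip_int & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# lan_cidrs: read "ip -o -4 addr show" lines on stdin and print one NETWORK/PREFIX
# per address on a non-loopback interface (field 2 = interface, field 4 = addr/prefix)
lan_cidrs() {
    while read -r num iface fam cidr rest; do
        [ "$fam" = inet ] || continue
        [ "$iface" != lo ] || continue
        cidr_network "$cidr"
    done
}

# pglcmd_lan_lines: same input, prints the two lines to put into /etc/pgl/pglcmd.conf
pglcmd_lan_lines() {
    nets=$(lan_cidrs | tr '\n' ' ')
    nets=${nets% }                                 # drop the trailing space
    printf 'WHITE_IP_IN="%s"\nWHITE_IP_OUT="%s"\n' "$nets" "$nets"
}

# Constructed sample of "ip -o -4 addr show" output (one line per address).
# On a real machine use:  ip -o -4 addr show | pglcmd_lan_lines
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.39/24 brd 192.168.0.255 scope global eth0\       valid_lft forever preferred_lft forever'

printf '%s\n' "$SAMPLE_IP_OUTPUT" | pglcmd_lan_lines
```

The loopback address is skipped because pgl already treats it as local, and every other interface's subnet is listed; if you only want one interface, pipe "ip -o -4 addr show dev eth0" instead. Compare the result with the ranges in the "WHITE_LOCAL" output of "pglcmd show_config" before you add it, so you do not whitelist more than you intend.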

Some applications cannot connect to the internet any more!

There are several possibilities to solve your problems:

  • Use less or other blocklists
  • Whitelist IPs
  • Whitelist ports
  • Advanced whitelisting

For each possibility you can learn how to do it in another question here on the page. But now, which is the best solution for you?

Generally you should first decide on the correct set of blocklists. The default setting is quite paranoid, so you may choose fewer blocklists.

Now, if you need to allow (whitelist) certain traffic, it depends on the application that has problems: If the application only needs to connect to one or a few servers, with fixed IPs, then you should whitelist IPs. There are also some allow lists (e.g. for some games) e.g. on iblocklist.com.

But if you want to connect to many other computers, where you don't know the IP, or where the IPs may even change frequently, then you may do port whitelisting. Keep in mind that a whitelisted port is no longer checked at all: blocklisted hosts can reach you, and you can reach them, on that port. Whitelisting ports is NOT recommended.

pgl closed the port for my torrent client. How do I open it again?

Don't do that! Why did you install pgl? Probably to check your torrent client's traffic. Right!? So you must not open that port. Otherwise you could just uninstall pgl, the effect would be nearly the same.

pgl does not close ports, but it blocks traffic for certain IPs. Very simple explanation: internet traffic is between IPs (your IP and another IP) and it uses ports (like roads, where most applications/services have their own designated road). So on the same port some traffic from good IPs is allowed, and some from bad IPs is blocked. So you could just ignore the "closed port" warning.

What happens on your side is that your torrent client tells a test host to try to connect to you. Now, probably this test host is in the blocklist, so it gets blocked. This does not necessarily imply that this test host is evil, because pgl has quite a paranoid default blocklist setup.

Solution 1: Only choose these blocklists that you really want to use.

Solution 2: Check the logfile in pglgui while you do the port check in azureus. Some IP should get blocked then. Just allow this IP.

How do I find out which IP or port was blocked?

To learn what gets blocked I recommend that you use pglgui. There you see live every blocked IP and you can whitelist it directly with a right-click.

Otherwise follow the logfile live with

tail -f /var/log/pgl/pgld.log

There you can see which IP gets blocked, on which port, which protocol and in which direction. With this information you can do the whitelisting that is described in other questions here.

How do I choose what blocklists to use?

To find out which blocklist is responsible for a blocked packet, have a look at the range description of the blocked packet in pglgui or in /var/log/pgl/pgld.log. Then issue

pglcmd search DESCRIPTION

This will give you the name of the blocklist.

You can learn more about available blocklists in README.blocklists or on http://iblocklist.com/.

When you have decided which blocklists you want to use you edit /etc/pgl/blocklist.list. Uncomment the blocklists, that is, remove the hash (#) to enable certain blocklists or comment them out by adding a hash before the blocklists to disable them.

Do a

sudo pglcmd reload

when you have changed these settings.

How can I allow (whitelist) traffic on certain ports?

If the IP address that your application is trying to reach is in the blocklist, it will be blocked. But you can allow traffic for specific ports. Keep in mind that pgl then no longer checks any traffic on these ports, so malicious hosts may abuse them for their own purposes. Whitelisting ports is NOT recommended.
Many people whitelist the outgoing http (80) and https (443) ports to make web surfing easier. To allow traffic on ports, edit /etc/pgl/pglcmd.conf and add/edit e.g. this line:

WHITE_TCP_OUT="http https"

Do a

sudo pglcmd restart

when you have changed these settings.

See? In the above example ports 80 and 443 (also called http and https) are configured for outgoing connections. In effect, you can browse blocked IPs with Firefox, Konqueror or any other browser. If you have an application that connects to many different IPs, then this is the place to allow traffic for it. If you want to put a range of ports, use the format "startport:endport".

For the names and numbers of well-known ports have a look at the list of port numbers on Wikipedia.

Do not add the privacy needing application's port here (for most people this will be torrent and other P2P tools)! It's the point of pgl to check their traffic. Keep the list small, to get a better protection.

How can I allow (whitelist) traffic to certain IPs?

Use pglgui and right-click on the blocked IPs. And you're done.

Or find out what you want to whitelist by checking /var/log/pgl/pgld.log. This command shows you the log in real time:

tail -f /var/log/pgl/pgld.log

There are 3 different ways:

Whitelist an IP range in allow.p2p

This is also the correct place for allow lists!

Edit /etc/pgl/allow.p2p. If you want to whitelist the IP range "192.168.178.1 - 192.168.178.255" and the IP 123.123.123.123, add this:

192.168.178.1-192.168.178.255
123.123.123.123-123.123.123.123

Do a

sudo pglcmd restart

when you have changed these settings.

Whitelist an IP

Edit /etc/pgl/pglcmd.conf. To whitelist IPs add the following variables:

WHITE_IP_IN=""
WHITE_IP_OUT=""
WHITE_IP_FWD=""

Insert e.g. "192.168.178.1" to whitelist a single IP, or e.g. "192.168.178.0/24" to whitelist an IP range (192.168.178.0 - 192.168.178.255) or e.g. "192.168.0.0/16" to whitelist a bigger IP range (192.168.0.0 - 192.168.255.255)

Separate IP addresses with a whitespace. So you might have an entry like this:

WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24 123.123.123.123 234.234.234.234"

Do a

sudo pglcmd restart

when you have changed these settings.

pglgui uses these variables to permanently allow IPs.

Use a search phrase

You can also use a search phrase, such as Google, Hotmail, or an actual IP address range (as specified in the blocklists). Add the following variable to /etc/pgl/pglcmd.conf:

IP_REMOVE=""

Separate phrases with a semicolon. So you might have an entry like this:
IP_REMOVE="google;yahoo;altavista"

Do a

sudo pglcmd reload

when you have changed these settings.

How can I allow (whitelist) traffic for a combination of IPs, ports, or applications?

This is advanced stuff, and you won't find a complete answer here, sorry!

You can specify your own iptables rules in /etc/pgl/iptables-custom-insert.sh. So you can whitelist any combination of ports, IPs, and traffic that originates from certain local users (the iptables "owner" match, which works for outgoing traffic only). Please note that netfilter cannot match traffic by the application that sends it. This is a concept from the MS Windows world, and not available in the Linux firewall; the closest you get is matching on the user account the application runs as.

pgl ships a file iptables-custom-insert.sh that contains some examples.
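As an added example of what such a file can contain (this is not the example file pgl ships, and it does not touch your firewall by itself), the script below builds iptables ACCEPT rules for three cases that are narrower than whitelisting a whole port: one host plus one port, one local user plus one port (the owner match, OUTPUT chain only), and one local service reachable from one subnet only. It only prints the commands; review them and paste the ones you want into /etc/pgl/iptables-custom-insert.sh. The addresses, the user name "alice" and the assumption that a rule inserted at position 1 of INPUT/OUTPUT is evaluated before the jump into pgl's own chains are mine, not the project's; confirm the order on your machine with "iptables -S INPUT" and "iptables -S OUTPUT" after a restart.

```sh
#!/bin/sh
# Added example (not pgl's own iptables-custom-insert.sh): print iptables ACCEPT
# rules for IP/port/user combinations that the WHITE_* variables cannot express.
# Nothing is applied; paste the reviewed output into /etc/pgl/iptables-custom-insert.sh.
# Assumption: "-I INPUT 1" / "-I OUTPUT 1" places the rule before the jump into
# pgl's chains (verify with: iptables -S OUTPUT).

# is_ipv4 ADDR[/PREFIX]: 0 if a dotted quad with an optional prefix length 0..32
is_ipv4() {
    case $1 in
        ''|*[!0-9./]*|.*|*.|*/|/*|*/*/*) return 1 ;;
    esac
    case $1 in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1;      prefix=32 ;;
    esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1   # empty octet fails too
    done
}

# is_port PORT or START:END (iptables --dport syntax): 1..65535 and START <= END
is_port() {
    case $1 in
        ''|*[!0-9:]*|:*|*:|*:*:*) return 1 ;;
    esac
    start=${1%%:*}; end=${1##*:}
    [ "$start" -ge 1 ] || return 1
    [ "$end" -le 65535 ] || return 1
    [ "$start" -le "$end" ]
}

# is_proto PROTO: only tcp and udp carry a port for --dport
is_proto() { [ "$1" = tcp ] || [ "$1" = udp ]; }

# allow_host_port PROTO ADDR[/PREFIX] PORT[:PORT]: outgoing traffic to one destination only
allow_host_port() {
    is_proto "$1" || { echo "allow_host_port: bad protocol '$1'" >&2; return 1; }
    is_ipv4 "$2"  || { echo "allow_host_port: bad address '$2'" >&2; return 1; }
    is_port "$3"  || { echo "allow_host_port: bad port '$3'" >&2; return 1; }
    printf 'iptables -I OUTPUT 1 -p %s -d %s --dport %s -j ACCEPT\n' "$1" "$2" "$3"
}

# allow_user_port USER PROTO PORT[:PORT]: everything USER sends to PORT, any destination
# (the owner match looks at the sending process, so it exists for OUTPUT only)
allow_user_port() {
    is_proto "$2" || { echo "allow_user_port: bad protocol '$2'" >&2; return 1; }
    is_port "$3"  || { echo "allow_user_port: bad port '$3'" >&2; return 1; }
    printf 'iptables -I OUTPUT 1 -m owner --uid-owner %s -p %s --dport %s -j ACCEPT\n' "$1" "$2" "$3"
}

# allow_service_from SOURCE[/PREFIX] PROTO PORT: a local service reachable from one subnet,
# narrower than WHITE_TCP_IN="PORT", which would open the port to blocklisted hosts as well
allow_service_from() {
    is_ipv4 "$1"  || { echo "allow_service_from: bad source '$1'" >&2; return 1; }
    is_proto "$2" || { echo "allow_service_from: bad protocol '$2'" >&2; return 1; }
    is_port "$3"  || { echo "allow_service_from: bad port '$3'" >&2; return 1; }
    printf 'iptables -I INPUT 1 -p %s -s %s --dport %s -j ACCEPT\n' "$2" "$1" "$3"
}

# Demo with constructed values: 203.0.113.0/24 is documentation address space, "alice" is made up
allow_host_port    tcp 203.0.113.10 443
allow_user_port    alice tcp 443
allow_service_from 192.168.0.0/24 tcp 22
```

Each rule only accepts what the WHITE_* variables would have opened far wider: the first one lets you reach a single blocklisted server on one port instead of the whole port, and the last one answers the "my sshd is unreachable" question below without WHITE_TCP_IN="22". The validation rejects a malformed entry before it turns into a broken or unexpectedly broad iptables rule.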

Some services (avahi, webmin, ftpd, sshd, ...) on my pgl machine aren't available to other machines any more!

If you want to connect only from a few hosts with specific IPs, you can allow all traffic from them by using the WHITE_IP_IN variable or /etc/pgl/allow.p2p.

If there are too many machines, then allow all traffic to the port that the service is listening on for INCOMING connections. Remember that this opens the port to blocklisted hosts as well.

Edit /etc/pgl/pglcmd.conf. E.g. for ssh, allow all incoming traffic on port 22:

WHITE_TCP_IN="22"

Is it possible to specify a network interface where pgl operates on?

You can use the variable INTERFACES in /etc/pgl/pglcmd.conf. You can set it either to "all", or only to specific interfaces, e.g. "eth0 wlan0".

My internet is slow since I installed pgl!

Indeed pgl blocks quite a lot of traffic: that's its purpose, but it can be a pain, too. In default installations outgoing traffic that pgl blocks is REJECTed. This makes sure that the sending application is notified immediately (by an ICMP error or a TCP reset) that its traffic was blocked; with DROPped packets no notification is sent, so the application waits for a timeout and then gives up, which is what feels like a slow connection. So verify via

pglcmd show_config

if you have these settings:

REJECT="1"
REJECT_OUT="REJECT"

You also might reduce the number of used blocklists, and allow traffic to certain IPs. Have a look at the previous questions to learn how.

Now, if pgl really uses up system resources you may try increasing the default socket receive/send buffer sizes. Note that "sysctl -w" only lasts until the next reboot, which is why the setting should go into a file that is run at every start; add this to your system's config (you may use /etc/pgl/insert.sh if you don't know a better file):

sysctl -w net.core.rmem_default=8388608
sysctl -w net.core.wmem_default=8388608

How do I keep it installed, without having it run at startup?

Use pglgui and untick "Start PeerGuardian at system boot".

Or edit /etc/pgl/pglcmd.conf and set the following:

INIT="0"

What happens when I install pgl the first time?

In Debian and compatible systems (Ubuntu) you will first be prompted to configure pglcmd via some so-called "debconf" questions. Then it will download some blocklists for you during installation (be patient, this may take a while), and start it as a daemon. Now it will start automatically every time you boot up and make a daily update of the blocklists, unless you configure pglcmd otherwise.

On other systems you may need to add pgl to your init system first if you want to use the automatic start. TODO: add documentation. On its first start (of the daemon, not just the GUI) pgl will download some blocklists for you (be patient, this may take a while).

I tried to install pgl but I'm stuck on a screen with a pglcmd warning!

Only relevant on Debian and compatible systems (Ubuntu). This is a so-called "debconf" question. Read the text and confirm by pressing "OK". If your debconf interface doesn't support your mouse, then you have to use your keyboard: hit the "TAB" key until "OK" is highlighted and then press "RETURN".
You may also do a "sudo dpkg-reconfigure debconf" and select "Gnome" as your interface. Then you can use your mouse for debconf questions.

I have a custom compiled kernel. pgl does not work!

pgld depends on netfilter support in the kernel: pglcmd inserts iptables rules that hand packets to pgld via the NFQUEUE target, so besides the basic netfilter/iptables options your kernel needs NFQUEUE support (in current kernels CONFIG_NETFILTER_NETLINK_QUEUE and CONFIG_NETFILTER_XT_TARGET_NFQUEUE). There are two possibilities:

Netfilter support as kernel modules (recommended): Enable netfilter support as modules (M) in xconfig, or in the kernel source config file. pglcmd then loads the modules it needs when it starts.

Netfilter support built-in directly in the kernel: Enable netfilter support as built-in (Y) in xconfig, or in the kernel source config file.

pglcmd will then make sure that the netfilter support is available to pgld. If it still fails, /var/log/pgl/pglcmd.log shows which iptables rule or module could not be set up.

How do I change automatic updating?

pgl automatically updates its blocklists every day. You can untick this option in pglgui.

Or edit /etc/pgl/pglcmd.conf. The number in the following setting enables (1) or disables (0) automatic updating.

CRON="1"

To disable automatic updating, set the following.

CRON="0"

pgl fails to start or stop!

Have a look at /var/log/pgl/pglcmd.log and /var/log/pgl/pgld.log. In most cases an incorrect configuration option is the reason. If you don't understand the logfiles post them in the support or bug tracker.

I messed things up in the configuration!

On Debian and compatible systems (Ubuntu) you can make a clean reinstall:

sudo apt-get purge pgld pglcmd pglgui
sudo apt-get install pgld pglcmd pglgui

Related

Wiki: pgl-Main