[Feature Request] PeerGuardian CLI $$

Help on building IPFire & Feature Requests
apoptosis
Posts: 5
Joined: March 2nd, 2014, 11:44 am

[Feature Request] PeerGuardian CLI $$

Post by apoptosis » March 2nd, 2014, 12:58 pm

So I just made a big mistake.  I thought ipfire supported blocklists like PeerGuardian, PeerBlock, Moblock, pfBlock, IPList.  However, I misread Guardian's URL blocklists to be this feature.  I ended up buying hardware and installing ipfire, only to find out I was wrong.

Then I was like okay, I will just run PeerGuardian CLI like on Arch Linux:

https://wiki.archlinux.org/index.php/PeerGuardian_Linux

Only to discover that ipfire does not use rpm or deb packaging and instead uses pakfire.

Ok, so I will download and build myself so I downloaded the source at sourceforge:

http://sourceforge.net/projects/peergua ... n%20Linux/

I want a command line only "slick" installation with

./configure --without-qt4 --disable-dbus

Only to discover ipfire doesn't come with gcc, and you must build ipfire from scratch if you want to add a package like this.

At this point I don't have a Linux system handy to do the ipfire build and make my own pakfire package, nor the know-how to do a good pakfire package.

I am willing to pay a bounty over PayPal for anyone who makes a pgl-cli-2.2.4 pakfire package and makes it available to everyone...

$20 - For just command line integration.  The ipfire web console doesn't need an interface.

$50 - For a full blown web interface where you can set up and schedule downloads of blocklists.

pfSense has pfBlock; however, I am already invested in ipfire and like Linux better than BSD.  ipfire really needs this feature and I am willing to contribute this money to get it done.

burningpenguin
Posts: 173
Joined: December 5th, 2012, 7:37 pm

Re: [Feature Request] PeerGuardian CLI $$

Post by burningpenguin » March 2nd, 2014, 2:55 pm

Well, an easy way if you are worried about HTTP-based blocking is to write a script downloading and translating the files to be used in URLFilter. Downloading would be based on wget and an fcron job. The translation of the files to plain IP/URL should also not be rocket science as long as you do not need the classification which is inside the files. If the files are stored in a dedicated folder on ipfire these would also be "selectable" via the URLFilter webui.

But anyway I guess you want to not only block URLs but IPs for all sort of traffic.

I am not sure whether the new Firewall of ipfire 2.15 would help you.
http://forum.ipfire.org/viewtopic.php?t=9

cheers

apoptosis
Posts: 5
Joined: March 2nd, 2014, 11:44 am

Re: [Feature Request] PeerGuardian CLI $$

Post by apoptosis » March 2nd, 2014, 4:05 pm

I am not worried about HTTP blocking at all.  I am worried about blocking major portions of the internet for all protocols, based on dynamic blocklists that I do not have to maintain, because they are maintained by others already.

AKA I want to subscribe to IP block lists.  ipfire can already subscribe to web proxy block lists via squid with Guardian, but this is not what I need.
Last edited by apoptosis on March 2nd, 2014, 4:07 pm, edited 1 time in total.

burningpenguin
Posts: 173
Joined: December 5th, 2012, 7:37 pm

Re: [Feature Request] PeerGuardian CLI $$

Post by burningpenguin » March 2nd, 2014, 9:56 pm

Hi
I guess the solution is this here
http://wiki.ipfire.org/en/configuration/firewall/firewall.local

Try this
.... currently manually - no scripting yet

1) Create a local file with various IPs to be blocked for out/in traffic, e.g. /etc/sysconfig/blacklistmalc0de
with data from http://malc0de.com/bl/IP_Blacklist.txt

Code: Select all

wget -O - http://malc0de.com/bl/IP_Blacklist.txt > /etc/sysconfig/blacklistmalc0de


2) Remove all non-IPs

Code: Select all

# write to a temp file first: redirecting straight back into the input file truncates it before egrep reads it
egrep -v '(^[[:space:]]*/|^[[:space:]]*$)' /etc/sysconfig/blacklistmalc0de > /etc/sysconfig/blacklistmalc0de.tmp && mv /etc/sysconfig/blacklistmalc0de.tmp /etc/sysconfig/blacklistmalc0de


3) change the config

Code: Select all

 nano /etc/sysconfig/firewall.local


4) in my case it looks like

Code: Select all

#!/bin/sh
# Used for private firewall rules

# one IP address (or network) per line
BLACKLIST="/etc/sysconfig/blacklistmalc0de"

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        #iptables -A CUSTOMINPUT -s 222.186.30.110 -j DROP
        # one DROP rule per entry in the blacklist file
        for IP in $(cat "$BLACKLIST"); do
         iptables -A CUSTOMINPUT -s "$IP" -j DROP
         #echo "dropping $IP ..."
        done
        ;;
  stop)
        ## add your 'stop' rules here
        #iptables -D CUSTOMINPUT -s 222.186.30.110 -j DROP
        # remove the same rules again
        for IP in $(cat "$BLACKLIST"); do
         iptables -D CUSTOMINPUT -s "$IP" -j DROP
         #echo "no longer dropping $IP ..."
        done
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac


5) Reload the firewall

Code: Select all

/etc/init.d/firewall reload



This should work - on my box it takes quite some time to reload the firewall - so there might still be something wrong here  :-\

Let me know

cheers
Last edited by burningpenguin on March 2nd, 2014, 10:12 pm, edited 1 time in total.

apoptosis
Posts: 5
Joined: March 2nd, 2014, 11:44 am

Re: [Feature Request] PeerGuardian CLI $$

Post by apoptosis » March 2nd, 2014, 10:54 pm

I appreciate the effort for a work around but this is not what I am looking for.

1) I need something that uses the format from this site:

https://www.iblocklist.com/lists.php

you can read about the format here:

http://en.wikipedia.org/wiki/PeerGuardian

The reason for this is the community around this.

2) It's more complicated than you think.  There are block lists, then there are allow lists.  So you block huge ranges, but then allow, say, a Steam or Blizzard list.

3) I have a networking friend who tried to make iptables do what you are doing.  He ran into the same problem.  iptables is not built for millions of rules, and is slow.  I don't know the details but I think PeerGuardian is a different breed of firewall.

4) I am fine with running both firewalls; all I really need is to run the PeerGuardian command line on my ipfire machine.  It can run alongside iptables.

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: [Feature Request] PeerGuardian CLI $$

Post by BeBiMa » March 3rd, 2014, 1:06 pm

First: PeerGuardian also uses iptables!
Second: I do not understand yet why you want to use PeerGuardian as opposed to Snort/Guardian. What is the difference?
Third: What about the criticism?
wikipedia wrote: Other criticism: Besides the original criticism of Version 1 being slow and buggy, most other criticism of PeerGuardian is around the actual technique used to block peers. Critics have pointed out that the blocklists are open to the public, and thus parties who may wish to circumvent PeerGuardian can actively check the list to see if their IP addresses have been blocked.
The blocklists are also managed by the public, but there is no fool-proof method on checking or reporting why an IP address or range are bad, nor on checking if the blocked IP addresses still remain bad. The list relies on the public to make submissions, and thus is vulnerable to attack itself (see above section on blocklist management issues).
Vista 64 bit and Windows 7 64 bit are listed for application compatibility, but require a work around involving disabling driver signing that may require some degree of computer skill.
Unitymedia Cable Internet ( 32MBit )

apoptosis
Posts: 5
Joined: March 2nd, 2014, 11:44 am

Re: [Feature Request] PeerGuardian CLI $$

Post by apoptosis » March 3rd, 2014, 2:01 pm

It appears you're right about it using iptables:

http://sourceforge.net/p/peerguardian/w ... Technical/

However, I have also seen people talk about different IP lists that are binary trees:

http://www.maeyanie.com/2008/12/efficie ... blocklist/

Maybe iptables will work...

Snort is an IDS, so it only logs potential threats; Guardian turns it into an IPS where it will block IPs for a while where Snort rules match.  Snort is packet inspection.

What I want is to block by IP address based on these lists people make.  These lists are hacks; they are like "Block all of China", "Block all universities", "Block this list of known P2P police".  These lists change all the time and are quite large, which makes automation really the only route.

Your last point just points out a potential flaw.  That doesn't mean it's not a worthwhile thing to do.  Security is always a fuzzy process.  There is no secure and not secure, but degrees of security.

Not to mention, if it wasn't a valid thing to do, why would so many people be doing it, and why would pfSense be able to do it?  I am not saying this should be on by default, I just want the option to install it.

burningpenguin
Posts: 173
Joined: December 5th, 2012, 7:37 pm

Re: [Feature Request] PeerGuardian CLI $$

Post by burningpenguin » March 3rd, 2014, 3:35 pm

Anyway - I guess the suggested way of amending iptables works - at least for me. I can add all sorts of IPs to the blacklist via some bash commands and even automate it with fcron.
The more important questions are in which direction to block these malicious IPs and what the correct syntax is.

1) What I suggested is for CUSTOMINPUT only, but should the rules not be duplicated for CUSTOMOUTPUT? Is there anybody who could please give some advice here? The wiki does not have too much info about this.

2) Also, is there a best practice for the number of IPs in iptables? At the moment my bash script adds about 7000 IPs to be blocked. Reloading the firewall takes quite some time on my Core2Duo E6550.

cheers

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: [Feature Request] PeerGuardian CLI $$

Post by BeBiMa » March 3rd, 2014, 3:48 pm

Sorry, but I didn't understand your intention.

Do you want to block access from outside for certain IP groups? This is done by the "normal" firewall in IPFire already. Being a stateful packet inspection firewall, only packets belonging to connections initiated from inside are allowed to pass. This includes most "IPs from China" etc.
To supplement this, there's the possibiltiy to block the establishment of connections by firewall rules and the Squid redirector URLFilter.
I bet, most of the unwanted traffic can be suppressed by this means.

There remain the cases where malware establishes connections to unwanted targets. Partly you can minimize this by antivirus scanners (clamav in IPFire). But the problem with this sort of software is not mainly the access to the network, but the access to the clients. Therefore you need a security strategy for the inside as well, which solves this mostly.
Unitymedia Cable Internet ( 32MBit )

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: [Feature Request] PeerGuardian CLI $$

Post by BeBiMa » March 3rd, 2014, 4:02 pm

A more basic topic.

You cannot really block requests to your network. The source of the request isn't controlled by you.
Therefore, despite all firewall/IPS systems, the requests from unwanted sites reach your WAN side.
All attempts to suppress these accesses can't achieve more than the SPI method, but consume many more resources on your system.
Unitymedia Cable Internet ( 32MBit )

burningpenguin
Posts: 173
Joined: December 5th, 2012, 7:37 pm

Re: [Feature Request] PeerGuardian CLI $$

Post by burningpenguin » March 3rd, 2014, 4:07 pm

Fair enough - so the remaining challenge is if one PC in the LAN is hijacked or infected and connecting to a botnet or whatever server.
Of course there is ClamAV working in ipfire (but not IDS/Snort), as well as antivirus software on each LAN client; nevertheless, to be on the safe side I would like to block LAN outgoing traffic to the internet.
Applying the config above I can at least not access these IPs, and in the webui the packets are counted correctly as CUSTOMINPUT dropped.

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: [Feature Request] PeerGuardian CLI $$

Post by BeBiMa » March 3rd, 2014, 4:37 pm

burningpenguin wrote: Fair enough - so the remaining challenge is if one PC in the LAN is hijacked or infected and connecting to a botnet or whatever server.
Of course there is ClamAV working in ipfire (but not IDS/Snort), as well as antivirus software on each LAN client; nevertheless, to be on the safe side I would like to block LAN outgoing traffic to the internet.
Applying the config above I can at least not access these IPs, and in the webui the packets are counted correctly as CUSTOMINPUT dropped.


Your solution uses the possibilities of iptables for an "outgoing/forward blacklist firewall" very well.
If the syntax of these blacklists is known, you can just do that.

But with big files there is a timing problem (you observed that). Each rule definition calls iptables, which restarts with the new rule set. For a greater number of changes, the iptables-save/iptables-restore mechanism, with the changes made by a Perl script using the IPTables module, would be more convenient.
Unitymedia Cable Internet ( 32MBit )

apoptosis
Posts: 5
Joined: March 2nd, 2014, 11:44 am

Re: [Feature Request] PeerGuardian CLI $$

Post by apoptosis » March 3rd, 2014, 6:50 pm

So I get that this could be done with existing iptables and some scripts for scheduling downloads, parsing, and updating iptables.

I also appreciate you guys looking into this.

However, I don't understand going through all that trouble when there is already a popular, supported Linux program that does it.  Wouldn't it be much easier to just build the pgl package?

This is why I was offering such a low bounty; I thought this was just a build-a-package problem that could be solved in a few hours by someone who was set up with an ipfire build.

Not sure what the objection is to offering additional packages...

burningpenguin
Posts: 173
Joined: December 5th, 2012, 7:37 pm

Re: [Feature Request] PeerGuardian CLI $$

Post by burningpenguin » March 3rd, 2014, 9:11 pm

Hi
attached is a script you might try - just run it via bash after unpacking it.

Code: Select all

scriptblacklistip.sh


The script gets the IP blacklists from
www.malc0de.com
www.openbl.org  - the 90 days blocklist
zeustracker.abuse.ch

So this is just a PoC - proof of concept.
- download the files
- remove comments, #, /, etc
- sort | uniq
- add to tmp file
- reload firewall

Preconditions as in the manual example above

Code: Select all

 nano /etc/sysconfig/firewall.local


Change to

Code: Select all

#!/bin/sh
# Used for private firewall rules

# one IP address (or network) per line, written by the download script
BLACKLIST="/etc/sysconfig/blacklist"

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        #iptables -A CUSTOMINPUT -s 222.186.30.110 -j DROP
        # one DROP rule per entry in the blacklist file
        for IP in $(cat "$BLACKLIST"); do
         iptables -A CUSTOMINPUT -s "$IP" -j DROP
         #echo "dropping $IP ..."
        done
        ;;
  stop)
        ## add your 'stop' rules here
        #iptables -D CUSTOMINPUT -s 222.186.30.110 -j DROP
        # remove the same rules again
        for IP in $(cat "$BLACKLIST"); do
         iptables -D CUSTOMINPUT -s "$IP" -j DROP
         #echo "no longer dropping $IP ..."
        done
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac


Let me know whether this does the trick for you.
Note, this will add about 10,000 IPs to be blocked for traffic from LAN/green+blue => WAN/Internet/red. Also this might take some time to reload - so at your own risk. It does work nicely on my ipfire.

Check the webui FIREWALL/IPTABLES to see the IPs added to block sending data to.

If this is running for you I might improve the script and add it to the how-to or wiki.

cheers

burningpenguin
Posts: 173
Joined: December 5th, 2012, 7:37 pm

Re: [Feature Request] PeerGuardian CLI $$

Post by burningpenguin » March 4th, 2014, 8:31 pm

Nobody brave enough to give this script a try?
It works fine for me and it adds security, especially in case a PC within the LAN is hijacked / infected / etc.
