Package Details: pgl-cli 2.3.1-1

Git Clone URL: https://aur.archlinux.org/pgl-cli.git (read-only)
Package Base: pgl-cli
Description: A privacy oriented firewall application (Daemon & CLI).
Upstream URL: http://sourceforge.net/projects/peerguardian/
Licenses: GPL3
Conflicts: pgl, pgl-git
Provides: pgl
Submitter: Gilrain
Maintainer: Gilrain
Last Packager: Gilrain
Votes: 27
Popularity: 0.003494
First Submitted: 2011-08-25 13:04
Last Updated: 2016-01-14 14:34

Latest Comments

jre commented on 2016-01-22 00:57

Patches are of course always welcome. However please note that we are currently finally working on the code touching /tmp. When we're done /tmp will only be touched by pglcmd.

Gilrain commented on 2016-01-21 20:46

> The package tries to install /tmp with different permissions.

That's an upstream problem: compiling the software creates a bunch of (unnecessary) standard directories. Feel free to look at the source's makefiles and submit a patch.

bo0ts commented on 2016-01-21 17:57

The package tries to install /tmp with different permissions.

pacman -Ql pgl-cli | grep tmp
pgl-cli /tmp/

graysky commented on 2015-05-04 19:32

Crazy. It's working now.. must be gremlins.

Gilrain commented on 2015-05-04 19:30

No problems here on an up to date system (same kernel).

graysky commented on 2015-05-04 19:18

Under linux 4.0.1-1-ARCH, pgl fails with this in the log:
Error 170: Could not load kernel module xt_NFQUEUE, not starting pgld! ... failed!

Thoughts? Upstream bug?

pientro commented on 2015-03-07 08:38

Please add arch=('armv7h') ...

It works!

graysky commented on 2015-01-25 21:50

It's just systemd that needed to be present in addition to your others. I think only base-devel and anything it drags down are not needed.

graysky commented on 2015-01-25 20:42

It's just systemd that needed to be present in addition to your others. I think only base-devel and anything it drags down are needed.

Gilrain commented on 2015-01-25 20:34

@graysky: I had assumed that since systemd and a bunch of other tools are part of the base group, they need not be listed as dependencies but I couldn't find an official word on this except in https://wiki.archlinux.org/index.php/Arch_User_Repository#Foo_in_AUR_does_not_compile_when_I_run_makepkg.3B_what_should_I_do.3F

The deps are now listed to the last, should help.

graysky commented on 2015-01-25 14:08

You need to add 'systemd' as a makedepend or else the required service and timers do not build (must be detected in the ./configure step or something).

graysky commented on 2015-01-25 13:53

Seems as though this version is missing the service and timer files:
% pacman -Ql pgl-cli
pgl-cli /etc/
pgl-cli /etc/NetworkManager/
pgl-cli /etc/NetworkManager/dispatcher.d/
pgl-cli /etc/NetworkManager/dispatcher.d/20pglcmd
pgl-cli /etc/dbus-1/
pgl-cli /etc/dbus-1/system.d/
pgl-cli /etc/dbus-1/system.d/org.netfilter.pgl.conf
pgl-cli /etc/logrotate.d/
pgl-cli /etc/logrotate.d/pglcmd
pgl-cli /etc/logrotate.d/pgld
pgl-cli /etc/pgl/
pgl-cli /etc/pgl/allow.p2p
pgl-cli /etc/pgl/blocklists.list
pgl-cli /etc/pgl/blocklists.local/
pgl-cli /etc/pgl/pglcmd.conf
pgl-cli /run/
pgl-cli /tmp/
pgl-cli /usr/
pgl-cli /usr/bin/
pgl-cli /usr/bin/blockcontrol2pglcmd
pgl-cli /usr/bin/pglcmd
pgl-cli /usr/bin/pglcmd.wd
pgl-cli /usr/bin/pgld
pgl-cli /usr/lib/
pgl-cli /usr/lib/pgl/
pgl-cli /usr/lib/pgl/libdbus.so
pgl-cli /usr/lib/pgl/pglcmd.defaults
pgl-cli /usr/lib/pgl/pglcmd.lib
pgl-cli /usr/lib/pgl/pglcmd.main
pgl-cli /usr/share/
pgl-cli /usr/share/doc/
pgl-cli /usr/share/doc/pgl/
pgl-cli /usr/share/doc/pgl/BUGS
pgl-cli /usr/share/doc/pgl/README.blocklists
pgl-cli /usr/share/doc/pgl/README.dbus
pgl-cli /usr/share/doc/pgl/examples/
pgl-cli /usr/share/doc/pgl/examples/iptables-custom-insert.sh
pgl-cli /usr/share/doc/pgl/examples/iptables-custom-remove.sh
pgl-cli /usr/share/man/
pgl-cli /usr/share/man/man1/
pgl-cli /usr/share/man/man1/pgld.1.gz
pgl-cli /var/
pgl-cli /var/lib/
pgl-cli /var/lib/pgl/
pgl-cli /var/log/
pgl-cli /var/log/pgl/
pgl-cli /var/spool/
pgl-cli /var/spool/pgl/

graysky commented on 2014-12-04 19:03

Seems like a perfect solution. I also found the comments in /etc/pgl/pglcmd.conf pointing to the package defaults very useful. Thanks.

jre commented on 2014-12-03 23:31

I guess setting in pglcmd.conf:
LOG_LOGFILE="1"
LOG_SYSLOG="0"

graysky commented on 2014-12-03 22:36

Is there an easy way to disable the journalctl integration and have the script default to /var/log/pgl as with previous versions?

Gilrain commented on 2014-06-07 09:14

Now that Arch migrated to systemd timer, I thought it was time to make the jump with pgl:

Cron is no longer a dependency, the pgl-update timer being enabled when pgl.service is itself enabled.
Upgrading requires reenabling pgl.service to load the timer and a system reboot or manually starting pgl-update.timer.

Gilrain commented on 2014-05-26 09:16

After inspecting my logs and source code I cannot find anything that would trigger a call to _sslverify.py from pgl.
However, I did find the same message in another program which indeed uses twisted.
Sorry but unless someone can provide more evidence, I don't think pgl is the cause of the error.

Gilrain commented on 2014-05-25 19:00

I'm having some trouble understanding how twisted comes into this when pgl doesn't use Python: only shell scripts and some C, while the lists themselves are downloaded by wget.
Nevertheless, I'll look into it.

graysky commented on 2014-05-25 14:45

@Gilrain - Proposal for you to add the following as an optdep: python2-service-identity

graysky commented on 2014-05-25 14:39

@Gilrain - Proposal for you to add the following as an optdep: python-service-identity

willemw commented on 2014-05-25 12:54

https://aur.archlinux.org/packages/flexget/ comment mentions a similar error.

graysky commented on 2014-05-25 11:09

Anyone else getting this warning?

% sudo pglcmd update
Updating blocklists and reloading PeerGuardian Linux: pgld
/usr/lib/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL to support it, Twisted can perform only rudimentary TLS client hostname verification. Many valid certificate/hostname mappings may be rejected.
  verifyHostname, VerificationError = _selectVerifyImplementation()

Gilrain commented on 2014-04-24 08:41

@vee.aur: your suggestion is already implemented, albeit dynamically and without iproute2 support.

Take a look at the "# Whitelist the DNS server(s)" and the following "# Automatically whitelist LAN of all up interfaces" sections of <http://sourceforge.net/p/peerguardian/code/ci/master/tree/pgl/pglcmd/pglcmd.lib>.

For the latter to work, you need the optional net-tools package which provides the required ifconfig.

Of course, you could submit your one-liner as a patch against pglcmd.lib to get rid of this obsolete dependency :-)

vee.aur commented on 2014-04-23 23:13

Idea: how about an option to pre-populate the allow.p2p with something like this:

echo -e "$(cat /etc/resolv.conf) \n$(ip route) \n$(ip a | grep inet)" | /bin/grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort -nu

In the build:

for x in $(echo -e "$(cat /etc/resolv.conf) \n$(ip route) \n$(ip a | grep inet)" | /bin/grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort -nu); do
    echo "self:$x-$x" >> pglcmd/allow.p2p
done

vee.aur commented on 2014-04-23 23:08

Idea: how about an option to pre-populate the allow.p2p with something like this:

echo -e "$(cat /etc/resolv.conf) \n$(ip route) \n$(ip a | grep inet)" | /bin/grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort -nu
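Added example, not from this thread and not pglcmd's own code, as a fuller version of the idea above. It reads the concatenated text of /etc/resolv.conf, `ip route` and `ip a` (a constructed sample is embedded below) and writes allow.p2p lines in the same `self:start-end` form the one-liner produces. Unlike the bare regex it validates octets (so 300.1.2.3 is dropped), expands a CIDR address such as 192.168.0.2/24 to the whole LAN range instead of whitelisting only the host address, and merges overlapping or adjacent ranges. The function and variable names are chosen here and are assumptions.

```shell
#!/bin/sh
# Added example (not pglcmd code): build allow.p2p "self:" ranges from the host's
# resolver, routing table and interface addresses. Input is the concatenated
# text of /etc/resolv.conf, `ip route` and `ip a`; output is one p2p line per
# merged IPv4 range. Function and variable names are assumptions.

lan_whitelist_p2p() {
  # 1. pull every token that looks like an IPv4 address or a.b.c.d/len out of
  #    the input, validate the octets, expand a prefix to its network range
  #    and print the range as two integers
  awk '
    function ip2int(ip,  o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function valid(ip,  o, i) {
      if (split(ip, o, ".") != 4) return 0
      for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
      return 1
    }
    {
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) continue   # 4.0.1-1-ARCH is not an address
        n = split($i, p, "/")
        if (!valid(p[1])) continue                                       # 300.1.2.3 is not an address either
        plen = (n == 2) ? p[2] + 0 : 32
        if (plen > 32) continue
        size = 2 ^ (32 - plen)
        start = ip2int(p[1]); start -= start % size                       # network address of the prefix
        printf "%.0f %.0f\n", start, start + size - 1
      }
    }' |
  # 2. order the ranges by start address
  sort -n -k1,1 -k2,2 |
  # 3. merge overlapping or adjacent ranges and print them in p2p form
  awk '
    function int2ip(n) { return int(n / 16777216) % 256 "." int(n / 65536) % 256 "." int(n / 256) % 256 "." n % 256 }
    NR == 1 { s = $1; e = $2; next }
    $1 <= e + 1 { if ($2 > e) e = $2; next }
    { print "self:" int2ip(s) "-" int2ip(e); s = $1; e = $2 }
    END { if (NR) print "self:" int2ip(s) "-" int2ip(e) }'
}

# Constructed sample standing in for: cat /etc/resolv.conf; ip route; ip a
SAMPLE_NETCONF='nameserver 192.168.0.1
nameserver 8.8.8.8
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
    inet 127.0.0.1/8 scope host lo
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::1/64 scope link
# linux 4.0.1-1-ARCH 300.1.2.3'

printf '%s\n' "$SAMPLE_NETCONF" | lan_whitelist_p2p
# live use: { cat /etc/resolv.conf; ip route; ip a; } | lan_whitelist_p2p >> /etc/pgl/allow.p2p
```

On the sample above this prints three lines: the nameserver 8.8.8.8 on its own, 127.0.0.0-127.255.255.255 from the loopback prefix, and a single 192.168.0.0-192.168.0.255 entry into which the gateway, the host address and the broadcast address have been merged. Only `ip` and POSIX awk/sort are needed, so it does not depend on the net-tools ifconfig that WHITE_LOCAL currently requires.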

msx commented on 2013-10-16 03:23

"(if only developers would realize how unreasonable it is to start a firewall after the network is up…)"
Totally, as transmissions that are already initiated won't break up just because a firewall is started later :S

Anyways, I just stopped by to thank you for creating the build scripts.

Gilrain commented on 2013-07-04 08:41

No, it was never needed. UFW loads ip(6)tables through its own scripts.
Furthermore, the service file now lists 8 iptables based firewalls by default to ensure pgl is properly set up (if only developers would realize how unreasonable it is to start a firewall after the network is up…).

graysky commented on 2013-07-03 19:36

@Gilrain - For users of ufw, is it still recommended to create:
/etc/systemd/system/pgl.service which contains the following?


.include /usr/lib/systemd/system/pgl.service

[Unit]
After=iptables.service

Gilrain commented on 2013-06-13 07:13

* 2.2.2-6 :
definitely solves the initial blocklists download problem (TimeoutStartSec=0),
iptables and shorewall added to firewalls list.

graysky commented on 2013-06-03 19:44

Nice, thank you for the quick fix, Gilrain.

Gilrain commented on 2013-06-03 09:12

* 2.2.2-5 :
RemainAfterExit solves the startup timing out,
fixed pgld.log access when using "pglcmd test",
added tcptraceroute as an optional dependency.

Gilrain commented on 2013-06-02 16:30

When issuing a "pglcmd test", it looks for the results of the tests in the syslog or directly in pgld.log. By setting LOG_LOGFILE=0, it can no longer find the latter and since pgl is not journald aware the test fails.

I will update the package to leave LOG_LOGFILE alone.

graysky commented on 2013-06-02 13:21

Ah, I see you did: http://pkgbuild.com/git/aur-mirror.git/commit/pgl-cli?id=31bda47ab7d1a25d185e86f58c89734673d1de68

If I remove those two sed lines in the build function, everything works as expected. Problem with my system or with your code?

graysky commented on 2013-06-02 13:19

This release adds problems for me; did you mess with the syslog function?

# pglcmd test
Testing PeerGuardian Linux:
CAUTION: This is just a simple test to check if PeerGuardian Linux blocks
outgoing connections. For this, an IP from the blocklist will be pinged. Then
the test checks if this IP appears in /var/log/syslog.
pgld marks packets to be blocked. This means you have to make sure that the
marked packets are also blocked later (with appropriate iptables rules). If you
are using the default configuration and pgld is started after other firewalls
this will be the case.
This test does not check if you have sane iptables rules. Therefore success
doesn't imply that everything is working as you expect it.

Also have a look at "pglcmd status".

Trying to ping 1.23.95.94 from /var/lib/pgl/master_blocklist.p2p ...
/usr/lib/pgl/pglcmd.lib: line 2309: /var/log/syslog: No such file or directory
/usr/lib/pgl/pglcmd.lib: line 2317: /var/log/syslog: No such file or directory
/usr/lib/pgl/pglcmd.lib: line 2319: [: : integer expression expected
pgld did not mark the IP to be blocked.
1.23.95.94 did not answer the ping.

No clear test result! Trying "tcptraceroute -n -m 2 1.23.95.94 12345" now:
tcptraceroute not installed.

Gilrain commented on 2013-06-01 11:48

Exactly, I was waiting for the imminent new release to upload this change, but jre seems to take his time ;-)

* 2.2.2-4 :
improved service menu to start after some firewalls
forks service instead of using dbus
pgld.log accessible through journald
move everything to /usr/bin

graysky commented on 2013-06-01 10:10

Need to add '--sbindir=/usr/bin' to configure step to comply with new move to /usr/bin I think.

Gilrain commented on 2013-05-16 16:19

* 2.2.2-3 :
deletes pgl spool on package removal,
added condition checks to service file,
updated dbus dependency (was dbus-core),
initscript and post-upgrade notice removed.

graysky commented on 2012-12-01 13:55

This is a major failing of systemd... not having a firewall.target. Need to open a bug upstream.

https://bugs.freedesktop.org/show_bug.cgi?id=57773

graysky commented on 2012-12-01 13:40

This is a major failing of systemd... not having a firewall.target. Need to open a bug upstream.

Gilrain commented on 2012-12-01 08:02

@tsr-nc: I've mixed feelings about your suggestion. It's true that pgl should be loaded after iptables rules are set up but I don't think it's up to the developer (or packager in this case) to list every conceivable iptables based firewall in "After=". Since the choice of firewall is left to the user, maybe it's best to let him or her edit pgl.service to suit their need. Although, a "firewall.target" could be a good compromise, beyond the scope of this simple package.

However, I will edit the wiki page to mention that it might be a good idea to list other firewalls in "After=" (be they ufw, shorewall, etc.). Here's the short of it:

- Create "/etc/systemd/system/pgl.service" with the following content:
.include /usr/lib/systemd/system/pgl.service

[Unit]
After=iptables.service
- Issue "# systemctl reenable pgl.service" to activate it.

tsr-nc commented on 2012-11-30 15:44

please add this to /usr/lib/systemd/system/pgl.service for systemd compatibility
Requires=iptables.service
After=iptables.service

Gilrain commented on 2012-11-13 08:43

dbus is now enabled by default since systemd requires it anyway.

pgl 2.2.2

[jre]
* changed default to not log to syslog (LOG_SYSLOG="0")
* fixed pending ";" in IP_REMOVE results in empty blocklist
* added "env" to the example WGET_OPTS for proxies. Closes: SF bug #3581707
* fixed reading ipfilter.dat lines which contain a : in the description
* updated documentation

[hasufell]
* added gentoo init script, accessible via --with-gentoo-init
* cleaned up configure.ac (AM_CFLAGS)

[freemind]
* fixed bug that prevented apply button from getting enabled.
* modified iptables related functions to use always port numbers and not
names (fix)
* fixed pglgui crashes if you try to whitelist permanently, while pgl is not
running.
* code refactoring
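Added example, not taken from pgl's code, showing the two parsing edge cases the changelog above fixes: a ':' inside a blocklist entry's description and a pending ';' in IP_REMOVE. It assumes the p2p line form `description:start-end` seen in the allow.p2p lines earlier in this thread and assumes IP_REMOVE is a ';'-separated list of single IPv4 addresses (the changelog mentions the pending ';' but not the exact format). The function splits each line on its last colon and punches the removed addresses out of the range instead of dropping the whole entry; the sample blocklist and the function name are constructed here.

```shell
#!/bin/sh
# Added example (not pgl code): remove the addresses listed in IP_REMOVE from a
# p2p blocklist read on stdin. Assumed formats: list lines are
# "description:start-end" (the description may itself contain ":"),
# IP_REMOVE is a ";"-separated list of single IPv4 addresses, and an empty
# item such as the one a trailing ";" leaves behind must be ignored rather
# than turned into a pattern that matches (and removes) every line.

p2p_remove_ips() {
  # $1: IP_REMOVE string; blocklist on stdin; filtered blocklist on stdout
  awk -v remove="$1" '
    function ip2int(ip,  o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function int2ip(n) { return int(n / 16777216) % 256 "." int(n / 65536) % 256 "." int(n / 256) % 256 "." n % 256 }
    function emit(name, s, e) { if (s <= e) print name ":" int2ip(s) "-" int2ip(e) }
    BEGIN {
      n = split(remove, items, ";")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", items[i])
        # keep only well-formed addresses; the empty item from a trailing ";" is skipped here
        if (items[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) rm[items[i]] = 1
      }
    }
    /^[ \t]*(#|$)/ { print; next }          # comments and blank lines pass through
    {
      # the description may contain ":", so split on the LAST colon
      c = 0
      for (i = length($0); i > 0; i--) if (substr($0, i, 1) == ":") { c = i; break }
      if (c == 0 || split(substr($0, c + 1), r, "-") != 2) { print; next }   # not a range line
      name = substr($0, 1, c - 1)
      cur = ip2int(r[1]); e = ip2int(r[2])
      # punch the removed addresses out of [cur, e], lowest address first
      while (cur <= e) {
        best = -1
        for (k in rm) { kk = ip2int(k); if (kk >= cur && kk <= e && (best < 0 || kk < best)) best = kk }
        if (best < 0) { emit(name, cur, e); break }
        emit(name, cur, best - 1)
        cur = best + 1
      }
    }'
}

# Constructed sample blocklist and IP_REMOVE setting (note the trailing ";")
SAMPLE_BLOCKLIST='# constructed sample blocklist
Some ISP: region A:10.0.0.0-10.0.0.255
Bogon:192.168.0.0-192.168.0.255
Single host:203.0.113.7-203.0.113.7'
IP_REMOVE='10.0.0.4;192.168.0.2;203.0.113.7;'

printf '%s\n' "$SAMPLE_BLOCKLIST" | p2p_remove_ips "$IP_REMOVE"
```

On the sample this keeps the comment line, splits the "Some ISP: region A" entry (whose description contains a colon) into 10.0.0.0-10.0.0.3 and 10.0.0.5-10.0.0.255, splits the Bogon entry around 192.168.0.2, and drops the single-host entry entirely; the trailing ';' contributes nothing, which is the behaviour the changelog's fix restores.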

Gilrain commented on 2012-04-26 08:59

@trex279: I'm sorry but I cannot reproduce your problem, both with makepkg or directly on a specially crafted set of files.
The only explanation I can see is that your local PKGBUILD has, somehow, a different sed line than the one posted online.

trex279 commented on 2012-04-26 05:27

I get an error when I try to build it:

~/build/pgl-cli/PKGBUILD: line 30: /bin/sed: Argument list too long
==> ERROR: A failure occurred in build().
Aborting...

Gilrain commented on 2012-04-20 08:21

@ponsfoot: logrotate files have been added to the backup array. Thanks for reporting.

ponsfoot commented on 2012-04-19 15:13

Hi,
Could you add the following files into backup=()?
/etc/logrotate.d/pglcmd
/etc/logrotate.d/pgld
Thx.

Anonymous comment on 2012-01-28 20:54

Thank you Gilrain (see? got it right this time -_- )
I was using the PKGBUILD in the tarball.

Now everything is working fine.

Fabio.

Gilrain commented on 2012-01-28 20:13

@SnowDruid: The "last update" refers to the modified PKGBUILD (revision number 2.1.3-2 replacing 2.1.3-1) which got rid of the DBUS dependency. You must recompile your package using the updated PKGBUILD/Archive to benefit from this.
Pardon the lack of clarity.

Anonymous comment on 2012-01-28 19:12

Hello again Gilran, thanks for the reply.

I'm using the last update:
[root@doom ~]# pgld

ERROR: No blocklist specified!

pgl 2.1.3

pgl is licensed under the GNU General Public License v3, or (at your option)
any later version. This program comes with ABSOLUTELY NO WARRANTY. This is
free software, and you are welcome to modify and/or redistribute it.

I'm sorry - I don't think I understand. Maybe I'm missing something, but looking at /var/log/errors.log it seems the program looks for dbus.

Fabio.

Gilrain commented on 2012-01-28 18:59

@SnowDruid: the last update no longer needs a running dbus daemon to function.

Anonymous comment on 2012-01-28 18:52

Hello Gilran

I'm new to Archlinux and I'm trying to install gpl-cli using PKGBUILD. The machine is a fresh install, with only sshd, samba and bind installed using pacman.

I ran the install process, updated the lists fine (gplcmd update) - now when I try to start the daemon with:

[root@doom ~]# rc.d start pgl
Starting PeerGuardian Linux: pgld failed!

in /var/log/errors.log

Jan 28 19:48:39 doom pgld: ERROR: Connection Error (Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory)
Jan 28 19:48:39 doom pgld: ERROR: dbconn is NULL.
Jan 28 19:48:39 doom pgld: ERROR: Cannot initialize D-Bus

dbus is installed:

[root@doom ~]# pacman -Ss dbus
core/dbus-core 1.4.16-1 [installed]
Freedesktop.org message bus system
extra/dbus 1.4.16-1 [installed]
Freedesktop.org message bus system
extra/dbus-glib 0.98-1 [installed]
GLib bindings for DBUS

Any ideas on how to solve this? Thanks in advance.
Fabio.

graysky commented on 2011-11-19 14:41

@Gilran - thanks for the quick support! I updated the file per your instruction

WHITE_TCP_OUT="http https ntp"
WHITE_TCP_IN="55311" # ssh
WHITE_IP_OUT="192.168.0.0/24"
WHITE_IP_IN="192.168.0.0/24"

The odd thing is the deprecated net-tools package has been and is currently installed.

# which ifconfig
/sbin/ifconfig

Gilrain commented on 2011-11-19 14:03

Eureka! I've found the culprit. pgl uses "ifconfig" to list network interfaces and since Arch dropped it in favour of "ip", WHITE_LOCAL="1" doesn't work as expected. The author is aware of the problem as seen in the TODO file ;-)
In the meantime either use the WHITE_IP_* settings or install the deprecated "net-tools" package.

Gilrain commented on 2011-11-19 13:39

After going through my iptables rules (# iptables --list) I can see that WHITE_LOCAL="1" (enabled by default) doesn't create a specific rule for my LAN. I'll investigate further...

@graysky: The following is needed to allow IPv4 traffic on your LAN:
WHITE_IP_OUT="192.168.0.0/24"
#WHITE_IP_IN="192.168.0.0/24" # uncomment only if the computer hosts services like SSH, HTTP, SAMBA, etc.

As for my server conf file, it white lists every incoming ports except one which is filtered by the block lists:
WHITE_TCP_IN="0:79 81:65535"

While this allows outgoing connections to various servers potentially in the lists:
WHITE_TCP_OUT="ntp http https http-alt"
WHITE_UDP_OUT="domain"

graysky commented on 2011-11-19 12:01

Thanks Gilrain!

Maggie is right, this is the same behavior on my system. I start pgl manually when needed. Does this happen to you too, Gilrain?
Gilrain - please post your /etc/pgl/pglcmd.conf

Here is mine that doesn't auto whitelist:

WHITE_TCP_OUT="http https"
WHITE_IP_IN="192.168.0.2"

Where 192.168.0.2 is my workstation.

Gilrain commented on 2011-11-19 08:02

@graysky: pids are in /var/run; /run is for early programs like udev. /run/daemon simply maintains a list of running daemons for the rc.d program. I'll try to adapt the init script to add this functionality.
@maggie: Do you start the pgl daemon after setting up the network? e.g. DAEMONS=(... network @pgl ...). If so you might want to take a look at the # Whitelist IPs # section in /usr/lib/pgl/pglcmd.defaults and submit a bug report on sourceforge.

graysky commented on 2011-11-18 12:45

@Gilrain - just realized that you need to Arch-ize the init script for pgl. It needs to place a pid file in /run/daemons, no?

maggie commented on 2011-11-13 12:10

Something is wrong with this package's feature that whitelists all LAN traffic. I looked in the config file and it is set up to do this, but ssh traffic to the machine on my LAN from another machine on my LAN is blocked when pgl is running.

graysky commented on 2011-10-31 12:35

Nice, thanks!

Gilrain commented on 2011-10-28 10:13

@graysky: All lists could potentially prevent access to online resources. If you feel that something should be changed in the default configuration, please contact the author.
For this reason and to follow on @maggie's comment, I created https://wiki.archlinux.org/index.php/PeerGuardian_Linux where you can find information on how best to configure pgl.

graysky commented on 2011-10-23 13:17

Suggest you comment out the following list in /etc/pgl/blocklists.list because it blocks many legit web sites on the host machine (line 48):

http://list.iblocklist.com/lists/tbg/business-isps

maggie commented on 2011-10-15 08:43

This is a very nice package. I was using moblock but just found this. Wikipedia says that moblock is no longer actively developed and that pgl is its successor. http://en.wikipedia.org/wiki/MoBlock

Gilrain commented on 2011-10-15 08:41

@graysky: Thanks for your input. The modifications have been made.

graysky commented on 2011-10-15 08:16

Suggest you add the key word "peerguardian" to the pkgdesc to allow folks to find this pkg.
Also suggest using the sourceforge page's url rather than phoenixlabs --> http://sourceforge.net/projects/peerguardian

Great PKG!