Peer Guardian problem.

**Hi! ** :slight_smile:
I compiled the last pgl version, on OpenSUSE (with KDE) 13.1 x64 (but I also have the same problem with the previous pgl repo versions).

Entering at GUI for whitelisting, the ports 80 and 443 and clicking OK (leaving the defaults Outgoing and TCP), failing with the message “80 doesn’t work over TCP. 443 doesn’t work over TCP”.
Here’s a screenshot:

Does someone else uses this program?
Was he able, to succesfully configure it?
TIA! :slight_smile:

Looks to me exactly as described.
Outbound ports 80 and 443 are closed.

Although this can be at a firewall, IMO this more likely a configuration in the application you’re running (eg torrent app).


I disabled altogether firewall, permanently.
I configured my router’s firewall instead (firewall, port forwarding etc.).
I don’t have KTorrent running, while I’m trying to setup PG.

I don’t have a clue, what this cryptic message, means! :slight_smile:
There are two unstable repositories with the previous version (which I tried) and I combilled the latest version here, however I posted just in case someone already dealt with it and found a solution.
My personal opinion is, when a program doesn’t have a package at the official repositories, you don’t have a guaranty that it will work at your distribution of preference.

PS. I tried also IPBlock (from the same repositories), but (since it’s ~4y. abandoned) didn’t worked either.

Don’t know what you’re trying to do.
To me, Peer Guardian and the like generally generate IP block lists usually distributed in the eMule format (IIRC - There is plenty around to verify).

So, I don’t generally run an app dedicated to the block list generator, I configure an application that understands how to read the format to regularly import updated lists.

Along the same line, any firewall that understands the block list format can probably use the list.


Indeed I was trying to use the emule blocklists. :slight_smile:

  1. Setting a hardware firewall to work with them, would be an excellent solution maybe, but I doubt the router’s firewall has so many possibilities, as they have the expensive ones for big intranets.
  2. Indeed most torrent clients (including KTorrent and Azureus) has nowadays the option for handling these blocklists.
    a) The downside is, that they can bypassed by a possible intruder, because they’re client-application based.
    Managing the blocklists with Peer Guardian, offers the same functionallity, but at the OS-Firewall level (that can’t be bypassed).
    b) Also, this way the administrator can use blocklists without using a torrent client (eg. denying access to specific sites).
    This can be achieved of course from firewall’s setup, but it’s difficult enough (you have to know all the related IPs).

Before starting down this path, I recommend you read up various opinions about what you’re trying to do. For many years now, the recommendation has been that these blocklists are ineffective. They’re incomplete, easy for exploiters to poison and through the use of proxies circumvent. You’ll also have as likely a possibly of false positives (denying you legitimate access to resources) as false negatives.

So, these kinds of blocklists still live on as recognized limited measures for very specific use, not general purpose use. There are other blocklists that are more often used… eg IP address ranges assigned to countries. If you observe attacks coming from a particular country and have no legitimate reason to connect to a machine in that country, then the entire country can be blocked. That’s different than a dynamically changing list of IP addresses contributed by volunteers which may or may not be vetted sufficiently.

So, general practice is to block using a different policy, not using dynamically generated block lists, eg when access attempted over an unauthorized port then create a block based on that individual attempt. But, even then be careful. Plenty of networks regularly probe the hosts on their own network actively so you need to avoid blocking your own ISP access.


Indeed I’ve read an article, that ip filtering is ~35% effective (that means an enormous 65% ineffective). :slight_smile:
Still, it’s better than nothing.

On the other hand, blocking entire regions, is not a PC viable solution (although it’s a good choice for enterprise networks).
Most listed bad IPs are US based (eg. Microsoft), but I don’t want to blacklist all USA IPs!
I’m not a heavy downloader nowadays, but I still conidering ip filtering, a must for (PC) torrent users.

Sidenote: IP filtering can be always enabled (even if you don’t bother with torrents) and block some annoying (or even malicious) IPs (advertisers, spammers, fishers or even malware spreaders (although the last can’t harm a Linux system)).
My own conclusion (that may be wrong of course), is that ip filtering can’t be an alternative for common sence, nor can protect you from your own stupid actions, but still it’s better than nothing. :slight_smile:

PS. I was trying (a few years ago) to convince a friend of mine from phoenix labs, to install Linux and give it a try and he responded me, that Linux is maybe better than Windows and open source and everything, but it doesn’t have a peer guardian like solution (it didn’t).
Thankfully, nowadays we have PG (even 35% effective). :slight_smile:
Again, this is my own experience. Your mileway, may vary of course.

Instead of blocking IPs, you’ll probably find it more effective to simply harden your machine.
Make sure there are no unnecessary exposed ports, and if you do open a port make sure the service behind the port is fully updated and configured properly.

Configure a firewall (or firewalls) to manage the exposure. If you want stronger protection, the firewall should support “stateful inspection” although that term is frequently abused by marketing. Better/Best firewall protection is to use a Proxy Firewall. That means that no connection is made directly to your machine, it’s terminated at the proxy and then after inspection a new connection is made on the other side to the desired destination. Proxy firewalls can manage connections in both directions. An example is if someone tried to launch a malicious attack on a known vulnerability on your machine. Since the attacker’s connection is to the Proxy, the Proxy does not have the same functionality as your own machine running abundant applications and functions. So, the attacker ends up trying to compromise a machine which does not have the necessary vulnerability and the Proxy can refuse to forward the request to the real target.

You can also probably more effectively protect your machine by installing apps that actively respond to questionable network activity like denyhosts and arpwatch. A truly powerful firewall likely also supports similar functionality (dynamically generating its own internal blocklist based on questionable network activity), but be sparing and careful about how you implement to avoid false positives.


Well, I’m always hardening my system as much as possible. :slight_smile:
Still, blocklisting is a quick and dirty solution, that I can apply everywhere.

I’m installing (from time to time) Linux at my friends systems, in order to give them a taste of the freedom world and to get their hands dirty with penguins world.
I really don’t have so much time to spend, only for extending the hardening to the maximum.
It isn’t my job and I just don’t have, so much time.
Once again, blocklists are coming handy. :slight_smile:

One last thing I forgot to mention that could greatly improve performance…

Install one of those newer NICs that support offloading and <with Linux support>.

The idea is that there is a lot of network garbage that has become normal facing the Internet, eg legitimate probing, illegitimate probing, neighboring boxes which send out tons of broadcasts, etc.

NICs that support offloading will filter out a lot of that garbage at the NIC instead of passing upwards to the OS creating kernel “busy work.”


The last git version, works like a dream! rotfl!

Thank you all and specially the developers jre-phoenix and freespirit!!!