pgl seems to be OK.
Seems to do exactly what it says to ip_tables - putting its rules in its own chains, and merely pre-pending those chains to everyone else’s. Documentation notes indicate that it delays starting until all other firewalls / ip_tables impacting services have.
It only rejects, based on given rules and block lists, or permits per whitelist (overriding its rules and block lists) - which is to say, permits evaluation to continue through the chains present if it wasn’t, and therefore permitting those chains to themselves reject traffic just as they did prior.
I can see it explicitly permits (doesn’t reject) local interface networks and whonix’s DNS (10.0.2.3), out of the box. i.e. By default should not break your environment.
It says it now includes a watchdog to restart upon blockage. (A problem with the Linux iplist project wherein a failure in fetching / processing shuts down all traffic. e.g. A parsing or website down error. Both are supposed to revert to the prior downloaded list in such cases, but a bug in iplist seems to regularly prevent that - leaving you mysteriously unable to communicate at all. [Simply restarting iplist resolves the issue - but you’re mysteriously incommunicado in the mean time.] Appears pgl has taken steps to try to address that.)
Good notes at:
- (and) https://sourceforge.net/p/peerguardian/wiki/pgl-FAQ/
Add repo to sources.d, e.g. /etc/apt/sources.list.d/pgl.list:
deb http://moblock-deb.sourceforge.net/debian wheezy main
deb-src http://moblock-deb.sourceforge.net/debian wheezy main
apt-get update ; apt-get install pglcmd pgld pglgui
Appears to do as intended / expected (you’re loading block lists, after all) / does no harm at install.
Be advised: YMMV - every situation is different. Check after install that your particular setup still works - e.g. if you are using non-standard ip’s in your virtual lan, you may find them blocked until you adjust pgl accordingly.
Although I am not specifically endorsing the package, here, I am explicitly not rejecting it. I can say that in my own experience, for my own situation and environment, it works for me. And probably will for you, if you are looking for and understand the nature of (blacklist) ip_tables blocking / management.
NOTE: As Patrick points out … pgl use will likely change your fingerprint - for the things that -aren’t- there vis a vis the rest of the internet. If this is not good / acceptable for your use case - don’t use it. The point of whonix is to keep as large a haystack as possible in which actors have to try and pinpoint a very small needle (you). pgl use will make the size of that haystack smaller. Perhaps much smaller, but personally I don’t expect so - unless your normal activity would make you a target of the most prevalent actors looking for such. (So bloggers, I’m guessing, likely have fewer actors worldwide looking for them.) Even if you thus put yourself in this smaller haystack, they still have to (want to) find you, and the whole point of whonix, or you wouldn’t be using it, or here to read this, is to diminish their ability to uniquely identify, target, and find you.
Mind you - one of the ways they might find you is to attack you (by diminishing your ability to access the internet) or try to infect you (perhaps with something that phones home flagging where you really are), and using such lists and rejecting such traffic will likely diminish the ability to, or efficacy of, such attacks.
Defence in depth may well apply here.
* Note: By default, whonix only permits TCP traffic to TOR. Using pgl can only degrade performance, since all traffic now goes through an additional pass/fail evaluation process. I believe whonix already has defensive measure in place for protection from bad TOR nodes, effected at the next routing change - by default every 10 minutes. If you use pgl, make sure you don’t block your TOR nodes, or you will be unhappy.
* Note: Similarly, if you are using a VPN or proxy, make sure pgl doesn’t block them, or you will be similarly unhappy. It is conceivable that pgl will prevent you from interacting with bad VPN or proxy IPs, but presumably you checked such out before making such settings in the first place.
YMMV. Use at your own risk. But works for me.