Sir,<br><br>Thank you.<br><br>---<br>sandeil<br><br><b><i>Costa Tsaousis &lt;costa@tsaousis.gr&gt;</i></b> wrote:<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">seekuel wrote:<br>> Hello,<br>><br>> My linux box is used as a gateway to the internet and has used firehol for a while. The setup works great but with a little problem. I need to block p2p on my gateway so that the clients will not be able to download from p2p and torrent. Is there a way that firehol can be set up to block these p2p and torrent uploads/downloads?<br><br>
There is no easy way, and there will always be workarounds for the users to bypass the block.<br><br>
My suggestion for blocking p2p is this:<br><br>
1. Don't use 'client all accept' or 'route all accept'. Allow only specific client requests towards the Internet. For example: allow http, https, smtp, pop3, imap, etc., but try to avoid the service 'all' or 'any'.<br><br>
2. Since the above will give you a lot of blocked content too (for webservers not listening on the standard http and https ports), I suggest setting up a proxy (squid), which should be used by your users to reach web content. Keep in mind however that many P2P protocols may be able to tunnel their connections through the proxy. For better results, I suggest that the proxy require authentication from its clients. Check your proxy documentation on how to avoid p2p tunneling through it.<br><br>
3. Another (complementary) way could be to use special kernel iptables modules that sniff the packets passing through the firewall and provide iptables matches based on the content of the packets. This however can be easily bypassed by encrypting the P2P packets, and you may have a hard time keeping your kernel updated with these modules.<br><br>
I suggest, however, considering rate-limiting all unknown traffic, so low that it will make it unusable. This can be a very good practice, since p2p clients can detect blocks and find workarounds. If however you rate-limit them, the clients will assume they are connected to their default ports and will not attempt to find any workarounds. This means that P2P will work, but it will not be of any use!<br><br>
Google for traffic shaping tools and check the howto at: http://lartc.org/lartc.html.<br><br>Costa<br><br></blockquote>
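Costa's first two points (no catch-all service towards the Internet, web access through a proxy) as a firehol.conf, added here as an example; it is not from the thread and not FireHOL's own documentation. The interface names (eth0 towards the Internet, eth1 towards the LAN), the LAN subnet 192.168.1.0/24 and the Squid port 3128 are assumed for illustration.

```bash
# /etc/firehol/firehol.conf (added example; interface names and addresses are assumed)
version 5

# The form Costa advises against: every request from the LAN is passed
# through, so a P2P client can reach any port on the Internet.
#
#   router lan2internet inface eth1 outface eth0
#       masquerade
#       route all accept

# Restricted form: only named services may leave the LAN.
interface eth0 internet
    protection strong
    # the gateway itself (and the proxy running on it) may use these services
    client "dns ntp http https" accept

interface eth1 lan src 192.168.1.0/24
    policy reject
    # the LAN may reach the gateway for these services only
    server "ssh dns" accept
    # the Squid proxy (assumed on tcp/3128) is the intended path to web content
    server custom squid tcp/3128 default accept

router lan2internet inface eth1 outface eth0
    masquerade
    # standard-port web and mail go through directly; everything else is
    # dropped because there is deliberately no 'route all accept'
    route "http https smtp pop3 imap" accept
```

Web servers on non-standard ports are not reachable through the router and must be fetched via the proxy, which is where the proxy's authentication and its own tunnelling controls apply.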
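The rate-limiting idea from the end of Costa's reply, written out as an added example with tc (HTB) in the style of the lartc howto; it is not from the thread. Interface names, the link speed, the class rates and the port list are assumed, and the script only prints the tc commands unless it is run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example: HTB shaping whose default class is a trickle, so traffic that
# does not look like a known service still "works" but is useless.
# All values below are assumed for illustration.
set -eu
WAN=${WAN:-eth0}                  # assumed Internet-facing interface
LAN=${LAN:-eth1}                  # assumed LAN-facing interface
LINK=${LINK:-2mbit}               # assumed link speed
KNOWN_PORTS="53 80 443 25 110 143 3128"   # dns http https smtp pop3 imap squid(assumed)

# "sh shape.sh apply" executes the commands; without it they are only printed.
if [ "${1:-}" = apply ]; then TC=tc; else TC=echo; fi

# shape <dev> <dport|sport>: build an HTB tree on <dev> whose default class 1:30
# is the slow one; packets whose <side> port is a known service go to 1:10.
shape() {
    dev=$1; side=$2
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    # unclassified packets fall into 1:30 by default
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK" ceil "$LINK"
    # 1:10 - recognised services get nearly the whole link
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate 1800kbit ceil "$LINK" prio 1
    # 1:30 - everything else is throttled rather than blocked
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate 16kbit ceil 32kbit prio 3
    for p in $KNOWN_PORTS; do
        $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip "$side" "$p" 0xffff flowid 1:10
    done
}

shape "$WAN" dport   # uploads: the destination port names the service
shape "$LAN" sport   # downloads to clients: the source port names the service
```

Egress shaping on each interface covers both directions of the gateway: what leaves eth0 is the clients' upload, what leaves eth1 is their download. Because the u32 match only looks at port numbers, a P2P client that uses port 80 or 443 lands in the fast class; that is the same limitation Costa notes for port-based filtering, and it is why the proxy is the better path for web traffic.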