[Firehol-support] howto block p2p in network

Costa Tsaousis costa at tsaousis.gr
Mon Dec 29 23:21:05 GMT 2003


I am afraid you will not be able to block all P2P applications.
More specifically, kazaa seems to adjust itself to the environment and
even use port 80 to communicate with the kazaa servers. This makes it
almost impossible to block kazaa (blocking port 80 blocks the web too).

I have done some searching on the net about this, and although I found
significantly varying responses to similar questions, I consider the
following as the best practices:

1. If you are trying to block P2P in a corporate environment, try to
enforce policies that will eliminate the problem. Not all problems are
solved with technical solutions, and generally speaking, people that
want their jobs tend to follow the policies set by higher management.

2. If you cannot control the policies, you can rate-limit (throttle)
kazaa to use too little bandwidth to be useful. Since kazaa first tries
the default kazaa ports and if it cannot connect with those, falls back
to alternatives, rate limiting the well known kazaa ports will allow you
to control it even if it appears to work. Keep in mind though that this
means you are willing to play a cat-and-mouse game as kazaa evolves...

If however none of the above is good for you, you can search the net for
various solutions applied and experiment to see the results. Personally,
I wouldn't suggest that - it will just be a waste of time.

Costa


On Fri, 2003-12-12 at 14:53, Moacyr Leite da Silva wrote:
> Hi,
> 
> 
> Can someone help me block p2p in my network? I tried the config below with no
> luck.
> 
> Regards
> Moacyr
> 
> 
> ####
> version 5
> 
>         server_kaaza_ports="tcp/3531"
>         client_kaaza_ports="default"
> 
>         transparent_squid 8080 "squid root" inface eth1
> 
> 
> interface eth0 internet src not "${UNROUTABLE_IPS}"
> 
>         policy drop
>         protection strong
>         server ident reject with tcp-reset
> 
>         server http     accept
>         server https    accept
>         server dns      accept
>         server smtp     accept
>         server ssh      accept
>         server jabberd  accept
>         server jabber   accept
>         server kaaza    deny
> 
>         client all accept
> 
> interface eth1 lan
> 
>         policy accept
> 
>         server all accept
> 
>         client all accept
> 
> 
> router lan2internet inface eth1 outface eth0
>         masquerade
>         route kaaza deny
>         route "http https ftp" accept
>         route "ssh ntp ping" accept
>         route "GRE AH ESP isakmp pptp" accept
>         route "vnc irc msn" accept
> 
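The following is an added example, not a configuration from either poster: it rewrites the router section of the quoted config so that it applies Costa's second suggestion (throttle the well-known ports rather than deny them). It assumes the `limit` optional rule parameter of FireHOL 1.x, which maps to the iptables `limit` match, and it keeps the eth0/eth1 layout and the tcp/3531 port from the original post; tcp/1214, the classic KaZaA port, is added from general knowledge and is not on the page.

```firehol
# Added example (not from the original thread): throttle the well-known
# KaZaA ports instead of denying them, per Costa's second suggestion.
# Assumes FireHOL 1.x and its 'limit "rate" "burst"' rule parameter.
version 5

# tcp/3531 comes from the original post; tcp/1214 is the classic KaZaA
# port, added here from general knowledge (not from the page).
server_kazaa_ports="tcp/1214 tcp/3531"
client_kazaa_ports="default"

interface eth0 internet src not "${UNROUTABLE_IPS}"
        policy drop
        protection strong
        server "http https dns smtp ssh" accept
        client all accept

interface eth1 lan
        policy accept
        server all accept
        client all accept

router lan2internet inface eth1 outface eth0
        masquerade

        # Weak setting (what the original post does): a plain deny.
        # The client sees the failure at once and falls back to port 80,
        # where it is indistinguishable from ordinary web traffic.
        #route kazaa deny

        # Throttled setting: accept the well-known ports, but only a
        # trickle of packets. Packets over the limit do not match this
        # rule, match none of the rules below either, and end up in the
        # default DROP policy. The client believes it is connected, so it
        # does not try its fallback ports, but the transfer is useless.
        route kazaa accept limit "2/sec" "5"

        route "http https ftp" accept
        route "ssh ntp ping" accept
        route "GRE AH ESP isakmp pptp" accept
        route "vnc irc msn" accept
```

Two caveats. The iptables `limit` match counts packets, not bytes, so this is a crude throttle rather than real bandwidth shaping (that needs `tc`, which FireHOL 1.x does not manage); it works because dropped packets force TCP into retransmissions and the connection crawls without closing. And, as Costa notes, any list of well-known ports only holds until the next client release changes them, so the port list has to be revisited over time.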