[Firehol-support] Block p2p
costa at tsaousis.gr
Wed Nov 7 09:19:07 GMT 2007
> My linux box is used as a gateway to the internet and uses firehol for
> a while. The setup works great but with a little problem. I need to
> block p2p on my gateway so that the clients will not be able to
> download from p2p and torrent. Is there a way that firehol be setup to
> block this p2p and torrent uploads/downloads.
There is no easy way, and there will always be workarounds for the users
to bypass the block.
My suggestion for blocking p2p is this:
1. Don't use 'client all accept' or 'route all accept'. Allow only
specific client requests towards the Internet.
For example: allow http, https, smtp, pop3, imap, etc but try to avoid
the service 'all' or 'any'.
2. Since the above will give you many blocked content too (for
webservers not listening on the standard http, https ports) I suggest to
setup a proxy (squid), which should be used by your users to reach web
content. Keep in mind however that many P2P protocols may be able to
tunnel their connections through the proxy. For better results, I
suggest the proxy to require authentication from its clients.Check your
proxy documentation on how to avoid p2p tunneling through it.
3. Another (complementary) way could be to use special kernel iptables
modules that sniff the packets passing through the firewall and provide
iptables matches based on the content of the packets. This however can
be easily bypassed by encrypting the P2P packets, and you may have a
hard time keeping your kernel updated with these modules.
I suggest however to consider rate-limiting all unknown traffic, so low
that it will make it unusable.
This can be a very good practice, since p2p clients can detect blocks
and find workarounds. If however you rate-limit them, the clients will
assume they are connected to their default ports and will not attempt to
find any workarounds. This means that P2P will work, but it will not be
Google for traffic shaping tools and check the howto at:
More information about the Firehol-support