[Firehol-support] Block p2p

seekuel sandeil_tenebro at yahoo.com
Thu Nov 8 13:07:47 GMT 2007


Sir,

Thank you.

---
sandeil

Costa Tsaousis <costa at tsaousis.gr> wrote:

seekuel wrote:
> Hello,
>
> My linux box is used as a gateway to the internet and uses firehol for 
> a while. The setup works great but with a little problem. I need to 
> block p2p on my gateway so that the clients will not be able to 
> download from p2p and torrent. Is there a way that firehol be setup to 
> block this p2p and torrent uploads/downloads.
There is no easy way, and there will always be workarounds for the users 
to bypass the block.
My suggestion for blocking p2p is this:

1. Don't use 'client all accept' or 'route all accept'. Allow only 
specific client requests towards the Internet.
For example: allow http, https, smtp, pop3, imap, etc., but try to avoid 
the service 'all' or 'any'.

2. Since the above will block a lot of legitimate content too (for 
webservers not listening on the standard http, https ports), I suggest 
setting up a proxy (squid), which should be used by your users to reach web 
content. Keep in mind however that many P2P protocols may be able to 
tunnel their connections through the proxy. For better results, I 
suggest that the proxy require authentication from its clients. Check your 
proxy documentation on how to avoid p2p tunneling through it.

3. Another (complementary) way could be to use special kernel iptables 
modules that sniff the packets passing through the firewall and provide 
iptables matches based on the content of the packets. This however can 
be easily bypassed by encrypting the P2P packets, and you may have a 
hard time keeping your kernel updated with these modules.

I suggest, however, considering rate-limiting all unknown traffic, so low 
that it will make it unusable.
This can be a very good practice, since p2p clients can detect blocks 
and find workarounds. If however you rate-limit them, the clients will 
assume they are connected to their default ports and will not attempt to 
find any workarounds. This means that P2P will work, but it will not be 
of any use!
Google for traffic shaping tools and check the howto at: 
http://lartc.org/lartc.html.

Costa
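A FireHOL configuration following suggestion 1 above (enumerate the allowed client services instead of 'client all accept' / 'route all accept'), added here as an example and not part of the original thread; the interface names eth0/eth1, the LAN range 192.168.1.0/24 and the chosen service list are assumptions:

```firehol
version 5

# Added example, not from the original thread.
# eth0 = Internet-facing interface (assumed), eth1 = LAN-facing interface (assumed).

# The gateway's own traffic on the Internet side: only what the box itself needs.
interface eth0 internet src not "${UNROUTABLE_IPS}"
    protection strong
    client "dns http https ntp" accept

# LAN side: the gateway offers DNS and SSH to the LAN (assumed services).
interface eth1 lan src "192.168.1.0/24"
    policy reject
    server "dns ssh" accept
    client all accept

# LAN -> Internet: an explicit list of protocols, no 'route all accept'.
# Anything not listed (including P2P clients on arbitrary ports) falls
# through to the router's default policy and is dropped.
router lan2internet inface eth1 outface eth0 src "192.168.1.0/24"
    masquerade
    route "dns http https smtp pop3 imap" accept
```

Suggestion 4 (rate-limiting the remaining unknown traffic) is traffic shaping and is done with tc outside this FireHOL configuration, as the LARTC howto linked above describes.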


