[Firehol-support] Block p2p
seekuel
sandeil_tenebro at yahoo.com
Fri Nov 9 00:30:45 GMT 2007
Sir,
Below is a part of the configuration for firehol.conf and the error encountered when generating the rules. I don't really have a clear understanding of how to do a custom port accept. What did I do wrong?
Thank you
---------------------------------------------------------------------------------------------------------
router lan2internet inface eth1 outface eth0
masquerade
# route all accept
route "icmp dns webcache ssh" accept
route tcp/46501 accept
route tcp/47000 accept
route tcp/2812 accept
---------------------------------------------------------------------------------------------------------
[root at proxy1 firehol]# /etc/init.d/firehol start
FireHOL: Saving your old firewall to a temporary file: [ OK ]
FireHOL: Processing file /etc/firehol/firehol.conf:/bin/touch: cannot touch `/tmp/.firehol-tmp-27480-15697-15437/chains/in_lan2internet_tcp/46501_s5': No such file or directory
/bin/touch: cannot touch `/tmp/.firehol-tmp-27480-15697-15437/chains/out_lan2internet_tcp/46501_s5': No such file or directory
--------------------------------------------------------------------------------
ERROR #: 1
WHAT : Running simple rules for server 'tcp/46501'
WHY : Cannot accept an empty 'proto'.
COMMAND: route tcp/46501 accept
SOURCE : line 48 of /etc/firehol/firehol.conf
--------------------------------------------------------------------------------
ERROR #: 2
WHAT : Running simple rules for server 'tcp/46501'
WHY : Simple service 'tcp/46501' returned an error (1).
COMMAND: route tcp/46501 accept
SOURCE : line 48 of /etc/firehol/firehol.conf
/bin/touch: cannot touch `/tmp/.firehol-tmp-27480-15697-15437/chains/in_lan2internet_tcp/47000_s6': No such file or directory
/bin/touch: cannot touch `/tmp/.firehol-tmp-27480-15697-15437/chains/out_lan2internet_tcp/47000_s6': No such file or directory
--------------------------------------------------------------------------------
ERROR #: 3
WHAT : Running simple rules for server 'tcp/47000'
WHY : Cannot accept an empty 'proto'.
COMMAND: route tcp/47000 accept
SOURCE : line 49 of /etc/firehol/firehol.conf
--------------------------------------------------------------------------------
ERROR #: 4
WHAT : Running simple rules for server 'tcp/47000'
WHY : Simple service 'tcp/47000' returned an error (1).
COMMAND: route tcp/47000 accept
SOURCE : line 49 of /etc/firehol/firehol.conf
/bin/touch: cannot touch `/tmp/.firehol-tmp-27480-15697-15437/chains/in_lan2internet_tcp/2812_s7': No such file or directory
/bin/touch: cannot touch `/tmp/.firehol-tmp-27480-15697-15437/chains/out_lan2internet_tcp/2812_s7': No such file or directory
--------------------------------------------------------------------------------
ERROR #: 5
WHAT : Running simple rules for server 'tcp/2812'
WHY : Cannot accept an empty 'proto'.
COMMAND: route tcp/2812 accept
SOURCE : line 50 of /etc/firehol/firehol.conf
--------------------------------------------------------------------------------
ERROR #: 6
WHAT : Running simple rules for server 'tcp/2812'
WHY : Simple service 'tcp/2812' returned an error (1).
COMMAND: route tcp/2812 accept
SOURCE : line 50 of /etc/firehol/firehol.conf
NOTICE: No changes made to your firewall.
[FAILED]
FireHOL: Restoring old firewall:
---------------------------------------------------------------------------------------------------------
---
sandeil
Costa Tsaousis <costa at tsaousis.gr> wrote:
seekuel wrote:
> Hello,
>
> My linux box is used as a gateway to the internet and uses firehol for
> a while. The setup works great but with a little problem. I need to
> block p2p on my gateway so that the clients will not be able to
> download from p2p and torrent. Is there a way that firehol be setup to
> block this p2p and torrent uploads/downloads.
There is no easy way, and there will always be workarounds for the users
to bypass the block.
My suggestion for blocking p2p is this:
1. Don't use 'client all accept' or 'route all accept'. Allow only
specific client requests towards the Internet.
For example: allow http, https, smtp, pop3, imap, etc but try to avoid
the service 'all' or 'any'.
2. Since the above will give you much blocked content too (for
webservers not listening on the standard http, https ports) I suggest
setting up a proxy (squid), which should be used by your users to reach web
content. Keep in mind however that many P2P protocols may be able to
tunnel their connections through the proxy. For better results, I
suggest the proxy require authentication from its clients. Check your
proxy documentation on how to avoid p2p tunneling through it.
3. Another (complementary) way could be to use special kernel iptables
modules that sniff the packets passing through the firewall and provide
iptables matches based on the content of the packets. This however can
be easily bypassed by encrypting the P2P packets, and you may have a
hard time keeping your kernel updated with these modules.
I suggest, however, considering rate-limiting all unknown traffic, so low
that it will make it unusable.
This can be a very good practice, since p2p clients can detect blocks
and find workarounds. If however you rate-limit them, the clients will
assume they are connected to their default ports and will not attempt to
find any workarounds. This means that P2P will work, but it will not be
of any use!
Google for traffic shaping tools and check the howto at:
http://lartc.org/lartc.html.
Costa
Respectfully yours,
Sandeil C. Tenebro, E.C.E.
Linux Registered User #384410
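Added example, not part of the original message or of FireHOL's own documentation: a FireHOL 1.x configuration fragment showing how the three custom-port rules from the config above can be declared as named services (the "custom port accept" the question asks about), while following Costa's advice to route only specific services rather than 'route all accept'. The service names app46501, app47000 and app2812 are placeholders chosen here; the ports and interfaces are the ones from the posted config.

```firehol
# Added example (not from the original post). FireHOL 1.x does not accept a
# bare "tcp/PORT" as a service name in route/server/client commands, which is
# what produced "Cannot accept an empty 'proto'". A custom service is declared
# by a pair of variables, defined before the router that uses it:
#   server_<name>_ports  - port(s) the server side listens on
#   client_<name>_ports  - port(s) the client side may use ("default" =
#                          any unprivileged port)
# The <name> is arbitrary; app46501 etc. are placeholders used here.

server_app46501_ports="tcp/46501"
client_app46501_ports="default"

server_app47000_ports="tcp/47000"
client_app47000_ports="default"

server_app2812_ports="tcp/2812"
client_app2812_ports="default"

router lan2internet inface eth1 outface eth0
    masquerade
    # Deliberately no 'route all accept': only the named services below are
    # forwarded, so P2P clients trying arbitrary ports fall through to the
    # router's default drop instead of being let out.
    route "icmp dns webcache ssh" accept
    route "app46501 app47000 app2812" accept

# Equivalent one-line form for a single service, using the 'custom' service
# (name, server ports, client ports, action), if you prefer not to define
# the variables above:
#   route custom app46501 tcp/46501 default accept
```

Re-run /etc/init.d/firehol start after the change; if FireHOL still reports an error it will name the offending line, as in the output above.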