From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Taylor, Grant"
Date: Wed, 27 Apr 2005 05:22:13 +0000
Subject: Re: [LARTC] IP2P & Skype question
Message-Id: <426F2185.4040009@riverviewtech.net>
List-Id:
References: <426CEBC7.9050505@pbltd.net>
In-Reply-To: <426CEBC7.9050505@pbltd.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

> Yes, I too have been reading these things asking myself why one would
> allow users such open access. One reason, of course, is that it is
> difficult to allow some http but not other, so if the port is 80, it
> pretty much has to be OK. So how would squid (or anything else except
> perhaps Level 7) know that this particular connection is A Bad Thing?

One word, er name, Squid (Caching Proxy). Squid is *WONDERFUL*. Squid has saved my life *SO* many times. The ACL system, though difficult to understand at first, is extremely flexible and easy to work with once you get down Squid's syntax. I can easily define an ACL as such:

acl my_acl_name dstdomain .domain_I_dont_like.tld
http_access deny my_acl_name

Squid works completely inside of the HTTP (layer 7) protocol, or FTP protocol, or many other protocols. These are just some of the benefits of using an application layer gateway.

> I have been successful at limiting the number of FTP connections per
> user using iptables' connlimit and helper. That's where I'd start. And
> if three turned out to be too many, I'd reduce connlimit to 2 for HTTP
> and 1 for FTP.
>
> iptables -N HTTP
> iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
> iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A HTTP -j RETURN

If the traffic that you are trying to connlimit is internal to your LAN I would recommend that you REJECT the traffic as this will prevent the client user agents from having to time out.

> iptables -A FORWARD -p tcp --dport 80 -j HTTP
> iptables -A FORWARD -p tcp --sport 80 -j HTTP
> iptables -A FORWARD -m helper --helper ftp -j HTTP
>
> In conjunction with my ACL (posted here a while back; it limits specific
> users to specific ports), the above would not be total deny, but it sure
> would put a dent in abuse.

Grant. . . .

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
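As an added example (not part of the thread, and not Grant's or the original poster's script), here is a small POSIX shell script that builds the per-source HTTP connlimit chain the thread discusses and applies Grant's suggestion of REJECTing over-limit connections from the LAN so client user agents get an immediate TCP reset instead of waiting for a timeout. The LAN range, the chain name, the connection cap, the use of `--syn` so only new connection attempts are evaluated against the cap, and the `IPTABLES` variable that defaults to a dry run (`echo`) are all assumptions of this example; set `IPTABLES=iptables` and run as root to actually load the rules.

```shell
#!/bin/sh
# Added example, not from the original LARTC thread.
# Per-source HTTP connection limiting with iptables connlimit. Over-limit
# attempts from inside the LAN are REJECTed with a TCP reset (per Grant's
# advice) so browsers fail fast; everything else over the cap is DROPped.
#
# Assumptions (constructed for this example, not from the thread):
#   LAN_NET  - internal network whose clients get REJECT instead of DROP
#   LIMIT    - connection cap per source address
#   IPTABLES - command used to emit rules; defaults to a dry run that
#              prints the rules instead of loading them.

LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed sample LAN range
LIMIT="${LIMIT:-3}"
IPTABLES="${IPTABLES:-echo iptables}"   # set IPTABLES=iptables to apply for real

# Emit the rules for a chain that caps new TCP connections per source.
#   $1 = chain name, $2 = connection cap, $3 = LAN network that gets REJECT
http_connlimit_rules() {
    chain=$1; cap=$2; lan=$3
    $IPTABLES -N "$chain"
    # Flows that are already up are never cut off by the cap.
    $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients over the cap get an immediate RST instead of a hang.
    $IPTABLES -A "$chain" -p tcp --syn -s "$lan" \
        -m connlimit --connlimit-above "$cap" -j REJECT --reject-with tcp-reset
    # Anyone else over the cap is dropped silently.
    $IPTABLES -A "$chain" -p tcp --syn \
        -m connlimit --connlimit-above "$cap" -j DROP
    $IPTABLES -A "$chain" -j RETURN
}

# Send forwarded web traffic through the chain, as in the thread.
#   $1 = chain name
hook_forward() {
    chain=$1
    $IPTABLES -A FORWARD -p tcp --dport 80 -j "$chain"
    $IPTABLES -A FORWARD -p tcp --sport 80 -j "$chain"
}

# Dry-run helper: returns how many iptables commands the chain rules emit,
# so the generated rule set can be checked without touching the firewall.
count_chain_rules() {
    ( IPTABLES=echo; http_connlimit_rules "$1" "$2" "$3" ) | wc -l | tr -d ' '
}

# Stand-alone run: print (or apply, if IPTABLES=iptables) the rule set.
http_connlimit_rules HTTP "$LIMIT" "$LAN_NET"
hook_forward HTTP
```

Run it once with the default dry run to review the rules, then again with `IPTABLES=iptables` to load them. The `--reject-with tcp-reset` option only applies to TCP, which is why the REJECT rule carries `-p tcp`; the ESTABLISHED,RELATED accept sits first so the cap only ever affects new connection attempts.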