* p2p: any suggestion?
From: Luca Ferrari @ 2005-04-28 17:28 UTC (permalink / raw)
To: linux-admin
Dear admins,
I've got a network of mine with a quite standard and simple configuration: a
Linux firewall with iptables and squid as web proxy. Now I'm fighting against
p2p, and using the ipt_p2p and ipt_ipp2p modules I blocked p2p, until my
users started using the proxy as a way to use p2p. My proxy has a simple rule
mechanism that denies access by selecting source IPs and MAC addresses at the same
time, but since a few users (like the boss) are unlocked, a few users started
changing their IP/MAC address in order to get unconditioned access. Now the
question, as you can see, is: how can I block them? I found that using the
browser rule in squid I can block p2p HTTP headers, but other programs like
Microsoft Money or antivirus update (AVG) cannot work any more. Has anyone done
this before? Any suggestion to definitively block this? Could DHCP solve the
problem, locking a MAC to a specific IP and thus denying the IP/MAC changes?
Thanks,
Luca
--
Luca Ferrari,
fluca1978@infinito.it
* Re: p2p: any suggestion?
From: Glynn Clements @ 2005-04-28 20:39 UTC (permalink / raw)
To: fluca1978; +Cc: linux-admin
Luca Ferrari wrote:
> I've got a network of mine with a quite standard and simple configuration: a
> Linux firewall with iptables and squid as web proxy. Now I'm fighting against
> p2p, and using the ipt_p2p and ipt_ipp2p modules I blocked p2p, until my
> users started using the proxy as a way to use p2p. My proxy has a simple rule
> mechanism that denies access by selecting source IPs and MAC addresses at the same
> time, but since a few users (like the boss) are unlocked, a few users started
> changing their IP/MAC address in order to get unconditioned access. Now the
> question, as you can see, is: how can I block them? I found that using the
> browser rule in squid I can block p2p HTTP headers, but other programs like
> Microsoft Money or antivirus update (AVG) cannot work any more. Has anyone done
> this before? Any suggestion to definitively block this?
Either:
a) require users to connect to the proxy via a VPN which requires
authentication, or
b) use intelligent switches which allow you to lock ports to a
specific MAC address.
Option b) requires buying new hardware, but it is transparent to the
user.
> Could DHCP solve the problem, locking a MAC to a specific IP and
> thus denying the IP/MAC changes?
Not if users can change their MAC addresses.
--
Glynn Clements <glynn@gclements.plus.com>
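
Added example, not part of either message in this thread: a small Python model of why an address-based proxy rule (or a DHCP reservation) cannot tell a cloned IP/MAC pair from the real one, while a per-port MAC lock on the switch can. All addresses, port names and function names are constructed for illustration.

```python
# Constructed sample data: every address and port name here is made up.
EXEMPT_PAIRS = {("192.168.1.10", "00:11:22:33:44:55")}  # the "unlocked" boss PC

# Switch port -> the single MAC address that port is locked to (option b).
PORT_LOCKS = {
    "port1": "00:11:22:33:44:55",  # boss
    "port2": "00:aa:bb:cc:dd:01",  # user A
    "port3": "00:aa:bb:cc:dd:02",  # user B
}

# Observed traffic as (switch port, source IP, source MAC).
FRAMES = [
    ("port1", "192.168.1.10", "00:11:22:33:44:55"),  # the real boss PC
    ("port2", "192.168.1.21", "00:aa:bb:cc:dd:01"),  # user A, own addresses
    ("port3", "192.168.1.10", "00:11:22:33:44:55"),  # user B presenting the boss's pair
]


def normalize_mac(mac):
    """Lower-case and use ':' separators so comparisons are consistent."""
    return mac.strip().lower().replace("-", ":")


def proxy_acl_allows(ip, mac):
    """Address-based rule: unrestricted access if the IP/MAC pair is exempt."""
    return (ip, normalize_mac(mac)) in EXEMPT_PAIRS


def port_lock_allows(port, mac):
    """Port lock: the frame is accepted only from the MAC bound to that port."""
    return PORT_LOCKS.get(port) == normalize_mac(mac)


def evaluate(frames):
    """Apply both checks to every frame and return one record per frame."""
    return [
        {"port": port, "ip": ip,
         "acl_exempt": proxy_acl_allows(ip, mac),
         "port_ok": port_lock_allows(port, mac)}
        for port, ip, mac in frames
    ]


def spoofed_exemptions(frames):
    """Frames the address-based rule exempts but the port lock rejects."""
    return [r for r in evaluate(frames) if r["acl_exempt"] and not r["port_ok"]]


if __name__ == "__main__":
    for record in evaluate(FRAMES):
        print(record)
    print("rejected by port lock:", spoofed_exemptions(FRAMES))
```

The first and third frames are indistinguishable to the proxy rule because it only sees the addresses the client chose to present; the switch port is the one attribute the user cannot set from the workstation.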