From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Adrian C."
Subject: Re: how to protect against peer-to-peer?
Date: Mon, 22 Nov 2004 15:53:54 +0200
Message-ID: <60a7468904112205532cc2467@mail.gmail.com>
References: <200411221127.53218.fluca1978@infinito.it> <001a01c4d098$b63639f0$530a0a0a@rutgersinsurance.com>
Reply-To: "Adrian C."
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <001a01c4d098$b63639f0$530a0a0a@rutgersinsurance.com>
Sender: linux-admin-owner@vger.kernel.org
List-Id:
Content-Type: text/plain; charset="us-ascii"
To: Adam Lang
Cc: linux-admin@vger.kernel.org

This is what I use. It disables torrents, emule, dc++. Kazaa... don't know.
But these can be used even over port 80 or, much simpler, over an http tunnel.

Be advised that BitComet and Azureus clients use a different range of ports.
You have to look for them yourself. They are not included here.

--Adrian.

# cut off emule/torrent
# BitTorrent 6881-6889, FastTrack/Kazaa 1214
iptables -A FORWARD -p tcp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 -j REJECT
iptables -A FORWARD -p udp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 -j REJECT
# Gnutella
iptables -A FORWARD -p tcp -m multiport --dports 6346,6347 -j REJECT
iptables -A FORWARD -p udp -m multiport --dports 6346,6347 -j REJECT
# eDonkey/eMule 4661,4662,4665,4672 and 4711 (eMule web interface); 8080 is also the usual HTTP-alternate port
iptables -A FORWARD -p tcp -m multiport --dports 4711,4665,4661,4672,4662,8080,9955 -j REJECT
iptables -A FORWARD -p udp -m multiport --dports 4711,4665,4661,4672,4662,8080,9955 -j REJECT
iptables -A FORWARD -p tcp --dport 4242:4299 -j REJECT
iptables -A FORWARD -p udp --dport 4242:4299 -j REJECT
# whole BitTorrent range
iptables -A FORWARD -p tcp --dport 6881:6999 -j REJECT
iptables -A FORWARD -p udp --dport 6881:6999 -j REJECT

On Mon, 22 Nov 2004 08:39:38 -0500, Adam Lang wrote:
> Two ways to go about it.
>
> First, block ALL outgoing ports and open only those needed to work (port 80
> from the Squid machine, etc.)
>
> Second, have management reprimand the people that have these programs
> installed on their computers. If they continue them, management has to take
> action. Also, they should put out a definitive policy on such use first and
> then give a "week amnesty period".
>
> The only truly effective way to deal with such programs is through
> management. Put will find out emule isn't so great when it costs them their
> jobs.
>
> ----- Original Message -----
> From: "Luca Ferrari"
> To:
> Sent: Monday, November 22, 2004 5:27 AM
> Subject: how to protect against peer-to-peer?
>
> > Hi,
> > in my network users are increasing the amount of peer-to-peer traffic (e-mule,
> > winmx), how can I deny the above traffic? I'm using iptables and squid on my
> > linux firewall, but I don't know if there's a specific port to lock or
> > something else I can use to recognize the "bad" packet in the network
> > traffic.
> >
> > Thanks,
> > Luca
> > --
> > Luca Ferrari,
> > fluca1978@infinito.it
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
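The port-based block Adrian posted, reworked as an added example (my own script, not code from anyone in the thread): the same port groups go into a dedicated chain that logs a match before rejecting it, and a small awk summary over the kernel log shows which LAN hosts are tripping the rules, which is the evidence Adam's "have management act" approach needs. It assumes LAN traffic crosses the FORWARD chain, that kernel log lines reach syslog, and that the chain name P2P_BLOCK, the log prefixes and the sample log lines are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: LAN traffic crosses the
# FORWARD chain, the kernel log reaches syslog, and the chain name P2P_BLOCK and
# the log prefixes are my own choice (iptables >= 1.4.11 for the -C check).

# Port groups taken from Adrian's rule set; one group per line: "ports label".
# A multiport list may hold at most 15 ports, a range a:b counting as two.
# Note 8080 is also the usual HTTP-alternate port, so review its log hits.
P2P_PORTS='6881:6999 bittorrent
6346,6347 gnutella
1214 fasttrack
4661,4662,4665,4672,4711 edonkey
4242:4299,8080,9955 other'

# Print the iptables commands for a dedicated chain that logs (rate limited)
# and then rejects; pipe the output into sh as root to apply it.
p2p_rules() {
    printf '%s\n' 'iptables -N P2P_BLOCK 2>/dev/null || iptables -F P2P_BLOCK'
    printf '%s\n' "$P2P_PORTS" | while read -r ports label; do
        for proto in tcp udp; do
            printf '%s\n' "iptables -A P2P_BLOCK -p $proto -m multiport --dports $ports -m limit --limit 6/min -j LOG --log-prefix \"P2P_BLOCK $label: \""
            printf '%s\n' "iptables -A P2P_BLOCK -p $proto -m multiport --dports $ports -j REJECT"
        done
    done
    printf '%s\n' 'iptables -C FORWARD -j P2P_BLOCK 2>/dev/null || iptables -I FORWARD -j P2P_BLOCK'
}

# Read kernel LOG lines on stdin and print "hits SRC label", most hits first,
# so the admin can see which internal hosts run which client.
summarise_p2p_log() {
    awk '/P2P_BLOCK / {
        for (i = 1; i <= NF; i++) {
            if ($i == "P2P_BLOCK") { label = $(i + 1); sub(/:$/, "", label) }
            if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        hits[src " " label]++
    } END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2
}

# Constructed sample log lines (one unrelated kernel line to show filtering).
SAMPLE_LOG='Nov 22 15:53:54 fw kernel: P2P_BLOCK bittorrent: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=43210 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:53:55 fw kernel: P2P_BLOCK bittorrent: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=43211 DPT=6889 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:54:01 fw kernel: P2P_BLOCK edonkey: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=4672 DPT=4672 LEN=28
Nov 22 15:54:02 fw kernel: martian source 10.0.0.1 from 192.168.1.1, on dev eth0'

printf '%s\n' "$SAMPLE_LOG" | summarise_p2p_log
```

Run `p2p_rules` first and read the generated commands before piping them into `sh`; on a live box, feed `grep P2P_BLOCK /var/log/kern.log` (path varies by distribution) into `summarise_p2p_log` instead of the sample.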