From: "hare ram"
To: ads nat, netfilter@lists.netfilter.org
Subject: Re: Blocking file type by iptables?
Date: Mon, 25 Aug 2003 11:10:00 +0530
Message-ID: <007e01c36acb$59e39be0$c2bf09ca@Housecall>
References: <20030825025854.10696.qmail@web20712.mail.yahoo.com>

Hi

If you want to block Kazaa, use STRING from POM; it will work great.

hare

----- Original Message -----
From: ads nat
To: George Vieira; netfilter@lists.netfilter.org
Sent: Monday, August 25, 2003 8:28 AM
Subject: RE: Blocking file type by iptables?

Even if you block all ports except 80, Kazaa manages to access through port 80. So I don't think this will work.

Thanks

George Vieira <georgev@citadelcomputer.com.au> wrote:

No, because this is a bad idea. Not only does the CPU have a bad day going through every packet sniffing for file extensions, but also other innocent data can get blocked when it shouldn't be..

1. The only thing you can do is block all outgoing/incoming ports and allow only some (25, 80).
2. Use a transparent squid proxy to limit access and get it to use regex expressions on URLs you may also want to block.
3. Block any and all MSN/Kazaa/ICQ server addresses.

You could also set up a fake primary DNS domain like aol.com and icq.com and point it to yourself... this is what I've done for ICQ to stop those damn ads.. if the clients can't resolve the DNS for those domains then they also can't connect. But then they get smart and put a hosts file in their machine.. ;)

Thanks,
____________________________________________
George Vieira
Systems Manager
Citadel Computer Systems Pty Ltd
georgev AT citadelcomputer DOT com DOT au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
http://www.citadelcomputer.com.au

-----Original Message-----
From: ads nat [mailto:adsnat@yahoo.com]
Sent: Monday, August 25, 2003 2:22 AM
To: netfilter@lists.netfilter.org
Subject: Blocking file type by iptables?

Hi,

I have gone through the mail archives to check whether it can be blocked. I also checked the squid mailing list. But there is no definite solution to block Kazaa file downloads. I would like to know whether, using iptables, I can block a particular type of file. If I block .mpeg, .mp3 files through iptables then it does not matter from which site the file is coming. It will get blocked.

Any suggestions and solutions.

Thanks
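The thread compares three ways of stopping Kazaa traffic: a port allow list (which ads nat reports Kazaa walks straight through on port 80), the patch-o-matic STRING match on raw packet payload (hare's suggestion, with George's warning that innocent data gets caught), and a transparent squid proxy applying a regex to request URLs. The following is an added example, not code from anyone in the thread: a small Python model of the payload-string check and the URL-regex check run over a few constructed HTTP payloads, all on port 80 so the port filter passes every one of them. The `X-Kazaa-` request header used as the Kazaa pattern is an assumption for this example; the thread names no pattern.

```python
import re

# Constructed sample TCP payloads, all to destination port 80, so an
# allow list of ports (25, 80) lets every one of them through.
SAMPLES = {
    # a plain HTTP download of an .mp3 file
    "mp3_download": b"GET /music/track01.mp3 HTTP/1.1\r\nHost: files.example\r\n\r\n",
    # an innocent HTML response that merely mentions ".mp3" in its text
    "innocent_page": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<p>We no longer host .mp3 files here.</p>"),
    # a Kazaa-style request tunnelled over port 80; the X-Kazaa-* header
    # name is assumed for this example and is not taken from the thread
    "kazaa_on_80": (b"GET /.hash=0123456789abcdef HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                    b"X-Kazaa-Username: someone\r\n\r\n"),
    # ordinary web browsing
    "normal_page": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
}


def string_match(payload: bytes, patterns) -> bool:
    """Model of the STRING match: drop if any pattern occurs anywhere in the
    payload. It knows nothing about HTTP, so it also fires on responses,
    page text and anything else that happens to contain those bytes."""
    return any(p in payload for p in patterns)


REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


def url_match(payload: bytes, url_regex: bytes) -> bool:
    """Model of a squid url_regex ACL: parse the HTTP request line and test
    the regex against the requested URL only. Responses, page bodies and
    non-HTTP traffic never match, which removes the false positive, but the
    check only sees traffic the proxy can parse as an HTTP request."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return False
    return re.search(url_regex, m.group(1)) is not None


def classify(payload: bytes) -> dict:
    """Run one payload through the checks discussed in the thread."""
    return {
        "blocked_by_extension_string": string_match(payload, [b".mp3", b".mpeg"]),
        "blocked_by_kazaa_string": string_match(payload, [b"X-Kazaa-"]),
        "blocked_by_url_regex": url_match(payload, rb"\.(mp3|mpeg)(\?|$)"),
    }


def report() -> dict:
    """Verdict of every check for every sample, keyed by sample name."""
    return {name: classify(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:14s} {verdict}")
```

Running it shows the trade-off George describes: the extension string check drops the innocent page because its HTML happens to contain ".mp3", while the URL regex only fires on the actual request for track01.mp3. It also shows why hare's advice works where the port filter does not: the Kazaa request carries no file extension and rides on port 80, so only a pattern aimed at the protocol itself (here the assumed `X-Kazaa-` header) catches it. The in-kernel equivalent of the patch-o-matic STRING match in current iptables is `-m string --algo bm --string "X-Kazaa-"`; restricting such a rule with `-p tcp --dport 80` keeps the per-packet scan George warns about off traffic that cannot be HTTP.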