Linux Netfilter discussions
From: Kristian Hald <kristian@hald.net>
To: netfilter@lists.netfilter.org
Subject: Re: how to block p2p
Date: Thu, 11 Mar 2004 15:47:50 +0100
Message-ID: <40507C16.3070304@hald.net>
In-Reply-To: <40506957.8050609@o2.pl>

Hello,

> - don't block normal P2P ports. It won't solve much because the user or 
> the program (Kazaa automatically) changes ports to avoid such a block. 
> Besides, if you don't block the port you can easily spot P2P connections 
> in a program like IPTRAF (which helps diagnosing).
> - do QoS on your router, forcing every packet from HTTP... to have 
> priority over non-standard ports.
> - to filter connections on normal ports (HTTPS) use layer-7 filters 
> like squid (for HTTP, FTP and HTTPS); for other programs 
> (SMTP, POP3, NEWS...) use layer-7 filters.
> - this should help you squash around 95% of downloaders. The other 5% 
> you're going to slay using IPTRAF + normal user punishing :D
>
> One more thing which is good. P2P programs like to use a lot of 
> connections. Limit the number of connections per user to, let's say, 20-30 
> (I'm guessing here :). This is the easiest to do with a proper 
> iptables filter :)


I'm more for blocking P2P standard ports, but remember to log 
information on those ports, since eDonkey and others try to connect to 
other users who use standard ports. These are then registered and 
blocked, so you are both able to log and make sure that they can't use any 
bandwidth.
Specifically with Kazaa I'm using FTwall (P2PWall) from sourceforge. 
It blocks Kazaa quite well.
The user can of course change the port, but I would recommend blocking 
connections going to standard P2P ports (blocking both src and dest 
ports). That way a lot of connections are denied, thereby not using 
bandwidth.

QoS is a good idea if there are services you know you'll need, like 
mail, SSH, HTTP and so on. (Going to do that in the next firewall update.)

Best regards
Kristian Hald
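The approach discussed in this thread (block the well-known P2P ports on both source and destination side, log the hits, and cap the number of concurrent connections per internal host) as an added example; this is not code from the original posts or from FTwall. The port list, the internal network 192.168.0.0/24, the connection limit of 30 and the chain name P2P are assumptions for illustration. The script defaults to a dry run that only prints the iptables commands; set IPTABLES=/sbin/iptables to apply them. The connlimit match was a patch-o-matic extension at the time of this thread and is in mainline iptables today.

```shell
#!/bin/sh
# Added example, not from the original post: generate iptables rules that
# block standard P2P ports in both directions, log matches (rate-limited),
# and cap concurrent TCP connections per internal host.
# IPTABLES=echo (the default) prints the rules instead of applying them.
IPTABLES="${IPTABLES:-echo}"

# Assumed default ports; adjust for your site.
# FastTrack/Kazaa 1214, eDonkey 4661-4662, Gnutella 6346-6347, BitTorrent 6881-6889
P2P_TCP_PORTS="1214 4661 4662 6346 6347 6881:6889"
# eDonkey UDP 4665, Gnutella UDP 6346
P2P_UDP_PORTS="4665 6346"
CONN_LIMIT="${CONN_LIMIT:-30}"          # assumed per-host limit (the quoted mail guesses 20-30)
LAN="${LAN:-192.168.0.0/24}"            # assumed internal network

# Emit a LOG rule (rate-limited so a busy client cannot flood syslog)
# followed by a DROP rule for one port in one direction (sport or dport).
block_port() {
    proto="$1"; dir="$2"; port="$3"
    $IPTABLES -A P2P -p "$proto" --"$dir" "$port" -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-prefix "P2P-$proto-$dir:" --log-level info
    $IPTABLES -A P2P -p "$proto" --"$dir" "$port" -j DROP
}

gen_p2p_rules() {
    $IPTABLES -N P2P
    $IPTABLES -F P2P
    for p in $P2P_TCP_PORTS; do
        block_port tcp dport "$p"   # our users connecting out to standard ports
        block_port tcp sport "$p"   # remote peers on standard ports connecting in
    done
    for p in $P2P_UDP_PORTS; do
        block_port udp dport "$p"
        block_port udp sport "$p"
    done
    # Cap new TCP connections per internal host; reset so the client gives up quickly.
    $IPTABLES -A P2P -p tcp --syn -s "$LAN" -m connlimit --connlimit-above "$CONN_LIMIT" \
        -j REJECT --reject-with tcp-reset
    $IPTABLES -A P2P -j RETURN
    # Hook the chain in front of whatever ACCEPT rules FORWARD already has.
    $IPTABLES -I FORWARD 1 -j P2P
}

gen_p2p_rules
```

Logged packets carry the prefix P2P-<proto>-<dir>: so a later pass over syslog can tell "our user dialled out to a standard port" (dport) from "a remote peer on a standard port dialled in" (sport); the latter is the eDonkey behaviour the reply above refers to.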




Thread overview: 16+ messages
2004-03-11  8:37 how to block p2p Tomasz Macioszek
2004-03-11  9:01 ` Ray Leach
2004-03-11  8:59   ` Antony Stone
2004-03-11  9:21     ` Eric Leblond
     [not found]     ` <003301c40749$b68e4280$2a245cc2@cea05>
2004-03-11  9:26       ` Antony Stone
2004-03-11  9:39         ` Alexander Samad
2004-03-11 10:17           ` Kristian Hald
2004-03-11  9:10   ` Antony Stone
2004-03-11  9:38     ` Alexander Samad
2004-03-11 13:27 ` Krystian
2004-03-11 14:47   ` Kristian Hald [this message]
2004-03-11 18:00   ` Bob Keyes
2004-04-05 15:05     ` Michael Gale
2004-04-05 15:09 ` Michael Gale
  -- strict thread matches above, loose matches on Subject: below --
2004-03-11 11:27 Babar Kazmi
2004-03-11 11:45 ` Antony Stone
