I would look at a commercial web filtering product like Smartfilter and then run this on top of Squid, all inside your firewall/router/traffic shaping box. And then use Smartfilter to restrict downloads of any MP3 or other stuff like that. The Smartfilter subscription should keep up with the rapidly moving IP addresses of these things and then you can set filtering policies at an application level. Imho it's a losing battle to set application filtering policies at the packet level.

- Greg Scott

-----Original Message-----
From: GoMi [mailto:gomiuk@hotmail.com]
Sent: Tuesday, May 13, 2003 7:54 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] KaZZaa and connection sequences

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there, I am having big trouble with traffic shaping and KaZaA; for some reason, it seems to collapse the whole system. I have a firewall to stop users using P2P programs during daytime, and then it's totally free for them to access anywhere during night-time.

First problem... KaZaA
During daytime, there are KaZaA servers accepting connections on port 80, and because I can't filter that port, my users can download. I have tried to study the sequence of KaZaA programs using tcpdump, but I got no conclusions. Does anybody know how to distinguish between HTTP connections and KaZaA?

Second problem... KaZaA (hehehe)
During night-time, I register lots of ACK packets due to KaZaA programs; anybody in the same situation?

I just read about layer-7 filtering, but I can't change my kernel right now, so I want to try as much as I can with packet filtering.. Anybody here?

Thank you
GoMi

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPsDqz37diNnrrZKsEQKkTwCeMuH0YpDT7Qxg6XMdycivAYUqgM4AniF0
fo6yBE3P1OqqZrKHt5t7fxaf
=Z00o
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hi,

> I just read about layer-7 filtering, but I can't change my kernel right
> now, so I want to try as much as I can with packet filtering.. Anybody here?

I don't think you will be able to do anything about it without Layer-7 filtering. I think (and I may be wrong in this for the time being) that KaZaA uses SSL, so reading the payload content is going to be impossible.

However, if there are servers running on port 80, you can see if it looks like a valid HTTP request. If it doesn't, you drop it, because it is probably some kind of a P2P application using the port. I don't know how good the current generation of P2P applications is at masquerading as legitimate HTTP traffic. tcpdump will tell you more about that.

Unfortunately, there are also likely to be servers out there that run on port 443 (HTTPS), which you probably cannot or don't want to block. And since that is supposed to run over SSL, you are rather out of luck... Same goes for any valid port used for SSL communication.

So, in conclusion, even Layer-7 filtering will not help you if/when the communication is encrypted...

Regards.

Gordan
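The "does it look like a valid HTTP request?" check suggested above, written out as an added example (not code from the thread or from any poster): a small classifier that takes the first client-to-server bytes of a port-80 stream and accepts them only if they parse as an RFC 2616 request line followed by well-formed header lines. The sample payloads are constructed for illustration, not real captures, and the function names are this example's own. As the post itself warns, anything that sends genuine-looking HTTP headers passes this check; it only catches traffic that does not bother to look like HTTP at all.

```python
import re

# Added example (not from the LARTC thread): the "does it look like a valid HTTP
# request?" heuristic for traffic arriving on port 80, written as a pure-Python
# classifier that can be run over the first client->server bytes of each stream.
# Sample payloads at the bottom are constructed, not real captures.

_METHODS = (b"OPTIONS", b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"TRACE", b"CONNECT")

# Request-Line = Method SP Request-URI SP HTTP-Version (RFC 2616 section 5.1)
_REQUEST_LINE = re.compile(
    rb"^(" + b"|".join(_METHODS) + rb") "   # Method
    rb"(\*|[!-~]+) "                        # Request-URI: '*' or printable ASCII without spaces
    rb"HTTP/1\.[01]$"                       # HTTP-Version
)

# message-header = field-name ":" [ field-value ]; field-name is an RFC 2616 token
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[ -~\t]*$")
_PRINTABLE = re.compile(rb"[ -~\t]*")


def looks_like_http_request(payload: bytes, max_header_lines: int = 64) -> bool:
    """True if the leading client->server bytes parse as an HTTP/1.x request.

    The payload may be a partial header block (one segment), so an unfinished
    trailing line is accepted as long as it is still printable ASCII.
    """
    if b"\r\n" not in payload:
        return False                      # not even one complete request line
    lines = payload.split(b"\r\n")
    if not _REQUEST_LINE.match(lines[0]):
        return False
    complete, trailing = lines[1:-1], lines[-1]   # complete lines ended in CRLF
    saw_end_of_headers = False
    for n, line in enumerate(complete):
        if n >= max_header_lines:
            return False                  # absurdly long header block
        if line == b"":
            saw_end_of_headers = True     # blank line: everything after is body
            break
        if not _HEADER_LINE.match(line):
            return False
    if not saw_end_of_headers and not _PRINTABLE.fullmatch(trailing):
        return False                      # unfinished header line contains binary junk
    return True


# Constructed sample payloads, labelled by what they imitate.
SAMPLES = {
    "browser":       b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "partial":       b"POST /upload HTTP/1.0\r\nContent-Length: 12\r\nContent-Ty",
    "binary":        b"\x00\x01\x02\x03\xff\xfe\r\n\x80\x81",
    "bad_method":    b"HELLO /share/file.mp3 HTTP/1.1\r\n",
    "bogus_headers": b"GET / HTTP/1.1\r\n\x00\x01\x02\x03\r\n\r\n",
}


def classify(samples):
    """Map each sample name to the verdict a port-80 filter would apply."""
    return {name: ("accept" if looks_like_http_request(p) else "drop")
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:14s} -> {verdict}")
```

Feed it the payload of the first data segment of each port-80 connection (for instance extracted from a tcpdump capture) and drop or rate-limit the flows it rejects. The partial-segment handling matters in practice: a browser's headers often span more than one segment, so rejecting a stream because its first segment ends mid-header would break legitimate browsing.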
> I don't think you will be able to do anything about it without Layer-7
> filtering. I think (and I may be wrong in this for the time being) that KaZaA
> uses SSL, so reading the payload content is going to be impossible.

KaZaA most definitely does not use SSL.
Original Message:
-----------------
From: GoMi gomiuk@hotmail.com

> Hi there, I am having big trouble with traffic shaping and KaZaA; for some
> reason, it seems to collapse the whole system. I have a firewall to stop
> users using P2P programs during daytime, and then it's totally free for them
> to access anywhere during night-time.
>
> First problem... KaZaA
> During daytime, there are KaZaA servers accepting connections on port 80,
> and because I can't filter that port, my users can download. I have tried to
> study the sequence of KaZaA programs using tcpdump, but I got no
> conclusions. Does anybody know how to distinguish between HTTP connections
> and KaZaA?

KaZaA is hard to stop. Did you already know that when you sniff your clients' connections using KaZaA, there is a random TCP port range from 1214 until 4000 connecting from your clients to random and numerous IPs outside? So perhaps you need to shape all protocols going to your clients. That worked for me.

If what you want in daylight is just web browsing, you could use Squid as a bandwidth limiter with its delay pool, and iptables to block all outgoing connections except port 80.

Regards,
Rio Martin.
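The day/night policy described in this thread (only web browsing during the day, everything open at night) combined with Rio's "Squid delay pool plus iptables" suggestion, as an added example that is not from the thread or from any poster. The interface name, client network and proxy port are assumed placeholders; the script prints the rule sets so they can be reviewed, and only applies them when invoked with `day` or `night`. Two things go beyond the post: port 80 is redirected into Squid so the delay pool actually sees all web traffic, and DNS is allowed because browsing does not work without it.

```sh
#!/bin/sh
# Added example, not from the LARTC thread: a day/night policy switch in the
# spirit of "iptables to block all outgoing except port 80", plus a Squid
# delay-pool fragment for per-host bandwidth limiting.
# LAN_IF, LAN_NET and PROXY_PORT are assumed placeholder values.

LAN_IF="${LAN_IF:-eth0}"                 # assumed: LAN-facing interface of the router
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed: client network
PROXY_PORT="${PROXY_PORT:-3128}"         # assumed: port Squid listens on, on the router

# Daytime: web traffic from the LAN is redirected into Squid (so the delay pool
# applies to it), DNS is allowed, and every other forwarded connection is
# dropped. A P2P session on a random port therefore never leaves the LAN.
daytime_rules() {
    cat <<EOF
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
EOF
}

# Night-time: forwarding is wide open again and the proxy redirect is removed.
nighttime_rules() {
    cat <<EOF
iptables -t nat -F PREROUTING
iptables -F FORWARD
iptables -P FORWARD ACCEPT
EOF
}

# squid.conf fragment: one class-2 delay pool, no aggregate cap, every client
# host limited to 8000 bytes/s with an 8000-byte bucket.
squid_delay_pool_conf() {
    cat <<EOF
acl localnet src $LAN_NET
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 8000/8000
delay_access 1 allow localnet
delay_access 1 deny all
EOF
}

# Run as root from cron, e.g. "policy.sh day" in the morning and "policy.sh night"
# in the evening; "policy.sh squid" prints the fragment to append to squid.conf.
case "$1" in
    day)   daytime_rules | sh ;;
    night) nighttime_rules | sh ;;
    squid) squid_delay_pool_conf ;;
    *)     ;;
esac
```

Because the daytime FORWARD policy is DROP, the nat REDIRECT is what keeps browsing working: Squid's own outbound connections leave through the router's OUTPUT chain, not FORWARD. This also closes the gap GoMi describes, since a server that accepts connections on port 80 is now reached through the proxy and is subject to its delay pool and its access lists.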