Hello to all.

I want to block hopster (http://www.hopster.com/) to drop tunnel connections.

Is it possible using shorewall?

Many thanks,
Wilson Galafassi

On Thursday 13 April 2006 14:42, Wilson A. Galafassi Jr. wrote:
> Hello to all.
>
> I want to block hopster (http://www.hopster.com/) to drop tunnel
> connections.
>
> Is it possible using shorewall?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Odd, I'm just starting a similar service, only using tunneling over HTTPS (port 443) and using OpenVPN.

Hopster, I believe, can be blocked by blocking the IP ranges their servers use (or DNS addresses). A similar service (httptunnel) used server2.httptunnel.com, which made it easy to look up and find IPs for. I recommend a per-IP approach. I would recommend using the service yourself, and sniffing their IP or domain name(s).

Good luck...

Jan

On Thursday 13 April 2006 14:51, Jan Mulders wrote:
> Odd, I'm just starting a similar service, only using tunneling over HTTPS
> (port 443) and using OpenVPN. Hopster, I believe, can be blocked by
> blocking the IP ranges their servers use (or DNS addresses). A similar
> service (httptunnel) used server2.httptunnel.com, which made it easy to
> look up and find IPs for. I recommend a per-IP approach. I would recommend
> using the service yourself, and sniffing their IP or domain name(s).

And tomorrow, they will be hosted somewhere else -- using IP address filtering to stop this sort of thing is a never-ending job. That's why I prefer to use different solutions (such as Squid/Dansguardian).

Of course, I speak from a position of indifference -- if my wife and my dog want to use that sort of service, I'm not going to try to stop them :-)

-Tom

Is it possible using squid/dansguardian? How?

Wilson

I do not know the specifics, but I believe if you 'cap' the number of HTTP POST/GET requests to the same server using Squid rules, within short spaces of time, you can cripple it.

HTTP tunneling is notoriously hard to block, but speaking from experience RIPE allocations for strange IP ranges are quite difficult to get hold of (i.e., they'll try to give you ones close to your existing range).

Depends on the scale of the operation - how many users do you have, and how concerned are they going to be if the service is slow?

Jan

I have about 100 users.

Thanks

Jan Mulders wrote:
> I do not know the specifics, but I believe if you 'cap' the number of HTTP
> POST/GET requests to the same server using Squid rules, within short spaces
> of time, you can cripple it.
>
> Depends on the scale of the operation - how many users do you have, and how
> concerned are they going to be if the service is slow?
>
> Jan

Be careful with this though. It can end up causing more trouble and annoyance than good.

I find the 'user control' issue in general a sliding scale:

Effective & obtrusive to users <--------------> ineffective and unobtrusive to users

IP blocking is closer to ineffective and unobtrusive, and will probably do if you can identify users who are using Hopster's servers (i.e., they're using loads of bandwidth).

Squid and some advanced rules is effective, but also obtrusive to users, as it's borderline content control. You may end up making them rely on the service, if it blocks things that they'd normally have access to.

You might want to consider a different solution - use a package (can't remember the name offhand) that will sniff traffic on an interface, and allow you to create detailed per-user statistics on it. Hopster and the like use many connections, so if you identified a user who was making 4,000 connections a day to one website, and it wasn't google, you'd probably have your culprit.

Once again, it's a matter of how much time and effort you're willing to invest. You might be better off giving them an ear-bashing instead, and maybe talk to some higher-ups to see if you can enforce some punishments. Fear is a very powerful tool.

Jan

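The per-user connection count described in the message above, as an added example that is not part of the original thread. It assumes the data source is a Squid access.log in Squid's native format rather than the unnamed sniffer package; the log lines, addresses and host names are constructed, and the 4,000-per-day threshold and the google exemption are taken from the post.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1144964520.101    245 192.168.1.23 TCP_MISS/200 1523 POST http://relay.tunnel.example/a - DIRECT/203.0.113.10 text/html
1144964521.310    198 192.168.1.23 TCP_MISS/200 1490 POST http://relay.tunnel.example/b - DIRECT/203.0.113.10 text/html
1144964522.040    201 192.168.1.23 TCP_MISS/200 1502 GET http://relay.tunnel.example/c - DIRECT/203.0.113.10 text/html
1144964530.500     90 192.168.1.40 TCP_MISS/200 5120 GET http://www.google.com/search?q=x - DIRECT/198.51.100.7 text/html
1144964531.500     85 192.168.1.40 TCP_MISS/200 5001 GET http://www.google.com/search?q=y - DIRECT/198.51.100.7 text/html
1144964532.500     88 192.168.1.40 TCP_MISS/200 4800 GET http://www.google.com/search?q=z - DIRECT/198.51.100.7 text/html
1144964540.000   3000 192.168.1.51 TCP_MISS/200 900 CONNECT mail.example.org:443 - DIRECT/198.51.100.9 -
this line is malformed and is skipped
"""

def dest_host(method, url):
    """Return the destination host; CONNECT entries log host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def heavy_talkers(lines, threshold=4000, allow=("google.com",)):
    """Return sorted (day, client, host, count) tuples with count >= threshold."""
    counts = Counter()
    for line in lines:
        f = line.split()
        if len(f) < 7:
            continue  # too short to be an access.log entry
        try:
            day = datetime.fromtimestamp(float(f[0]), tz=timezone.utc).date().isoformat()
        except ValueError:
            continue  # first field is not a Unix timestamp
        host = dest_host(f[5], f[6])
        # Skip exempted sites and their subdomains (the "it wasn't google" case).
        if not host or any(host == a or host.endswith("." + a) for a in allow):
            continue
        counts[(day, f[2], host)] += 1
    return sorted(k + (n,) for k, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    # Threshold lowered to 3 so the small constructed sample produces a hit.
    for row in heavy_talkers(SAMPLE_LOG.splitlines(), threshold=3):
        print(*row)
```

Counting per day and per destination host rather than per IP keeps the report useful when the tunnel service moves to new addresses, which is the weakness of IP filtering raised earlier in the thread.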
Jan Mulders wrote:
> You might want to consider a different solution - use a package (can't
> remember the name offhand) that will sniff traffic on an interface, and
> allow you to create detailed per-user statistics on it. Hopster and the like
> use many connections, so if you identified a user who was making 4,000
> connections a day to one website, and it wasn't google, you'd probably have
> your culprit.

Also there is a possibility of restricting desktop app installation or execution.

> You might be better off giving them an ear-bashing instead, and
> maybe talk to some higher-ups to see if you can enforce some punishments.

I like this last solution hehe :-) but it does not always work. Maybe not punishment, but education about the acceptable use policies. Not all tech problems have tech solutions ;-)

> Fear is a very powerful tool.

One of the most powerful on earth ;)