Hi. How can I block all connections from the p2p programs (Emule, Bittorrent, etc.) with Shorewall? Thank you very much. Bye.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
shacky wrote:

> How can I block all connections from the p2p programs (Emule,
> Bittorrent, etc.) with Shorewall?

Short answer - you can't !

These programs have had a lot of effort put into them to make them work in all sorts of broken networks. If it was as simple as blocking (for example) SMTP then all you would need to do was block connection attempts to a well known port. However, these systems are designed to work in an agile manner because so many networks have routers/firewalls that are either broken because they were designed by numpties, or broken because someone thought they could block p2p !

You might want to search the archives for some more involved answers to previous queries along those lines - there were some suggestions.
On Mon, Nov 26, 2007 at 08:29:03PM +0000, Simon Hobson wrote:
> shacky wrote:
>
> > How can I block all connections from the p2p programs (Emule,
> > Bittorrent, etc.) with Shorewall?
>
> Short answer - you can't !
>
> ...
>
> You might want to search the archives for some more involved answers
> to previous queries along those lines - there were some suggestions.

My general approach is to block all connections to and from untrusted systems. Mail goes through the local mail server, web access goes through squid, DNS goes through bind. It still won't stop anybody who really wants to and knows what they're doing. I could get past it. I figure that anybody like that deserves to get past it.
> Short answer - you can't !

So the only way is to remove the masquerading and to use Squid and allow only port 80 (not 443) and disable the CONNECT method on port 80?
On Mon, Nov 26, 2007 at 11:30:55PM +0100, shacky wrote:
> > Short answer - you can't !
>
> So the only way is to remove the masquerading and to use Squid and
> allow only port 80 (not 443) and disable the CONNECT method on
> port 80?

No, but it's one way. All the others are similarly invasive.
Andrew Suffield wrote:
> On Mon, Nov 26, 2007 at 11:30:55PM +0100, shacky wrote:
>
> >>> Short answer - you can't !
> >>>
> >> So the only way is to remove the masquerading and to use Squid and
> >> allow only port 80 (not 443) and disable the CONNECT method on
> >> port 80?
> >>
>
> No, but it's one way. All the others are similarly invasive.
>

I have set up squid as a transparent proxy, and configured redirect rules in shorewall. I have then severely throttled 443.

Almost all other ports are blocked with the exception of 25 and 587 for SMTP, and 110 for POP3.

I have found this to be effective for hobbling most P2P and Skype as well. They will still actually "work", but they are so slow (P2P) or jittery (Skype) that the users just give up.

Regards,
T
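The approach Andrew and T describe (a default-deny egress policy from the LAN, explicit accepts for the mail ports, plain HTTP redirected into a transparent Squid, and Squid itself restricted to port 80 with CONNECT refused, as shacky asked) can be written as a small Shorewall and Squid configuration. The following is an added example, not T's or Andrew's own configuration and not taken from the Shorewall project; it assumes the zone names "loc" (LAN) and "net" (Internet), a Squid on the firewall box listening on 3128, the Shorewall 3.x/4.x column layout, and a constructed LAN range of 192.168.1.0/24.

```conf
# /etc/shorewall/policy  -- added example, not the list poster's configuration
# Assumed zones: loc = LAN, net = Internet, $FW = the firewall itself
#SOURCE   DEST    POLICY   LOG LEVEL
$FW       net     ACCEPT
# Nothing leaves the LAN unless a rule in /etc/shorewall/rules allows it
loc       net     REJECT   info
loc       $FW     REJECT   info
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules
#ACTION    SOURCE   DEST    PROTO   DEST PORT(S)
# Plain HTTP from the LAN is handed to the transparent Squid on the firewall (assumed port 3128)
REDIRECT   loc      3128    tcp     80
# The only direct paths out of the LAN: SMTP/submission and POP3, the ports T listed
ACCEPT     loc      net     tcp     25,587
ACCEPT     loc      net     tcp     110
# HTTPS cannot be intercepted by the proxy, so it must be allowed directly;
# T rate-limited it instead of allowing it freely (tc shaping, not shown here)
ACCEPT     loc      net     tcp     443
# LAN hosts resolve only through the local resolver on the firewall;
# only the firewall is allowed to query the Internet
ACCEPT     loc      $FW     udp     53
ACCEPT     loc      $FW     tcp     53

# /etc/squid/squid.conf  -- relevant lines only (Squid 2.6 "transparent";
# Squid 3.1+ spells the same option "intercept")
http_port 3128 transparent
# Replace the stock list of Safe_ports lines with this single entry
acl Safe_ports port 80
acl CONNECT method CONNECT
acl localnet src 192.168.1.0/24        # assumed LAN range
# No CONNECT tunnelling, so the proxy cannot be used to carry arbitrary TCP
http_access deny CONNECT
# The proxy only ever connects to destination port 80
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
```

Two points to keep in mind when adapting this. First, the blocking is done by the REJECT policy and the short list of ACCEPT rules, not by removing NAT: the ports that are allowed directly (25, 587, 110, 443) still need an entry in /etc/shorewall/masq for the external interface, or private LAN addresses will not reach the Internet at all. Second, the CONNECT denial in Squid only matters for clients that are configured to use the proxy explicitly; intercepted port-80 traffic never carries CONNECT, but the deny line keeps a browser that discovers the proxy address from tunnelling anything else through it.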
What about using the Application Layer Packet Classifier for Linux (http://l7-filter.sourceforge.net/) to block p2p programs?

A friend of mine told me that in his college he can't use Emule at all, and HTTPS connections are not disabled. The network of the college allows connections to ports 22, 110, 143 and 993 without passing through the proxy, and ports 80 and 443 only using the proxy. This is done only with open-source software, but he doesn't know what programs are used to do this... Can you understand something about this configuration?
On Tue, Nov 27, 2007 at 01:17:26AM +0100, shacky wrote:
> What about using the Application Layer Packet Classifier for Linux
> (http://l7-filter.sourceforge.net/) to block p2p programs?

It is possible, somewhat unpolished, slower than it ought to be, and less than perfectly reliable. All that for quite a significant amount of work in setting it up.

> A friend of mine told me that in his college he can't use Emule at
> all, and HTTPS connections are not disabled.

This may merely mean that he isn't very good at bypassing firewalls. With any security system, "I couldn't beat it" is not particularly useful information.
> It is possible, somewhat unpolished, slower than it ought to be, and
> less than perfectly reliable. All that for quite a significant amount
> of work in setting it up.

Couldn't I test it? How can I use L7-Filter with Shorewall? Or do you advise me to use a proxy instead of L7-Filter?