anebi@iguanait.com wrote:
> I added these rules in /etc/shorewall/rules to drop all packets from
> the internal network.
>
> DROP loc:192.168.2.0/24 net ipp2p:all
> DROP net loc:192.168.2.0/24 ipp2p:all
>
> Are they enough to drop the packets from this network (because I want
> to drop them, without marking)?
>
> Or do I need to set them up a different way to get effective control over
> packets that are going through the server?
Those rules will do nothing if you put them in the NEW section of the rules
file. And if you put them in the ESTABLISHED section, they will eat a great
number of CPU cycles. If you extend them to mark connections in an attempt
to save CPU cycles, then you run the significant risk of running out of
conntrack entries because the marked connections cannot be shut down properly.
That is why we recommend that you try to control P2P bandwidth utilization
rather than try to stop it outright. And if you really want to try to stop
it, you have to proxy EVERY CONNECTION from your local net and use the proxy
to do the filtering.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key