Hi, we have installed CentOS 5 x86_64 with Shorewall. I compiled ipp2p today and I want to use it with Shorewall. I have read the page for ipp2p on the official Shorewall site.

What I want is to drop P2P packets using ipp2p and Shorewall; how can I do that?

Behind this server we have a network (192.168.0.1/24). I want to block possible P2P traffic from this network and maybe allow this kind of traffic for particular IPs.

I will be happy if someone can help me. Thanks in advance!

Regards,
Ali Nebi!

------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB
anebi@iguanait.com wrote:
> Hi,
>
> we have installed CentOS 5 x86_64 with Shorewall.
>
> I compiled ipp2p today and I want to use it with Shorewall. I have read
> the page for ipp2p on the official Shorewall site.
>
> What I want is to drop P2P packets using ipp2p and Shorewall; how can
> I do that?
>
> Behind this server we have a network (192.168.0.1/24). I want to block
> possible P2P traffic from this network and maybe allow this kind of
> traffic for particular IPs.
>
> I will be happy if someone can help me.

Several things:

a) The ipp2p module cannot guarantee that what it classifies as P2P traffic is actually P2P traffic. It uses heuristics, and if a packet matches the profile of one of the P2P applications, it returns a match. So from that point of view, unconditionally dropping packets that ipp2p matches is dangerous.

b) Dropping packets from TCP connections that have been matched by ipp2p can lead to orphan connections, since there is no way for the connection to be cleanly broken if the firewall is dropping all packets that are part of the connection. This can be used as a DoS attack.

c) I have been experimenting with the ipp2p module in xtables-addons 1.6 and 1.7; my firewall won't run 5 minutes before crashing if I insert just a single ipp2p match rule. YMMV.

So if you can find a version of ipp2p that is stable on your platform, I recommend using it to restrict the bandwidth used by P2P rather than trying to stop P2P altogether.

-Tom
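As an added illustration of the "restrict the bandwidth rather than drop" approach (this is not configuration from the original thread or from the Shorewall project): mark what ipp2p matches in /etc/shorewall/tcrules and send those packets through a small HTB class using Shorewall's internal traffic shaper, so a mis-classified flow is slowed down rather than orphaned. The interface name eth0 (the net interface), the bandwidths, the mark numbers and the LAN range are assumptions; the ipp2p PROTO/PORT(S) syntax is the form documented on the Shorewall IPP2P page, so check it against the version you run.

```text
# /etc/shorewall/shorewall.conf  (assumed setting: enables the built-in shaper)
TC_ENABLED=Internal

# /etc/shorewall/tcdevices  (eth0 = net interface; bandwidths are assumptions)
#INTERFACE   IN-BANDWITH   OUT-BANDWIDTH
eth0         8mbit         1mbit

# /etc/shorewall/tcclasses  (class 1 is the default; class 4 is the P2P bucket)
#INTERFACE   MARK   RATE      CEIL      PRIORITY   OPTIONS
eth0         1      800kbit   1mbit     1          default
eth0         4      64kbit    128kbit   3

# /etc/shorewall/tcrules  (mark, do not drop: the packet is still forwarded,
# it just lands in the 64kbit/128kbit class above)
#MARK   SOURCE           DEST         PROTO        PORT(S)
4       192.168.0.0/24   0.0.0.0/0    ipp2p:all    ipp2p
```

Because the match only changes the class, a false positive costs the user speed instead of a hung TCP session, and an attacker who can craft packets that look like P2P cannot use the firewall to break other people's connections. The RATE values of the classes must not add up to more than the device's OUT-BANDWIDTH.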
Shorewall Guy wrote:
> anebi@iguanait.com wrote:
>
> c) I have been experimenting with the ipp2p module in xtables-addons 1.6
> and 1.7; my firewall won't run 5 minutes before crashing if I insert
> just a single ipp2p match rule. YMMV.

Update: xtables-addons 1.8 was released this morning and includes a buffer underrun fix in xt_ipp2p.c. That, together with the attached patch, is proving to be more stable on my firewall.
> Several things:
>
> a) The ipp2p module cannot guarantee that what it classifies as P2P
> traffic is actually P2P traffic. It uses heuristics, and if a packet
> matches the profile of one of the P2P applications, it returns a match.
> So from that point of view, unconditionally dropping packets that ipp2p
> matches is dangerous.
>
> b) Dropping packets from TCP connections that have been matched by ipp2p
> can lead to orphan connections, since there is no way for the connection
> to be cleanly broken if the firewall is dropping all packets that are
> part of the connection. This can be used as a DoS attack.
>
> c) I have been experimenting with the ipp2p module in xtables-addons 1.6
> and 1.7; my firewall won't run 5 minutes before crashing if I insert
> just a single ipp2p match rule. YMMV.

I've also experimented with the xtables-addons 1.6 version and tested it with P2P (torrent) traffic; however, it failed to match any packet. So I've just considered it as being broken.

Harry.
Harry Lachanas wrote:
> I've also experimented with the xtables-addons 1.6 version and
> tested it with P2P (torrent) traffic; however, it failed to match any
> packet.
> So I've just considered it as being broken.

I'll be interested in hearing how 1.8 works for you.
Thanks for the fast answer. I agree with your answer.

The other thing that I think can help stop these people from using P2P is to fix the number of connections per IP. I remember that our ISP had limited our number of connections to 40 or something similar, and it was difficult to use P2P with this. The speed was low.

What is your opinion on this? Do you think this can help, and if yes, how can we realize this?

Regards,
Ali Nebi!
Ali Nebi wrote:
> The other thing that I think can help stop these people from using P2P
> is to fix the number of connections per IP. I remember that our ISP had
> limited our number of connections to 40 or something similar, and it
> was difficult to use P2P with this. The speed was low.
> What is your opinion on this? Do you think this can help, and if yes,
> how can we realize this?

In Shorewall-perl 4.2.1, we added a CONNLIMIT column to /etc/shorewall/policy. Simply set that limit on your loc->net ACCEPT policy.
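An added example of what that looks like, written for this thread rather than taken from the original posts or from the Shorewall documentation: the loc->net ACCEPT policy gets a per-host CONNLIMIT, and one LAN host that should keep unrestricted P2P is accepted by an explicit rule. The limit of 40 (the figure from the ISP anecdote), the zone names loc/net and the address 192.168.0.10 are assumptions.

```text
# /etc/shorewall/policy  (Shorewall-perl 4.2.1 or later)
#SOURCE   DEST   POLICY   LOG_LEVEL   LIMIT:BURST   CONNLIMIT
loc       net    ACCEPT   -           -             40
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (assumed exempt host; rules are evaluated before the
# policy, so this host's connections never reach the policy's limit check)
#ACTION   SOURCE              DEST   PROTO   DEST PORT(S)
ACCEPT    loc:192.168.0.10    net
```

With this in place, every other host in loc can hold at most 40 simultaneous connections to net; a 41st new connection from the same host is not accepted until one of the existing ones closes. The CONNLIMIT value takes the form limit[:mask], so 40:24 would count the whole /24 together instead of each host separately. Unlike an ipp2p DROP, the limit is protocol-agnostic and has no false-positive problem: a busy web browser also counts, so pick the number with that in mind.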
Thanks a lot for the information and help. :)

Regards,
Ali Nebi!

On Sun, 2009-01-11 at 09:02 -0800, Shorewall Guy wrote:
> Ali Nebi wrote:
>
> > The other thing that I think can help stop these people from using P2P
> > is to fix the number of connections per IP. I remember that our ISP had
> > limited our number of connections to 40 or something similar, and it
> > was difficult to use P2P with this. The speed was low.
> > What is your opinion on this? Do you think this can help, and if yes,
> > how can we realize this?
>
> In Shorewall-perl 4.2.1, we added a CONNLIMIT column to
> /etc/shorewall/policy. Simply set that limit on your loc->net ACCEPT policy.