[K12OSN] OT: Stopping P2P sharing
"Terrell Prudé Jr."
microman at cmosnetworks.com
Fri Apr 20 14:51:41 UTC 2007
Nils Breunese wrote:
> Peter Scheie wrote:
>
>> I think you'll have to elaborate on what you want to prevent. Using
>> a web browser is 'file sharing', as is much of computer
>> communication, in that the user's computer requests a file, in this
>> case an html file, from another computer, the web server.
>>
>> If you're talking about bittorrent traffic, you could block ports
>> 6881-6999 on your external firewall.
>
> Though that won't really block all BitTorrent as it's pretty easy to
> set the port you want to use in the BitTorrent client. I use 16881
> myself for instance. Probably better to block *all* ports by default
> and only open up the ones that are really needed.
>
> Nils Breunese.
>
With BitTorrent, it's worse. Remember that we now have not just
encrypted BitTorrent, but port-hopping BitTorrent. We have to deal with
this, too. Your BitTorrent client finds that it can't talk on its
"regular" ports (TCP 6881-6999)? Azureus, among others, will randomly
port-hop *and* encrypt, specifically to defeat both firewalls *and*
protocol analyzers. It's very effective.
We "stop" it at the Internet gateway, and we do it with a fairly strict
"this is what's 'allowed' outbound" policy. We use a Packeteer to shape
everything but TCP 80, TCP 443, and certain other TCP/UDP ports down to,
maybe, 10Kb/sec. Thus, when Azureus goes a-port-hoppin, fine! It's
limited to 10Kb...shared by EVERYONE. Meanwhile, TCP 80, TCP 443, etc.
work at normal multi-megabit speed. Yes, it's a dirty, sneaky, nasty
trick...and it works really well.
You could do the same thing with a Linux or OpenBSD gateway. A little
iptables/pf QoS magic is all you need.
--TP
_______________________________
Do you GNU!?
Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus
protection!
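One way to build the "shape everything but the allowed ports" policy described in the post on a Linux gateway, as an added example that is not part of the original message and not the Packeteer setup TP describes. It assumes a hypothetical WAN interface eth0, a 20 Mbit/s uplink, and TCP 80/443 plus UDP 53 as the allowed outbound ports; iptables marks packets to those ports and an HTB qdisc drops everything else into a 10 kbit/s class shared by every host, so a port-hopping client still lands in the slow lane. Commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (hypothetical values): default-deny-by-bandwidth on a Linux
# gateway. Allowed ports get the full uplink; everything else shares DEFAULT_KBIT.
WAN_IF="${WAN_IF:-eth0}"            # assumed upstream interface
UPLINK_KBIT="${UPLINK_KBIT:-20000}" # assumed 20 Mbit/s uplink
DEFAULT_KBIT="${DEFAULT_KBIT:-10}"  # the "10Kb, shared by everyone" class
ALLOWED_TCP="${ALLOWED_TCP:-80 443}"
ALLOWED_UDP="${ALLOWED_UDP:-53}"
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = apply (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Which HTB class would an outbound packet land in under this policy?
# usage: port_class tcp 443  -> prints 1:10 (fast) or 1:20 (squeezed)
port_class() {
  proto=$1; port=$2
  case "$proto" in
    tcp) list=$ALLOWED_TCP ;;
    udp) list=$ALLOWED_UDP ;;
    *)   list="" ;;
  esac
  for p in $list; do
    [ "$p" = "$port" ] && { echo "1:10"; return 0; }
  done
  echo "1:20"
}

# iptables: fwmark 1 on packets to allowed ports; everything else stays unmarked.
setup_marking() {
  run iptables -t mangle -N SHAPE_OUT || true   # chain may already exist
  run iptables -t mangle -F SHAPE_OUT
  for p in $ALLOWED_TCP; do
    run iptables -t mangle -A SHAPE_OUT -p tcp --dport "$p" -j MARK --set-mark 1
  done
  for p in $ALLOWED_UDP; do
    run iptables -t mangle -A SHAPE_OUT -p udp --dport "$p" -j MARK --set-mark 1
  done
  # Hook the chain for traffic leaving via the WAN interface (re-add idempotently).
  run iptables -t mangle -D POSTROUTING -o "$WAN_IF" -j SHAPE_OUT || true
  run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -j SHAPE_OUT
}

# tc/HTB: class 1:10 for marked packets, 1:20 (the default) for everything else.
setup_shaping() {
  fast_kbit=$((UPLINK_KBIT - DEFAULT_KBIT))
  run tc qdisc del dev "$WAN_IF" root || true   # clear any previous qdisc
  # "default 20": any packet no filter claims goes to the squeezed class.
  run tc qdisc add dev "$WAN_IF" root handle 1: htb default 20
  run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit"
  run tc class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate "${fast_kbit}kbit" ceil "${UPLINK_KBIT}kbit"
  run tc class add dev "$WAN_IF" parent 1:1 classid 1:20 htb rate "${DEFAULT_KBIT}kbit" ceil "${DEFAULT_KBIT}kbit"
  # fwmark 1 (set by iptables above) steers allowed traffic into the fast class.
  run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
}

setup_marking
setup_shaping
```

Because the slow class is selected by default rather than by matching the P2P client's ports, hopping to a random port or encrypting the payload changes nothing: only traffic to the explicitly allowed ports ever reaches class 1:10. Run with `DRY_RUN=0` as root on the gateway to apply; check the result with `tc -s class show dev eth0`.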