[K12OSN] OT: Stopping P2P sharing

"Terrell Prudé Jr." microman at cmosnetworks.com
Fri Apr 20 14:51:41 UTC 2007


Nils Breunese wrote:
> Peter Scheie wrote:
>
>> I think you'll have to elaborate on what you want to prevent.  Using
>> a web browser is 'file sharing', as is much of computer
>> communication, in that the user's computer requests a file, in this
>> case an html file, from another computer, the web server.
>>
>> If you're talking about bittorrent traffic, you could block ports
>> 6881-6999 on your external firewall.
>
> Though that won't really block all BitTorrent as it's pretty easy to
> set the port you want to use in the BitTorrent client. I use 16881
> myself for instance. Probably better to block *all* ports by default
> and only open up the ones that are really needed.
>
> Nils Breunese.
>

With BitTorrent, it's worse.  Remember that we now have not just
encrypted BitTorrent, but port-hopping BitTorrent.  We have to deal with
this, too.  Your BitTorrent client finds that it can't talk on its
"regular" ports (TCP 6881-6999)?  Azureus, among others, will randomly
port-hop *and* encrypt, specifically to defeat both firewalls *and*
protocol analyzers.  It's very effective.

We "stop" it at the Internet gateway, and we do it with a fairly strict
"this is what's 'allowed' outbound" policy.  We use a Packeteer to shape
everything but TCP 80, TCP 443, and certain other TCP/UDP ports down to,
maybe, 10Kb/sec.  Thus, when Azureus goes a-port-hoppin', fine!  It's
limited to 10Kb...shared by EVERYONE.  Meanwhile, TCP 80, TCP 443, etc.
work at normal multi-megabit speed.  Yes, it's a dirty, sneaky, nasty
trick...and it works really well.

You could do the same thing with a Linux or OpenBSD gateway.  A little
iptables/pf QoS magic is all you need.

--TP
_______________________________
Do you GNU!?
Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus
protection!
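The gateway policy described in the message above, worked through as an added example that is not part of the original post or of any K12OSN project code: a Linux version of "shape everything except the allowed ports down to a crawl", built from iptables fwmarks and an HTB qdisc. Traffic to or from a port on the allow-list is marked and steered into a full-speed class; everything else, port-hopping clients included, falls into the default class, which is capped at 10 kbit/s and shared by every host. The interface names eth0/eth1, the 20 Mbit/s link rate, the allow-lists, the chain names and the mark value are assumptions chosen for illustration. By default the script only prints the commands it would run; APPLY=1 as root installs them.

```shell
#!/bin/sh
# Added example, not code from the original post. Linux version of the
# "shape everything except allowed ports down to a crawl" policy:
# iptables fwmarks select the fast HTB class, everything else lands in the
# default class capped at $CRAWL and shared by all hosts.
# Assumptions (hypothetical): WAN=eth0, LAN=eth1, 20 Mbit/s link, the
# allow-lists below. Prints commands unless APPLY=1 (needs root).

WAN=${WAN:-eth0}        # upstream interface; egress here = client uploads/requests
LAN=${LAN:-eth1}        # downstream interface; egress here = replies to clients
LINK=${LINK:-20mbit}    # full speed for allowed traffic
CRAWL=${CRAWL:-10kbit}  # everything else shares this
ALLOW_TCP=${ALLOW_TCP:-"80 443 22 25 110 143 993 995"}
ALLOW_UDP=${ALLOW_UDP:-"53 123"}
FAST_MARK=10            # fwmark that selects the fast class

# run CMD...: print the command, or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# is_allowed PROTO PORT: exit 0 if PROTO/PORT is on the allow-list.
is_allowed() {
  proto=$1; port=$2
  case "$proto" in
    tcp) list=$ALLOW_TCP ;;
    udp) list=$ALLOW_UDP ;;
    *)   return 1 ;;
  esac
  for p in $list; do
    [ "$p" = "$port" ] && return 0
  done
  return 1
}

# shape_iface IFACE PORTOPT: HTB on IFACE with the crawl class as default;
# packets carrying FAST_MARK go to the fast class. PORTOPT is --dport on
# the WAN side (what our clients talk to) and --sport on the LAN side
# (the replies coming back down to them).
shape_iface() {
  iface=$1; portopt=$2; chain="SHAPE_$iface"
  run tc qdisc del dev "$iface" root 2>/dev/null || true
  run tc qdisc add dev "$iface" root handle 1: htb default 20
  run tc class add dev "$iface" parent 1: classid 1:1 htb rate "$LINK"
  run tc class add dev "$iface" parent 1:1 classid 1:10 htb rate "$LINK" ceil "$LINK" prio 0
  # ceil == rate: the crawl class may never borrow bandwidth from 1:10
  run tc class add dev "$iface" parent 1:1 classid 1:20 htb rate "$CRAWL" ceil "$CRAWL" prio 7
  run tc filter add dev "$iface" parent 1: protocol ip prio 1 handle "$FAST_MARK" fw flowid 1:10

  run iptables -t mangle -N "$chain" 2>/dev/null || true
  run iptables -t mangle -F "$chain"
  run iptables -t mangle -D POSTROUTING -o "$iface" -j "$chain" 2>/dev/null || true
  run iptables -t mangle -A POSTROUTING -o "$iface" -j "$chain"
  for p in $ALLOW_TCP; do
    run iptables -t mangle -A "$chain" -p tcp "$portopt" "$p" -j MARK --set-mark "$FAST_MARK"
  done
  for p in $ALLOW_UDP; do
    run iptables -t mangle -A "$chain" -p udp "$portopt" "$p" -j MARK --set-mark "$FAST_MARK"
  done
}

# Shape both directions: uploads/requests leaving on WAN, replies leaving on LAN.
install_shaping() {
  shape_iface "$WAN" --dport
  shape_iface "$LAN" --sport
}

install_shaping
```

Two things worth knowing before copying this onto a real gateway. First, tc only shapes egress, so the download direction is handled by shaping the LAN-facing interface rather than by ingress policing on the WAN side; on a box with several LAN interfaces, repeat shape_iface for each. Second, the policy is exactly as strong as the allow-list is narrow: a client that port-hops onto TCP 443 rides in the fast lane, and since the message above notes the traffic may also be encrypted, no protocol analyzer will pull it back out. Keep the list to the ports the site really needs and watch the 1:20 class counters (tc -s class show dev eth0) to see how much is being squeezed.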

