> green <greenfreedom10@gmail.com> wrote:
>
>> > Steven Piercy wrote at 2010-07-30 12:27 -0500:
>>> > > so couldn't you use the uid of your fw/shaper process and apply
>>> > > the mangle method to all tcp connections through the fw?
>> >
>> > I don't understand. Would not something like that include all
>> > connections? I just want p2p/bittorrent...
> Not if you run the p2p daemon as a specific user, i.e. 'deluge' etc.
> You can also set up a group for all your p2p software to use, which you
> can share to access the files, then use something like
> iptables -A OUTPUT -m owner --gid-owner p2p ....
>
> Of course it's far more useful to be able to match traffic on a router
> between the pc with p2p and the internets, but then it's harder to match
> which pkts are p2p. If you trust the machine traffic is coming from
> then you could use xt_owner on the machine generating the traffic to
> accurately mark the p2p pkts then set the TOS bit or something so the
> router can easily identify which pkts are p2p.
> Alternatively if you have control over the box generating the p2p then
> using port based rules would be easier again.
To authenticate network connections across hosts one could use NuFW
(http://www.nufw.org/
http://packages.debian.org/search?keywords=nufw&searchon=names&suite=all&section=main).
> I tried http://l7-filter.sourceforge.net/ without success, there is
> also http://www.ipp2p.org/ but i think that is no longer maintained and
> I haven't tried it.
That's now in xtables-addons (http://xtables-addons.sourceforge.net/
http://packages.debian.org/search?keywords=xtables-addons&searchon=names&suite=all&section=main)
as a module called ipp2p.
> In my experience I've found guessing p2p traffic on simply large udp
> pkts is more successful than these filters, especially now most p2p
> clients support encryption etc.
Best regards
Mart
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4C56823B.4070101@chello.at
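The two-host scheme green describes (mark by owner on the trusted host, then classify on the mark at the router) plus the "large UDP packet" fallback from the last quote, written out as an added example; this is not code from the thread or from any of the projects it mentions. It emits iptables-restore rulesets rather than calling iptables directly, so it can be inspected and syntax-checked without root. The group name p2p, the DSCP class CS1, the 1000-byte UDP threshold and the fwmark value 1 are all choices made here, not taken from the thread. One caveat the thread glosses over: xt_owner compares the socket owner's effective/fs gid, so the daemon must run with p2p as its primary group (for example via sg p2p -c or a systemd Group= line); putting the user in p2p as a supplementary group is not enough for --gid-owner to match.

```shell
#!/bin/sh
# Added example, not from the debian-firewall thread. Generates iptables-restore
# rulesets for (a) the host running the p2p daemon and (b) the router in front
# of it. Nothing touches the kernel unless "apply" is requested explicitly.

P2P_GID="${P2P_GID:-p2p}"     # assumed group the p2p daemon runs under
P2P_DSCP="CS1"                # "lower effort" class; chosen here, not in the thread
UDP_MIN_LEN="1000"            # assumed threshold for the large-UDP heuristic
P2P_MARK="1"                  # fwmark a tc "fw" filter can steer into a shaped class

# Host side. xt_owner only works for locally generated packets, so the rule
# lives in OUTPUT. It matches the socket's fs gid, hence the daemon must have
# $P2P_GID as its primary group, not just a supplementary one.
host_rules() {
    cat <<EOF
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --gid-owner ${P2P_GID} -j DSCP --set-dscp-class ${P2P_DSCP}
COMMIT
EOF
}

# Router side. First trust the DSCP value set by the marking host, then fall
# back to the heuristic from the thread: any UDP packet above $UDP_MIN_LEN
# bytes is treated as p2p. Both paths end in the same fwmark.
router_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m dscp --dscp-class ${P2P_DSCP} -j MARK --set-mark ${P2P_MARK}
-A PREROUTING -p udp -m length --length ${UDP_MIN_LEN}:65535 -j MARK --set-mark ${P2P_MARK}
COMMIT
EOF
}

# Load a generated file: --test parses without committing, so a typo cannot
# leave the firewall half-loaded; --noflush keeps the other tables intact.
apply_rules() {
    file="$1"
    iptables-restore --test "$file" && iptables-restore --noflush "$file"
}

# Structural check that needs no root: exactly one table header, at least one
# -A rule, a closing COMMIT, and no stray lines. Returns 0 on success.
validate_ruleset() {
    printf '%s\n' "$1" | awk '
        /^\*/       { table++;  next }
        /^COMMIT$/  { commit++; next }
        /^-A /      { rules++;  next }
        /^:/        { next }
        /^$/        { next }
                    { bad++ }
        END { exit !(table == 1 && commit == 1 && rules > 0 && bad == 0) }'
}

case "${1:-}" in
    host)   host_rules ;;
    router) router_rules ;;
    apply)  apply_rules "$2" ;;
    *)      : ;;   # no mode: just define the functions (e.g. when sourced)
esac
```

Typical use is `sh p2pmark.sh host > host.rules` on the daemon box and `sh p2pmark.sh router > router.rules` on the router, then `apply` each as root. On the router the fwmark is consumed by a classful qdisc, for example `tc filter add dev eth0 parent 1: protocol ip handle 1 fw flowid 1:20` after the class 1:20 has been created with the desired rate. If xtables-addons is installed, a `-m ipp2p --bit` rule can be added to router_rules as a third classifier, but as the thread notes it will miss encrypted sessions, which is why the DSCP and length rules do the real work here.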