On Sat, 31 Jul 2010 12:21:59 -0500 green <[email protected]> wrote:
> Steven Piercy wrote at 2010-07-30 12:27 -0500:
> > so couldn't you use the uid of your fw/shaper process and apply
> > the mangle method to all tcp connections through the fw?
>
> I don't understand. Would not something like that include all
> connections? I just want p2p/bittorrent...

Not if you run the p2p daemon as a specific user, i.e. 'deluge' etc. You can also set up a group for all your p2p software to use, which you can share to access the files, then use something like iptables -A OUTPUT -m owner --gid-owner p2p ....

Of course it's far more useful to be able to match traffic on a router between the pc with p2p and the internets, but then it's harder to match which pkts are p2p. If you trust the machine traffic is coming from then you could use xt_owner on the machine generating the traffic to accurately mark the p2p pkts, then set the TOS bit or something so the router can easily identify which pkts are p2p. Alternatively, if you have control over the box generating the p2p then using port-based rules would be easier again.

I tried http://l7-filter.sourceforge.net/ without much success; there is also http://www.ipp2p.org/ but I think that is no longer maintained and I haven't tried it. In my experience I've found guessing p2p traffic on simply large udp pkts is more successful than these filters, especially now most p2p clients support encryption etc.
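The host-side owner match and router-side TOS/DSCP classification described above, as an added example that is not part of the original mail; the group name p2p, the interface eth0, the fwmark 0x10 and an existing HTB qdisc with leaf class 1:20 on the router are assumptions:

```shell
#!/bin/sh
# Added example (not from the mail): tag p2p traffic on the host with xt_owner,
# then classify it on the router by DSCP instead of guessing ports or payload.
# Group "p2p", interface eth0, fwmark 0x10 and class 1:20 are assumptions.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# On the host running the p2p client: xt_owner only matches locally generated
# packets, so the rule must sit in the mangle OUTPUT chain. Every process in the
# given group (deluge, rtorrent, ...) gets its packets tagged with DSCP class
# CS1 ("lower effort"), for both TCP and UDP, before they leave the box.
p2p_host_rules() {
    group="$1"
    for proto in tcp udp; do
        run iptables -t mangle -A OUTPUT -p "$proto" -m owner --gid-owner "$group" \
            -j DSCP --set-dscp-class CS1
    done
}

# On the router: the DSCP field travels in the IP header, so the router matches
# it without looking at ports or encrypted payload. Forwarded CS1 packets get an
# fwmark, and a tc filter on the WAN interface steers that mark into a
# low-priority leaf class of the existing HTB qdisc (parent 1:, class 1:20).
p2p_router_rules() {
    wan_if="$1"
    mark="${2:-0x10}"
    run iptables -t mangle -A FORWARD -m dscp --dscp-class CS1 -j MARK --set-mark "$mark"
    run tc filter add dev "$wan_if" parent 1: protocol ip prio 10 handle "$mark" fw flowid 1:20
}

# Usage: "sh mark-p2p.sh host" or "sh mark-p2p.sh router" prints that side's
# rules; with no argument both sides are printed; DRY_RUN=0 applies them.
case "${1:-}" in
    host)   p2p_host_rules p2p ;;
    router) p2p_router_rules eth0 0x10 ;;
    *)      p2p_host_rules p2p; p2p_router_rules eth0 0x10 ;;
esac
```

The DSCP value survives only as long as nothing between the host and the router rewrites the IP header, which holds on a plain LAN but not necessarily through a tunnel or a second NAT box.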

