David Elze wrote:
> Hi,
> 
> I'm trying to block p2p traffic via pf on OpenBSD 3.x.
> 
> Unfortunately, all new p2p-clients are able to use dynamic ports or even
> (ab-)use http-ports etc. so blocking well known p2p-ports is not enough.

yep.

> Apart from blocking ports I just see two possibilities:
> - slow connections down very hard on well known
>   p2p-ports, so the p2p-clients can connect but
>   don't get speed at all (still, other dynamic
>   ports could be used)
> - try to look into each datagram and scan for
>   typical p2p-stuff (what is "typical", this
>   approach would cost too much computing time)

  - think outside the traditional box. :)

> 
> Any hints? Unfortunately, I didn't find a lot of stuff regarding this
> except the well known 'iptables-p2p' which is a match module for iptables
> but hey, I love pf :-)

If there are too many IP addresses and ports to effectively block, maybe
look for something else...like, maybe mangle the DNS queries.  One tiny
little DNS block, and kazaa goes bye-bye.  Two, and AIM is blocked.

Theoretically, this is a weak solution.  However, PRACTICALLY speaking,
it's simple and very effective.  Other than blocked services opening up
alternative entry points, I've not actually seen anyone bypass this
system in real life (for example, AOL offered a web-based IM
alternative, that required an additional block).  It isn't a secure
solution, but it seems mighty effective.

   http://www.holland-consulting.net/tech/imblock.html

Nick.
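A sketch of the DNS-block idea in Nick's reply, written as an added example (it is not code from the thread or from the linked page): a tiny resolver front-end that answers NXDOMAIN for any name under a blocked zone and hands everything else to the real resolver. The zone names are constructed placeholders, not the real domains of any service.

```python
# Added example: minimal DNS "sinkhole" logic for the block-by-DNS approach.
# Zone names are constructed placeholders (assumption, not real service domains).
import struct

BLOCKED_ZONES = ("p2p.example", "im.example")  # constructed placeholders

def parse_qname(packet):
    """Return (lower-cased name, offset just past the question) for the first question."""
    labels, pos = [], 12  # fixed 12-byte DNS header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; never expected in a plain query
            raise ValueError("compressed name in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower(), pos + 4  # skip QTYPE and QCLASS

def is_blocked(name, zones=BLOCKED_ZONES):
    """True for the zone itself and any name beneath it (suffix match on a label boundary)."""
    return any(name == z or name.endswith("." + z) for z in zones)

def handle_query(packet, zones=BLOCKED_ZONES):
    """Return an NXDOMAIN response for blocked names, or None to let the real resolver answer."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1 or flags & 0x8000:  # not a single-question query
        return None
    name, qend = parse_qname(packet)
    if not is_blocked(name, zones):
        return None
    # QR=1, copy opcode, AA=1, copy RD, RCODE=3 (NXDOMAIN)
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | 0x0003
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + packet[12:qend]  # echo the question section back

def build_query(name, txid=0x1234):
    """Construct a standard type-A query packet (constructed input for testing)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

As Nick's reply says, this only bites for clients that resolve through the site's DNS; a client that talks to another resolver or uses hard-coded addresses needs the port or address blocks in pf as well.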
