On Tue, 11 Oct 2005 20:24:01 -0400, Nick Holland wrote:
>David Elze wrote:
>> Hi,
>>
>> I'm trying to block p2p traffic via pf on OpenBSD 3.x.
>>
>> Unfortunately, all new p2p-clients are able to use dynamic ports or even
>> (ab-)use http-ports etc. so blocking well known p2p-ports is not enough.
>
>yep.
>
>> Apart from blocking ports I just see two possibilities:
>> - slow connections down very hard on well known
>>   p2p-ports, so the p2p-clients can connect but
>>   don't get speed at all (still, other dynamic
>>   ports could be used)
>> - try to look into each datagram and scan for
>>   typical p2p-stuff (what is "typical", this
>>   approach would cost too much computing time)
>
> - think outside the traditional box. :)
>
>>
>> Any hints? Unfortunately, I didn't find a lot of stuff regarding this
>> except the well known 'iptables-p2p' which is a match module for iptables
>> but hey, I love pf :-)
>
>If there are too many IP addresses and ports to effectively block, maybe
>look for something else...like, maybe mangle the DNS queries. One tiny
>little DNS block, and kazaa goes bye-bye. Two, and AIM is blocked.
>
>Theoretically, this is a weak solution. However, PRACTICALLY speaking,
>it's simple and very effective. Other than blocked services opening up
>alternative entry points, I've not actually seen anyone bypass this
>system in real life (for example, AOL offered a web-based IM
>alternative, that required an additional block). It isn't a secure
>solution, but it seems mighty effective.
>
> http://www.holland-consulting.net/tech/imblock.html
>
>Nick.
>
dsniff (IIRC a package, certainly a port) contains dnsspoof that will easily let you return 127.0.0.1 as the address for any wildcarded hostname you put in its dnsspoof.hosts file. A certain teenager next door was bewildered about what happened to Kazaa......... Just install dsniff on your gateway and edit the file and shazam!

BTW HUPping dnsspoof appears to have it not reread the hostlist. I use a script to pkill it and restart it.

From the land "down under": Australia. Do we look <umop apisdn> from up over?

Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
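As an added illustration (not code from either poster or from dsniff itself) of how a hosts-style sinkhole list like the one described above behaves: a small parser for the `address pattern` line format, plus a lookup that applies shell-style wildcard matching, which is an assumption about dnsspoof's semantics. The hostnames are constructed placeholders, not a real blocklist. Note that a `*.domain` entry does not cover the bare apex name, so that has to be listed separately.

```python
import fnmatch

# Constructed sample in dnsspoof.hosts-like format (hypothetical names, not a real list).
# Each entry is "<answer address> <hostname pattern>"; patterns may use shell wildcards.
SAMPLE_HOSTS = """\
# Sinkhole entries: answer with loopback so the client never reaches the service.
127.0.0.1 *.example-p2p.test
127.0.0.1 login.example-im.test
127.0.0.1 webmessenger.example-im.test   # the web-based fallback needs its own entry
"""


def parse_hosts(text):
    """Return a list of (pattern, address) tuples, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed entry: {raw!r}")
        address, pattern = parts
        rules.append((pattern.lower(), address))
    return rules


def lookup(name, rules):
    """Return the sinkhole address for a queried name, or None if no pattern matches.

    Assumption: matching is shell-style globbing (fnmatch), case-insensitive, with a
    trailing dot on fully-qualified names ignored. First matching entry wins.
    """
    name = name.lower().rstrip(".")
    for pattern, address in rules:
        if fnmatch.fnmatchcase(name, pattern):
            return address
    return None


if __name__ == "__main__":
    rules = parse_hosts(SAMPLE_HOSTS)
    for q in ("tracker.example-p2p.test", "example-p2p.test", "login.example-im.test"):
        print(q, "->", lookup(q, rules))
```

Querying the apex name `example-p2p.test` returns None with only the `*.example-p2p.test` entry present, which is the gap to check for when building such a list.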

