On Mon, 2003-06-23 at 08:29, Peter Hunčŕ wrote:
> I have the following problem. I'm supposed to manage a dormitory LAN,
> with approx. 200 windoze computers. It works fine, I'm using OpenBSD
> 3.3 as a Firewall and NAT, but...
>
> -------- 100Mbit --------- dc0 [OpenBSD 3.3/FW/NAT] dc1 ------- LAN
> 192.168.0.0/24
>
> As you see, we have a pretty fast internet connection. And that's the
> problem. Students keep using peer to peer software
> and you can imagine the traffic. Fortunately, our provider won't shape
> the line unless we manage the traffic. Actually, the traffic is not the
> problem, but the services. (content of the transported data :)
> warez/mp3/divx ) So I blocked everything by default (outbound) and
> allowed only some certain ports.
> As a result, every day I get a bunch of emails that I should enable a
> particular stream radio, instant messenger, online library or whatever
> :(
> Is it anyhow possible, for current allowed ports, to use all the
> bandwidth and to keep everything else at let's say 2Mbit? Inbound and
> outbound.
The problem lies in your interpretation of "allowed ports". Software like Kazaa is able to connect through port 80. I would suggest a layered approach to the problem.

- Deny all outbound by default (done)
- Transparent web proxy
- Transparent ftp proxy
- Allow known good ports outbound
- Use QoS to perform traffic shaping on a service- or IP-based queue, possibly in conjunction with...
- Authpf. Require your users to ssh authenticate, then load up custom rules with altq to limit their queues based on $user_ip

There are other ways, but this should be a good start. A big problem is that we have to trust that known port == known service, and this just isn't the case anymore. With p2p stuff like Kazaa using whatever port it wishes, we have to clamp down on a per-user basis. Linux/netfilter recently released a patch to allow layer7 filtering (allowing you to see Kazaa packets in a port 80 stream, for example), but I wouldn't expect to see it in PF.

> I've tried something using altq/pf but without achieving all the
> objectives. :(

HTH.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
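Worked example, added here and not part of either message: a pf.conf for OpenBSD 3.3 that implements the default-deny, known-ports and altq-queue layers of the approach above, using the dc0/dc1 interface names and the 192.168.0.0/24 LAN from Peter's diagram. The port list and the queue names are assumptions; the full-bandwidth-for-known-ports and 2 Mbit-for-everything-else split is what the original question asked for.

```conf
# /etc/pf.conf -- constructed example for the dc0/dc1 layout above.
ext_if = "dc0"                 # 100 Mbit uplink
int_if = "dc1"                 # dormitory LAN
lan    = "192.168.0.0/24"
# "Known good" ports (assumed list; adjust to what the dormitory actually needs).
known  = "{ 22, 25, 53, 80, 110, 143, 443 }"

# ALTQ queues packets on the interface they LEAVE, so shaping traffic
# toward the Internet means defining the queues on dc0.
altq on $ext_if cbq bandwidth 100Mb queue { q_known, q_other }
# Known services may use the whole link: they borrow from q_other when it is idle.
queue q_known bandwidth 98Mb cbq(default borrow)
# Everything else is hard-capped at 2 Mbit (no "borrow").
queue q_other bandwidth 2Mb cbq

scrub in all
nat on $ext_if from $lan to any -> $ext_if

# Default deny in both directions; only stateful replies come back in.
block all
pass quick on lo0 all

# Last matching rule wins, so the general rule comes first and the
# known-port rule after it.  The queue named here is stored in the state
# and applied when the packet leaves on dc0.
pass in on $int_if proto { tcp, udp } from $lan to any keep state queue q_other
pass in on $int_if proto { tcp, udp } from $lan to any port $known keep state queue q_known
pass in on $int_if proto icmp from $lan to any keep state queue q_other
pass out on $ext_if keep state

# Caveat: these queues only limit the LAN -> Internet direction.  To cap
# downloads as well (the "inbound" half of the question), define a second
# altq block on $int_if, because that is where reply packets leave the
# firewall on their way to the LAN.
```

Load it with `pfctl -f /etc/pf.conf` and watch the queues with `pfctl -s queue`; per-user rules loaded by authpf can reference `$user_ip` and assign these same queue names to tie the shaping to an authenticated user instead of a port.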
