I was able to use p2pwall without patching the kernel. I am using Red Hat 8.0; I guess the features that p2pwall needs are already compiled into the default kernel that comes with the distribution. I read specifically about the need for the QUEUE target of iptables, and also support for the ip_string module in iptables, which is optional.
The installation guide is fairly simple; it involves a few required iptables rules to forward UDP packets to the QUEUE target. In addition, the ftwall daemon needs to be running all the time to be able to read the UDP packets and determine P2P connections. The ftwall daemon can then fetch the data from the QUEUE target to check whether it's Kazaa traffic or not.
What I like about p2pwall is that it comes with automatic blocking built in. Once a host is determined to be using Kazaa, it automatically blocks it from accessing the Internet. As I read from its documents, it will block all connections from the host, and not just specific ports, to keep it from connecting to the Internet. Plus, it will continuously send a "ping"-type UDP message to the host. I think it sends a "ping"-like request to the Kazaa port 1214 of the host. Maybe the Kazaa client listens on this port for requests from other users in the Kazaa network. Only when it no longer receives any response is the block lifted. So this means the user can't access the Internet while the Kazaa client is running. After the Kazaa client is closed, probably in a few minutes, the user will be able to use the Internet again. Very handy if you want to punish violators. Hehe. :)
If you are curious about which UDP ports the Kazaa client will use to find the P2P servers, try using a rule that matches UDP connections from your internal network to the Internet. Then run the Kazaa client on one of the computers, and you'll notice that Kazaa will try to connect to a lot of ports and a lot of IP addresses on the Internet. So it's futile if you just want to block certain ports. You'll need ftwall or other related tools to seriously block Kazaa. :)
BTW, I've only tried this on Kazaa and Kazaa Lite; they have a few listed protocols that ftwall has been tested on:
Kazaa 2.1.1 and 2.5-beta2
Kazaa Lite 2.0.2
iMesh 4.1 build 132
Grokster 1.7
You can find more info at http://www.lowth.com/p2pwall/ftwall/
Also, to further control bandwidth usage and access, try using more preventive rules in your iptables. Perhaps allow masquerading to only a few ports. And for the web, use squid with delay pools; this way you can limit how much bandwidth the users use. Then set up squid as a transparent proxy on all outgoing port 80 traffic, and include 3128 and 8080 as well, to prevent users from overriding your proxy server and connecting to other servers on the Internet.
You may also want to use DansGuardian if you want more control. I've tried DansGuardian once, and it blocks almost all the websites I tried to access. Probably it's been designed to be used in a very restricted environment. You can always change its blocking rules and configuration, of which there are a lot, to suit your needs. There's just a lot of files to edit and a lot of keywords to consider. Hehe. :)
Try ftwall; perhaps it's the answer to minimizing P2P traffic. Also, you might want to download a ready-made iptables script that contains a lot of rules, to give you an idea of how to maximize the use of iptables. Try this one, which I've used together with ftwall:
http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/
There's not much documentation on iptables there; you might also want to try www.netfilter.org
I read the docs; you can also use the ip_string module. I haven't tried using it though, as tinkering with the kernel in a production environment is a big no-no. :)
I hope that helps. :)
Thanks!
Mark
At 04:18 PM 9/16/2003 +0800, you wrote:
Problem with p2pwall is that you still need to patch the kernel and use experimental iptables rules. The snort and iptables script combination, IMHO is much simpler.
On Tue, 2003-09-16 at 16:12, Holgado, Pedro wrote:
> Try the P2PWALL project
> http://www.lowth.com/p2pwall/
--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
--
CEVOR.com - http://www.cevor.com
Mark John Buenconsejo [EMAIL PROTECTED] phone: +639177542463
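The gateway setup the message describes, as an added example that is not part of the original message, the ftwall project or the linked rc.scripts: a logging rule to see where the LAN clients' UDP goes, the hand-off of LAN UDP to the userspace QUEUE target that ftwall reads, the transparent redirect of ports 80, 3128 and 8080 to squid, and masquerading restricted to a few named ports. The interface names, the 192.168.0.0/24 LAN, the squid port 3128 and the short port list are assumptions; adjust them to your network. The rule syntax is standard iptables; the QUEUE target is the old ip_queue interface the message refers to, which later kernels replaced with NFQUEUE. Setting IPT=echo prints the rules instead of applying them, so you can review the set before loading it on a production box.

```shell
#!/bin/sh
# Added example; assumes a two-interface gateway with the LAN on eth0.
# IPT=echo gives a dry run; the rules are only applied when run as "./script apply".
IPT="${IPT:-iptables}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# 1. The "curious which UDP ports it uses" check: log each new outbound UDP flow
#    from the LAN, rate-limited so a chatty client cannot flood the syslog.
observe_udp_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp -s "$LAN_NET" \
        -m state --state NEW -m limit --limit 10/second \
        -j LOG --log-prefix "LAN-UDP-OUT: "
}

# 2. Hand LAN UDP to userspace, where the ftwall daemon inspects it and returns
#    a verdict per packet. QUEUE needs the ip_queue support the message mentions;
#    on kernels that dropped it, "-j NFQUEUE --queue-num 0" is the replacement.
ftwall_queue_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -p udp -s "$LAN_NET" -j QUEUE
}

# 3. Transparent proxy: outbound TCP to 80, 3128 and 8080 from the LAN is
#    redirected to the local squid, so pointing a browser at another proxy
#    port does not bypass the delay pools.
squid_redirect_rules() {
    for port in 80 3128 8080; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" \
            --dport "$port" -j REDIRECT --to-ports "$SQUID_PORT"
    done
}

# 4. Masquerade only a short list of destination ports (assumed list: DNS,
#    SMTP, HTTPS); with the FORWARD policy set to DROP, anything not listed
#    here (and not accepted by ftwall's verdict on UDP) never leaves the LAN.
masquerade_rules() {
    for spec in "udp 53" "tcp 53" "tcp 25" "tcp 443"; do
        set -- $spec
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$1" -s "$LAN_NET" \
            --dport "$2" -j ACCEPT
    done
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -P FORWARD DROP
}

# Order matters: the QUEUE rule goes in before the ACCEPT rules so LAN UDP is
# always seen by ftwall, and the logging rule before that so every new flow is recorded.
apply_all() {
    observe_udp_rules
    ftwall_queue_rules
    squid_redirect_rules
    masquerade_rules
}

case "${1:-}" in
    apply) apply_all ;;
esac
```

Run it as `IPT=echo ./p2p-gateway.sh apply` first to read the generated rule set, then without IPT to load it; ftwall must already be running, otherwise packets sent to QUEUE with no userspace reader are dropped by the kernel.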
