[email protected] wrote:
> Hi,
>
> we have installed CentOS 5 x86_64 with shorewall.
>
> I compiled ipp2p today and I want to use it with shorewall. I have read
> the page for ipp2p on the official shorewall site.
>
> What I want is to drop p2p packages using ipp2p and shorewall, how can
> I do that?
>
> Behind this server we have a network (192.168.0.1/24). I want to block
> possible p2p traffic from this network and maybe to allow this kind of
> traffic for particular IPs.
>
> I will be happy if someone helps me.

Several things:

a) The ipp2p module cannot guarantee that what it classifies as P2P
   traffic is actually P2P traffic. It uses heuristics and if a packet
   matches the profile of one of the P2P applications, it returns a
   match. So from that point of view, unconditionally dropping packets
   that ipp2p matches is dangerous.

b) Dropping packets from TCP connections that have been matched by
   ipp2p can lead to orphan connections since there is no way for the
   connection to be cleanly broken if the firewall is dropping all
   packets that are part of the connection. This can be used as a DOS
   attack.

c) I have been experimenting with the ipp2p module in xtables-addons
   1.6 and 1.7; my firewall won't run 5 minutes before crashing if I
   insert just a single ipp2p match rule. YMMV.

So if you can find a version of ipp2p that is stable on your platform, I
recommend using it to restrict the bandwidth used by P2P rather than to
try to stop P2P altogether.

-Tom

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
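
The restrict-rather-than-drop approach recommended in the reply, as an added example that is not part of the original message and is not Shorewall configuration: plain iptables and tc commands that mark ipp2p-matched connections and place them in a rate-limited HTB class, so a false positive is slowed instead of broken. The interface name, rates, mark value and the chosen ipp2p protocol flags are assumptions, and it assumes Shorewall's own traffic shaping is not managing that interface.

```shell
#!/bin/sh
# Added example: shape traffic matched by ipp2p instead of dropping it.
# Assumed values (not from the thread); override through the environment.
LAN_IF="${LAN_IF:-eth1}"            # interface facing the 192.168.0.x LAN
LINK_RATE="${LINK_RATE:-100mbit}"   # total rate of that link
P2P_RATE="${P2P_RATE:-256kbit}"     # ceiling for everything marked as P2P
P2P_MARK=4                          # firewall mark carried by P2P connections

# Emit the rule set as text so it can be reviewed before anything is loaded.
p2p_shaping_rules() {
cat <<EOF
iptables -t mangle -A FORWARD -j CONNMARK --restore-mark
iptables -t mangle -A FORWARD -m mark ! --mark 0 -j RETURN
iptables -t mangle -A FORWARD -m ipp2p --edk --bit --gnu --kazaa -j MARK --set-mark $P2P_MARK
iptables -t mangle -A FORWARD -m mark --mark $P2P_MARK -j CONNMARK --save-mark
tc qdisc add dev $LAN_IF root handle 1: htb default 10
tc class add dev $LAN_IF parent 1: classid 1:1 htb rate $LINK_RATE
tc class add dev $LAN_IF parent 1:1 classid 1:10 htb rate $LINK_RATE
tc class add dev $LAN_IF parent 1:1 classid 1:20 htb rate $P2P_RATE ceil $P2P_RATE
tc filter add dev $LAN_IF parent 1: protocol ip handle $P2P_MARK fw flowid 1:20
EOF
}

# Rules 1-2: packets of a connection that was already classified get the
#            saved mark back and skip the ipp2p match entirely.
# Rules 3-4: a heuristic hit marks the packet and saves the mark on the
#            connection, so the whole connection is shaped from then on.
# tc lines : unmarked traffic uses class 1:10; marked traffic leaving
#            LAN_IF (downloads toward LAN hosts) is held to P2P_RATE.
# No rule drops a packet, so a misclassified TCP connection still
# completes and closes normally, only more slowly.

if [ "${APPLY:-0}" = "1" ]; then
    # Needs root and a loadable ipp2p match module.
    p2p_shaping_rules | sh -e
else
    p2p_shaping_rules
fi
```

Run it without APPLY set to review the commands; with APPLY=1 it loads them, at which point the stability caveat in (c) applies to the single ipp2p rule.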
