> > Several things:
> >
> > a) The ipp2p module cannot guarantee that what it classifies as P2P
> > traffic is actually P2P traffic. It uses heuristics and if a packet
> > matches the profile of one of the P2P applications, it returns a match.
> > So from that point of view, unconditionally dropping packets that ipp2p
> > matches is dangerous.
> >
> > b) Dropping packets from TCP connections that have been matched by ipp2p
> > can lead to orphan connections since there is no way for the connection
> > to be cleanly broken if the firewall is dropping all packets that are
> > part of the connection. This can be used as a DOS attack.
> >
> > c) I have been experimenting with the ipp2p module in xtables-addons 1.6
> > and 1.7; my firewall won't run 5 minutes before crashing if I insert
> > just a single ipp2p match rule. YMMV.
>
> I've also experimented with the xtables-addons 1.6 version and tested it with
> p2p (torrent) traffic; however, it failed to match any packet. So I've just
> considered it as being broken.
Harry.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
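The contrast behind points a) and b) in the quoted text, as an added example that is not part of the thread and not Shorewall or xtables-addons code: a plain-iptables rule set (not Shorewall configuration syntax) showing the unconditional DROP the quoted poster warns about next to a form that logs the heuristic hit at a limited rate, records the verdict on the connection with CONNMARK so every packet of that connection is treated the same way, and closes the connection with a TCP reset instead of leaving it half-open. The `P2P_REJECT` chain name, the mark bit, the log prefix and the `IPT` dry-run variable are this example's own choices; `--bit` is ipp2p's BitTorrent matcher.

```shell
#!/bin/sh
# Added example, not from the list thread or from the Shorewall project.
# IPT defaults to "echo iptables" so the rules can be read and dry-run without
# root; run with IPT=iptables to load them. P2P_REJECT and the mark bit are
# this example's own choices.
IPT=${IPT:-echo iptables}
P2P_MARK=0x10    # connmark bit used here to tag a connection ipp2p has flagged

# Form the quoted poster warns about: act on the heuristic packet by packet.
# A false positive silently breaks a legitimate connection, and a true positive
# leaves both endpoints holding a connection that can only time out.
p2p_drop_rules() {
    $IPT -A FORWARD -p tcp -m ipp2p --bit -j DROP
}

# Alternative: make the heuristic hit visible, decide once per connection, and
# close the connection with a RST so the endpoints release their state.
p2p_reject_rules() {
    $IPT -N P2P_REJECT
    # RST for TCP; ICMP port-unreachable for anything else carrying the mark
    $IPT -A P2P_REJECT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A P2P_REJECT -j REJECT
    # Rate-limited log so false positives (point a) can be reviewed, not guessed at
    $IPT -A FORWARD -p tcp -m ipp2p --bit -m limit --limit 6/min \
        -j LOG --log-prefix "ipp2p-bit: "
    # Tag the whole connection the first time any of its packets matches
    $IPT -A FORWARD -p tcp -m ipp2p --bit -j CONNMARK --or-mark $P2P_MARK
    # Every packet of a tagged connection, whether or not it matches the
    # heuristic itself, is answered with a reset to the endpoint that sent it
    $IPT -A FORWARD -m connmark --mark $P2P_MARK/$P2P_MARK -j P2P_REJECT
}

# Dry run when executed directly: print both rule sets for comparison.
echo "# unconditional drop (orphans connections):"
p2p_drop_rules
echo "# log, mark the connection, reject with RST:"
p2p_reject_rules
```

Two caveats on the second form: REJECT only resets the endpoint whose packet was matched, so the remote peer is torn down only when it sends something through the firewall (until then it keeps its half of the connection), and `-N P2P_REJECT` assumes the chain does not already exist, so re-running the script on a live firewall requires flushing and deleting it first. Neither form addresses point c) or the match failure reported in the reply; those are properties of the module itself, not of how the rules are written.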
