[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: How can I stop kazaa, edonkey, emule, etc ??
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: How can I stop kazaa, edonkey, emule, etc ??
- From: Mike Lewinski <mike_(_at_)_rockynet_(_dot_)_com>
- Date: Wed, 11 Dec 2002 17:05:25 -0700
Marina Brown wrote:
At the risk of wasting bandwidth, i too would like very much any
solutions to block these "protocols".
Don't waste your time looking for a pf solution to this problem.
Those days are gone, and you can thank the makers of kazaa v2
for creating software which deliberately evades policy rules
(both outright blocks or rate-limiting by port). Their P2P
network is more important than anything else on your network.
The remaining solutions I am aware of:
1) As mentioned by others, snort or other IDS.
2) man altq. Here is a very simple config to rate-limit a single abusive
user at 10.10.20.5 to 256K both in and out:
$ cat /etc/altq.conf
conditioner xl0 af1x_cdnr <trtcm 128K 32K 256K 64K <pass><pass><drop>>
filter xl0 af1x_cdnr 0 0 10.10.20.5 0 0
conditioner xl1 af1x_cdnr <trtcm 128K 32K 256K 64K <pass><pass><drop>>
filter xl1 af1x_cdnr 10.10.20.5 0 0 0 0
changing the 2nd 'pass' in lines above will drop user to 128K.
The situation is bad and will likely get worse. I know of universities
that are scraping their coffers to buy PacketShapers ($10K USD each AFAIK)
when they really don't have the money for it. I would not recommend going
this route, because it is obvious to me what will happen in the next
version of kazaa- they will encrypt traffic and use tcp/443 by default. If
this scenario comes to pass, the last remaining technical solutions to the
problem will be gone (aside from simple host-based rate-limiting as in