Re: How can I stop kazaa, edonkey, emule, etc ??
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: How can I stop kazaa, edonkey, emule, etc ??
- From: Mike Lewinski <mike_(_at_)_rockynet_(_dot_)_com>
- Date: Wed, 11 Dec 2002 17:05:25 -0700
Marina Brown wrote:
> At the risk of wasting bandwidth, I too would like very much any
> solutions to block these "protocols".
Don't waste your time looking for a pf solution to this problem.
Those days are gone, and you can thank the makers of kazaa v2
for creating software which deliberately evades policy rules
(both outright blocks and rate-limiting by port). Their P2P
network is more important than anything else on your network.
The remaining solutions I am aware of:
1) As mentioned by others, snort or other IDS.
2) man altq. Here is a very simple config to rate-limit a single abusive
user at 10.10.20.5 to 256K both in and out:
$ cat /etc/altq.conf
# trtcm arguments: cir cbs pir pbs, then the actions for green, yellow and red
# filter fields: dst_addr dst_port src_addr src_port proto (0 = any)
# xl0: traffic sent by 10.10.20.5 (matched on the source address)
interface xl0
conditioner xl0 af1x_cdnr <trtcm 128K 32K 256K 64K <pass><pass><drop>>
filter xl0 af1x_cdnr 0 0 10.10.20.5 0 0
# xl1: traffic going to 10.10.20.5 (matched on the destination address)
interface xl1
conditioner xl1 af1x_cdnr <trtcm 128K 32K 256K 64K <pass><pass><drop>>
filter xl1 af1x_cdnr 10.10.20.5 0 0 0 0
Changing the 2nd 'pass' in the lines above will drop the user to 128K.
The situation is bad and will likely get worse. I know of universities
that are scraping their coffers to buy PacketShapers ($10K USD each AFAIK)
when they really don't have the money for it. I would not recommend going
this route, because it is obvious to me what will happen in the next
version of kazaa: they will encrypt traffic and use tcp/443 by default. If
this scenario comes to pass, the last remaining technical solutions to the
problem will be gone (aside from simple host-based rate-limiting as in
altq.conf above).
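As an added illustration of the mechanism behind that conditioner line (this is not code from the post or from OpenBSD's altq), here is a small two-rate three-colour marker (trTCM, RFC 2698) fed with a constructed constant-rate stream of 1000-byte packets for 100 seconds. It assumes rates in bit/s with K = 1000, burst sizes in bytes and colour-blind metering; with green and yellow passed the stream is held to about 256K, with yellow dropped to about 128K, and traffic already under the committed rate is untouched.

```python
# Added example (not from the post): trTCM meter as used by the altq
# 'trtcm' conditioner, with constructed input traffic.
# Assumptions: cir/pir in bit/s (K = 1000), cbs/pbs in bytes,
# colour-blind mode, buckets refilled on each packet arrival.

class TrTCM:
    def __init__(self, cir, cbs, pir, pbs):
        self.cir, self.cbs = cir, cbs   # committed rate (bit/s) and burst (bytes)
        self.pir, self.pbs = pir, pbs   # peak rate (bit/s) and burst (bytes)
        self.tc, self.tp = cbs, pbs     # token buckets start full
        self.last = 0.0                 # arrival time of the previous packet

    def colour(self, now, size):
        """Meter one packet of `size` bytes arriving at time `now` (seconds)."""
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir / 8 * dt)
        self.tp = min(self.pbs, self.tp + self.pir / 8 * dt)
        if self.tp < size:          # above the peak rate: red, no tokens taken
            return "red"
        self.tp -= size
        if self.tc < size:          # within PIR but above CIR: yellow
            return "yellow"
        self.tc -= size
        return "green"              # within the committed rate


def police(actions, offered_bps, seconds=100, pkt=1000):
    """Offer a constant `offered_bps` stream of `pkt`-byte packets to the
    conditioner from the post (trtcm 128K 32K 256K 64K) and return the
    rate in bit/s that the colour -> action map lets through."""
    meter = TrTCM(cir=128_000, cbs=32_000, pir=256_000, pbs=64_000)
    interval = pkt * 8 / offered_bps          # seconds between packets
    passed, t = 0, 0.0
    while t < seconds:
        if actions[meter.colour(t, pkt)] == "pass":
            passed += pkt
        t += interval
    return passed * 8 / seconds


if __name__ == "__main__":
    as_posted = {"green": "pass", "yellow": "pass", "red": "drop"}
    yellow_dropped = {"green": "pass", "yellow": "drop", "red": "drop"}
    print("512K offered, <pass><pass><drop>:", police(as_posted, 512_000))
    print("512K offered, <pass><drop><drop>:", police(yellow_dropped, 512_000))
    print("64K offered, <pass><pass><drop>: ", police(as_posted, 64_000))
```

The passed rate slightly exceeds the nominal limit because the burst sizes (cbs/pbs) let the first few packets through before the buckets drain.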