p2p: any suggestion?

on 28.04.2005 19:28:49 by Luca Ferrari

Dear admins,
I've got a network of mine with a quite standard and simple configuration: a
Linux firewall with iptables and squid as web proxy. Now I'm fighting against
p2p, and using the ipt_p2p and ipt_ipp2p modules I blocked p2p, until my
users started using the proxy as a way to use p2p. My proxy has a simple rule
mechanism that denies access by selecting source IPs and MAC addresses at the same
time, but since a few users (like the boss) are unlocked, a few users started
changing their IP/MAC address in order to get unconditioned access. Now the
question, as you can see, is: how can I block them? I found that using the
browser rule in squid I can block p2p HTTP headers, but other programs like
Microsoft Money or antivirus update (AVG) cannot work anymore. Has anyone done
this before? Any suggestion to definitively block this? Could DHCP solve the
problem, locking a MAC to a specific IP and thus denying the IP/MAC changes?

Thanks,
Luca
--
Luca Ferrari,
fluca1978@infinito.it
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: p2p: any suggestion?

on 28.04.2005 22:39:28 by Glynn Clements

Luca Ferrari wrote:

> I've got a network of mine with a quite standard and simple configuration: a
> Linux firewall with iptables and squid as web proxy. Now I'm fighting against
> p2p, and using the ipt_p2p and ipt_ipp2p modules I blocked p2p, until my
> users started using the proxy as a way to use p2p. My proxy has a simple rule
> mechanism that denies access by selecting source IPs and MAC addresses at the same
> time, but since a few users (like the boss) are unlocked, a few users started
> changing their IP/MAC address in order to get unconditioned access. Now the
> question, as you can see, is: how can I block them? I found that using the
> browser rule in squid I can block p2p HTTP headers, but other programs like
> Microsoft Money or antivirus update (AVG) cannot work anymore. Has anyone done
> this before? Any suggestion to definitively block this?

Either:

a) require users to connect to the proxy via a VPN which requires
authentication, or

b) use intelligent switches which allow you to lock ports to a
specific MAC address.

Option b) requires buying new hardware, but it is transparent to the
user.

> Could dhcp solve the problem, locking a mac to a specific ip and
> thus denying the ip/mac changes?

Not if users can change their MAC addresses.

--
Glynn Clements
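
Why option b) holds up where an IP/MAC rule does not, as an added example that is not part of the original thread: the switch port a frame arrives on is the one attribute a user cannot change from their own machine, so checking observed MACs against ports exposes a cloned address. The observation format, port names, addresses and the `ALLOWED_PORT` policy are constructed assumptions, not output of any particular switch.

```python
from collections import defaultdict

# Assumed policy (hypothetical): each unrestricted MAC and the single
# switch port it is allowed to appear on.
ALLOWED_PORT = {"00:11:22:33:44:55": "port1"}

# Constructed sample of switch forwarding-table observations,
# one per line: "<timestamp> <port> <mac>".
SAMPLE = """\
2005-04-28T09:00:00 port1 00:11:22:33:44:55
2005-04-28T09:00:00 port7 00:aa:bb:cc:dd:07
2005-04-28T14:10:00 port7 00:11:22:33:44:55
2005-04-28T14:10:00 port1 00:11:22:33:44:55
2005-04-28T14:20:00 port9 00:AA:BB:CC:DD:09
"""

def parse(text):
    """Yield (timestamp, port, mac) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ts, port, mac = parts
            yield ts, port, mac.lower()  # normalise case before comparing

def find_violations(text, allowed=ALLOWED_PORT):
    """Return (timestamp, kind, mac, port) findings in observation order."""
    findings = []
    macs_on_port = defaultdict(set)
    for ts, port, mac in parse(text):
        # An unrestricted MAC seen anywhere but its assigned port is a clone:
        # the IP/MAC pair looks valid to the proxy, the port does not.
        expected = allowed.get(mac)
        if expected is not None and port != expected:
            findings.append((ts, "privileged-mac-on-wrong-port", mac, port))
        # A port that already had a MAC and now shows a different one
        # indicates the attached host changed its address.
        seen = macs_on_port[port]
        if seen and mac not in seen:
            findings.append((ts, "mac-changed-on-port", mac, port))
        seen.add(mac)
    return findings

if __name__ == "__main__":
    for finding in find_violations(SAMPLE):
        print(*finding)
```

A switch that locks each port to one MAC enforces the same check in hardware, dropping the frames instead of reporting them.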