Geekzone: technology news, blogs, forums
Topic # 87719 4-Aug-2011 22:11 (macjones)

In a small cafe wifi situation......

Can any geeks suggest the best options for firewall rules to stop an OpenWrt router from doing P2P? (Yes, I know this would kill ubuntu.iso downloads as well.)

I hear that P2P clients can be set to use port 80 as well; does this mean I'd need to block / proxy the whole interweb to stop P2P?

Thoughts on UDP blocking as a method?

Or just not try, and .....
- have very good T's & C's ready for the court room
- tunnel everything to Bolivia or somewhere else without S92A so my OpenWrt users can't get me landed in court?
- put more RAM in my WRT54G so I can keep all those log files :-)

Thanks
Mac
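An added example (mine, not from the thread and not OpenWrt project code) of the firewall-rule approach the question asks about: instead of trying to recognise P2P, permit only named services from the guest interface and log-then-drop the rest. It assumes the guest Wi-Fi interface is wlan0, that the commands are meant for /etc/firewall.user on an iptables-based OpenWrt build, and that the chain name guest_fwd and the port lists are starting points to adjust. The rate-limited LOG rule is there so you can see which legitimate traffic (VPNs on UDP 500/4500/1194, VoIP, games) you are breaking before deciding whether the trade-off is acceptable.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: allowlist
# firewall for a guest Wi-Fi interface on an iptables-based OpenWrt router.
# Anything from the guest interface that is not explicitly permitted is
# logged (rate-limited) and dropped.
# Assumptions: guest interface is "wlan0" (override with GUEST_IF), the
# chain name "guest_fwd" is our own, and the commands go in /etc/firewall.user.

GUEST_IF="${GUEST_IF:-wlan0}"
# UDP: DNS and NTP only. Add 500 4500 1194 if guests must be able to use VPNs.
UDP_ALLOW="${UDP_ALLOW:-53 123}"
# TCP: ssh, web, mail submission/retrieval.
TCP_ALLOW="${TCP_ALLOW:-22 80 443 465 587 993 995}"

# guest_rules: print the iptables commands, in order, without applying them,
# so the rule set can be reviewed (or diffed against the running one) first.
guest_rules() {
    echo "iptables -N guest_fwd 2>/dev/null || iptables -F guest_fwd"
    # Re-hook the chain idempotently at the top of FORWARD.
    echo "iptables -D FORWARD -i $GUEST_IF -j guest_fwd 2>/dev/null"
    echo "iptables -I FORWARD -i $GUEST_IF -j guest_fwd"
    # Packets of connections already accepted pass without re-checking.
    echo "iptables -A guest_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $UDP_ALLOW; do
        echo "iptables -A guest_fwd -p udp --dport $p -j ACCEPT"
    done
    for p in $TCP_ALLOW; do
        echo "iptables -A guest_fwd -p tcp --dport $p -j ACCEPT"
    done
    # Log a sample of what gets dropped: this is the collateral-damage list.
    echo "iptables -A guest_fwd -m limit --limit 10/min -j LOG --log-prefix 'guest-drop: '"
    echo "iptables -A guest_fwd -j DROP"
}

# guest_rule_count: number of commands in the plan, a cheap sanity check.
guest_rule_count() {
    guest_rules | wc -l | tr -d ' '
}

# Usage: sh guest-fw.sh  (review the plan)   sh guest-fw.sh apply  (execute it)
if [ "${1:-}" = "apply" ]; then
    guest_rules | sh
else
    guest_rules
fi
```

Run it with no arguments to review the commands and with apply to execute them. Only forwarded traffic is affected; the router's own DHCP and DNS service to guests goes through INPUT and is untouched. Anything a client tunnels over TCP 443 still gets through, which is the point the replies below make.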




Reply # 502190 4-Aug-2011 22:48 (sbiddle, Biddle Corp, Moderator)

Simple story is you can't block P2P traffic.

Reply # 502193 4-Aug-2011 22:55 (Spark NZ)

sbiddle: Simple story is you can't block P2P traffic.


Chuckle... Yes you can silly!

The only question is how much legitimate traffic are you prepared to block as collateral damage? :-)

Hint: to do a perfect job blocking P2P you'll end up blocking a lot* of non-P2P traffic.

Cheers - N

(* - Approximately all)

Reply # 502201 4-Aug-2011 23:24 (MaiTechnoKiwi)

I provide Wi-Fi hotspots and use a firmware that runs on OpenWrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may have fixed this by now.
If you need help visit the OpenWrt website for information.

 

Reply # 502228 5-Aug-2011 07:22 (sbiddle, Biddle Corp, Moderator)

MaiTechnoKiwi: I provide Wi-Fi hotspots and use a firmware that runs on OpenWrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may have fixed this by now.
If you need help visit the OpenWrt website for information.

 



OpenWrt and most other open source software and devices such as MikroTik's all have supported L7 filters, which have typically been the best way of identifying and shaping P2P traffic. With changes to the protocols used and a move to UDP these are next to useless.

The only way to shape P2P traffic is to identify "good" traffic and prioritise this, while giving everything else a pool. Great in theory but what defines "good" traffic? And how many other apps will you affect?

There is no simple way to block all P2P traffic right now without spending a massive amount of money on DPI gear (which can also be easily defeated). All the simple ways that used to work are now pretty much ineffective.
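The "identify good traffic, prioritise it, give everything else a pool" idea as an added example (mine, not from the thread or any project): a two-class HTB shaper on the router's WAN interface using Linux tc. It assumes the WAN interface is eth0.1 and 2048 kbit/s of upstream (WAN_IF and UPLINK_KBIT), and the port lists are my definition of "good", which is exactly the judgement call the reply says you have to make.

```shell
#!/bin/sh
# Added example, not from the thread: prioritise known-good traffic and put
# everything else into one shared pool with Linux tc HTB, on the WAN side of
# an OpenWrt router. Assumptions: WAN interface "eth0.1" (WAN_IF) and
# 2048 kbit/s upstream (UPLINK_KBIT); tune both to the real link.

WAN_IF="${WAN_IF:-eth0.1}"
UPLINK_KBIT="${UPLINK_KBIT:-2048}"

# "Good" interactive traffic: DNS, SSH, web. Everything else (P2P, downloads
# on arbitrary ports, unknown UDP) lands in the default class.
PRIO_TCP="${PRIO_TCP:-22 53 80 443}"
PRIO_UDP="${PRIO_UDP:-53}"

# Bandwidth guaranteed to the priority class (40% of the uplink), in kbit/s.
prio_rate_kbit() { echo $(( UPLINK_KBIT * 40 / 100 )); }
# Bandwidth guaranteed to the pool (the remaining 60%), in kbit/s.
pool_rate_kbit() { echo $(( UPLINK_KBIT * 60 / 100 )); }

# shaper_commands: print the tc commands without applying them.
shaper_commands() {
    echo "tc qdisc del dev $WAN_IF root 2>/dev/null"
    # Root HTB; unclassified traffic falls into class 1:20, the pool.
    echo "tc qdisc add dev $WAN_IF root handle 1: htb default 20"
    echo "tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit ceil ${UPLINK_KBIT}kbit"
    # 1:10: guaranteed share, may borrow up to the full link, served first.
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate $(prio_rate_kbit)kbit ceil ${UPLINK_KBIT}kbit prio 0"
    # 1:20: the pool for everything else, served after 1:10 when both are busy.
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate $(pool_rate_kbit)kbit ceil ${UPLINK_KBIT}kbit prio 1"
    # Fair queuing inside each class so one flow cannot starve the others.
    echo "tc qdisc add dev $WAN_IF parent 1:10 handle 10: sfq perturb 10"
    echo "tc qdisc add dev $WAN_IF parent 1:20 handle 20: sfq perturb 10"
    # Classify by destination port with u32 matches on the IP header
    # (protocol 6 = TCP, 17 = UDP).
    for p in $PRIO_TCP; do
        echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport $p 0xffff flowid 1:10"
    done
    for p in $PRIO_UDP; do
        echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport $p 0xffff flowid 1:10"
    done
}

# Usage: sh shaper.sh  (review)   sh shaper.sh apply  (execute)
if [ "${1:-}" = "apply" ]; then
    shaper_commands | sh
else
    shaper_commands
fi
```

This shapes upload only; for download, put the same structure on the LAN-facing interface and match on sport instead of dport, or use an IFB device. It does not stop P2P: it only guarantees that interactive traffic keeps working when the pool is saturated, and anything a client runs on a "good" port gets the good treatment, which is the collateral damage the replies warn about.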

Reply # 502296 5-Aug-2011 09:39 (magu, BitSignal)

Indeed. Blocking P2P is nearly impossible. Tried many different solutions (free ones) and got nowhere.

Until we started doing RADIUS accounting of traffic. Each guest (it's a hostel) gets a username/password and a certain amount of traffic (1GB/month, can buy more if necessary) that renews monthly for as long as they stay a guest. We also shape ALL traffic for each user, to ensure bandwidth availability to other guests.

We can then track who's doing what and when.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



Reply # 502396 5-Aug-2011 12:30 (macjones)

Hi Magu, :-)

A few questions if you have a mo.....

1. What software / hardware are you using? Just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1, 2, 3 strikes under the new law; the law seems uninterested in your guests, but only in you as the main internet-routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one BitTorrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac
 

Reply # 502420 5-Aug-2011 13:15 (magu, BitSignal)

macjones: Hi Magu, :-)

A few questions if you have a mo.....

1. What software / hardware are you using? Just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1, 2, 3 strikes under the new law; the law seems uninterested in your guests, but only in you as the main internet-routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one BitTorrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac
 


1. pfSense on an old HP tower server with FreeRADIUS and daloRADIUS running on a separate Ubuntu server with my own custom query for data-based tickets (it only does time-based tickets out of the box).

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.

If a second/third notification comes, we'll probably enter a lock-down mode where no one is allowed access. A bit Orwellian, but they have to protect the business as well.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown
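An added example (mine, not magu's setup and not daloRADIUS code) of what the RADIUS accounting approach described in the two posts above buys you: per-user data totals against a monthly quota, and "who had this address at this time" attribution when a notification arrives. It assumes a CSV export of the FreeRADIUS radacct table with the columns username,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets; the rows embedded below are constructed, and 1 GB is taken as 1 GiB (1073741824 bytes).

```shell
#!/bin/sh
# Added example, not magu's setup and not daloRADIUS code: per-user data
# totals against a quota, and "who had this address at this time" lookups,
# over a CSV export of the FreeRADIUS radacct table.
# Assumed columns: username,framedipaddress,acctstarttime,acctstoptime,
#                  acctinputoctets,acctoutputoctets
# Quota: 1 GiB per user per billing period (override with QUOTA_BYTES).

QUOTA_BYTES="${QUOTA_BYTES:-1073741824}"

# Constructed sample export: alice has two sessions and is over quota,
# bob and carol are within it; carol's session is still open (empty stop
# time) and reuses the address alice had earlier.
sample_radacct() {
cat <<'EOF'
username,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets
alice,10.0.0.23,2011-08-01 09:12:00,2011-08-01 11:40:00,734003200,52428800
bob,10.0.0.24,2011-08-02 18:40:00,2011-08-02 19:05:00,104857600,8388608
alice,10.0.0.23,2011-08-03 21:05:00,2011-08-03 23:30:00,419430400,31457280
carol,10.0.0.23,2011-08-03 23:45:00,,20971520,4194304
EOF
}

# usage_report: reads the CSV on stdin, prints "user total_bytes OVER|OK",
# one line per user, sorted by user name.
usage_report() {
    awk -F, -v quota="$QUOTA_BYTES" '
        NR == 1 { next }                       # skip the header row
        NF >= 6 { total[$1] += $5 + $6 }       # download + upload octets
        END {
            for (u in total)
                printf "%s %d %s\n", u, total[u], (total[u] > quota ? "OVER" : "OK")
        }' | sort
}

# over_quota_users: reads the CSV on stdin, prints only the users to cut off.
over_quota_users() {
    usage_report | awk '$3 == "OVER" { print $1 }'
}

# who_had_ip <address> <"YYYY-MM-DD HH:MM:SS">: reads the CSV on stdin and
# prints the user(s) whose session on that address covered that moment.
# Fixed-width timestamps make plain string comparison correct; an empty
# acctstoptime means the session is still open.
who_had_ip() {
    awk -F, -v ip="$1" -v t="$2" '
        NR > 1 && $2 == ip && $3 <= t && ($4 == "" || t <= $4) { print $1 }'
}
```

Run it as, for example, sample_radacct | who_had_ip 10.0.0.23 '2011-08-04 00:30:00' (prints carol) or usage_report < radacct.csv against a real export. Attributing a notice still needs the other half: the notice quotes the public IP, port and time, so the NAT translation log (which internal address held that port at that moment) has to be kept too, and the clocks on the router and the RADIUS server have to agree.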

Reply # 502425 5-Aug-2011 13:20 (Spark NZ)

magu:

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.


I'd definitely look into it. My take is that if you wish to be able to pass on responsibility to your end users, you need to fulfil all the obligations of an IPAP yourself.

Read the law

http://www.legislation.govt.nz/act/public/2011/0011/latest/DLM2764327.html#DLM2764329

Cheers - N


Reply # 502441 5-Aug-2011 14:18

A start would be to null route most common public trackers.

Otherwise, as stated, devices capable of L7 filtering are one of your other options.
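An added example (mine, not from the thread) of the null-route suggestion done carefully: a maintained list of tracker addresses is validated, deduplicated and turned into blackhole routes, so a bad line in the list cannot break the routing table. The list path /etc/tracker-blackhole.txt is assumed, and the addresses in the embedded sample are constructed placeholders from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, not real trackers.

```shell
#!/bin/sh
# Added example, not from the thread: turn a maintained list of tracker
# addresses into blackhole routes on the router so guest clients cannot
# reach them. Assumptions: the list lives in /etc/tracker-blackhole.txt,
# one IPv4 address per line, '#' comments allowed. The addresses in the
# sample below are constructed placeholders from the documentation ranges.

sample_list() {
cat <<'EOF'
# constructed example entries, not real trackers
192.0.2.10
198.51.100.7
192.0.2.10        # duplicate, collapsed by sort -u
not-an-address    # rejected by the validator
EOF
}

# valid_ipv4 <addr>: returns 0 if addr is four dotted decimal octets 0-255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# blackhole_commands: reads the list on stdin and prints one "ip route"
# command per unique valid address; invalid entries go to stderr and are
# skipped rather than aborting the whole run.
blackhole_commands() {
    sed 's/#.*//' | awk 'NF { print $1 }' | sort -u | while read -r addr; do
        if valid_ipv4 "$addr"; then
            echo "ip route replace blackhole $addr"
        else
            echo "skipping invalid entry: $addr" >&2
        fi
    done
}

# Usage: blackhole_commands < /etc/tracker-blackhole.txt        (review)
#        blackhole_commands < /etc/tracker-blackhole.txt | sh   (apply)
```

"replace" rather than "add" keeps the run idempotent when the script is re-applied from cron. This only covers tracker-based peer discovery: DHT and peer exchange find peers without any tracker, and trackers change addresses, so treat the list as a maintenance chore rather than a fix. A blackhole route drops silently; to see which guest is trying, log the matching destinations with a rule placed before the routing decision (the mangle PREROUTING chain), not in FORWARD, which is never reached for blackholed traffic.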
