Geekzone: technology news, blogs, forums




Topic # 87719 4-Aug-2011 22:11

In a small cafe wifi situation......

Can any geeks suggest the best options for firewall rules to stop an OpenWrt router from doing P2P (yes, I know this would kill ubuntu.iso downloads as well)?

I hear that P2P clients can be set to use port 80 as well; does this mean I'd need to block / proxy the whole interweb to stop P2P?

Thoughts on UDP blocking as a method?

Or just not try, and .....
- have very good T's & C's ready for the court room
- tunnel everything to Bolivia or somewhere else without S92A so my OpenWrt users can't get me landed in court?
- put more RAM in my WRT54G so I can keep all those log files :-)

Thanks
Mac




Reply # 502190 4-Aug-2011 22:48 (Moderator, Biddle Corp)

Simple story is you can't block P2P traffic.

Reply # 502193 4-Aug-2011 22:55 (Spark NZ)

sbiddle: Simple story is you can't block P2P traffic.


Chuckle... Yes you can, silly!

The only question is how much legitimate traffic are you prepared to block as collateral damage? :-)

Hint: to do a perfect job blocking P2P you'll end up blocking a lot* of non-P2P traffic.

Cheers - N

(* - Approximately all)

Reply # 502201 4-Aug-2011 23:24

I provide Wi-Fi hotspots and use a firmware that runs on OpenWrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may have fixed this by now.
If you need help visit openwrt website for information.

 

Reply # 502228 5-Aug-2011 07:22 (Moderator, Biddle Corp)

MaiTechnoKiwi: I provide Wi-Fi hotspots and use a firmware that runs on OpenWrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may have fixed this by now.
If you need help visit openwrt website for information.

 



OpenWrt and most other open source software and devices such as MikroTik's have all supported L7 filters, which have typically been the best way of identifying and shaping P2P traffic. With changes to the protocols used and a move to UDP these are next to useless.

The only way to shape P2P traffic is to identify "good" traffic and prioritise this, while giving everything else a pool. Great in theory but what defines "good" traffic? And how many other apps will you affect?

There is no simple way to block all P2P traffic right now without spending a massive amount of money on DPI gear (which can also be easily defeated). All the simple ways that used to work are now pretty much ineffective.

Reply # 502296 5-Aug-2011 09:39 (BitSignal)

Indeed. Blocking P2P is nearly impossible. Tried many different solutions (free ones) and got nowhere.

Until we started doing RADIUS accounting of traffic. Each guest (it's a hostel) gets a username/password and a certain amount of traffic (1GB/month, can buy more if necessary) that renews monthly for as long as they stay a guest. We also shape ALL traffic for each user, to ensure bandwidth availability to other guests.

We can then track who's doing what and when.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



Reply # 502396 5-Aug-2011 12:30

Hi Magu,  :-)

A few questions if you have a mo.....

1. What software / hardware are you using, just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1,2,3 strikes under the new law, the law seems uninterested in your guests, but only in you as the main internet routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one BitTorrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac
 

Reply # 502420 5-Aug-2011 13:15 (BitSignal)

macjones: Hi Magu,  :-)

A few questions if you have a mo.....

1. What software / hardware are you using, just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1,2,3 strikes under the new law, the law seems uninterested in your guests, but only in you as the main internet routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one BitTorrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac
 


1. pfSense on an old HP tower server with FreeRADIUS and daloRADIUS running on a separate Ubuntu server with my own custom query for data-based tickets (it only does time-based tickets out of the box).

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.

If a second/third notification comes, we'll probably enter a lock-down mode where no one is allowed access. A bit Orwellian, but they have to protect the business as well.





Reply # 502425 5-Aug-2011 13:20 (Spark NZ)

magu:

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.


I'd definitely look into it. My take is that if you wish to be able to pass on responsibility to your end users, you need to fulfil all the obligations of an IPAP yourself.

Read the law

http://www.legislation.govt.nz/act/public/2011/0011/latest/DLM2764327.html#DLM2764329

Cheers - N


Reply # 502441 5-Aug-2011 14:18

A start would be to null-route the most common public trackers.

Otherwise, as stated, devices capable of L7 filtering are one of your other options.
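As an added illustration of the thread's point about L7 filters versus port rules (this is example code written for this page, not code from OpenWrt, l7-filter, or any poster), the following Python script runs a port-range rule and a set of simplified payload signatures over constructed packets. The signatures are in the spirit of the l7-filter bittorrent pattern but are written from scratch here (plaintext peer-wire handshake, HTTP tracker announce, bencoded DHT message, and a uTP header heuristic); the sample packets, info_hash, peer_id, and DNS transaction ID are all made up for the demonstration. It shows that a plaintext handshake on port 80 slips past a port rule but not payload inspection, that an MSE-encrypted handshake slips past both, and that the only handle on uTP is a header heuristic weak enough to flag an ordinary DNS query.

```python
import hashlib
import re
from dataclasses import dataclass

# Simplified signatures (constructed for this example; not the l7-filter pattern verbatim).
HANDSHAKE_RE = re.compile(rb"^\x13BitTorrent protocol")                 # BEP 3 peer-wire opener
TRACKER_RE = re.compile(rb"^GET /[^ ]*announce[^ ]*info_hash=", re.IGNORECASE)  # HTTP tracker announce
DHT_RE = re.compile(rb"^d[0-9]+:.*1:y1:[qre]", re.DOTALL)                # bencoded KRPC dict (BEP 5)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # first bytes of the stream or datagram


def port_rule_blocks(pkt: Packet) -> bool:
    """The naive firewall approach: drop the 'well known' BitTorrent port range 6881-6999."""
    return 6881 <= pkt.dport <= 6999


def looks_like_utp(payload: bytes) -> bool:
    """uTP (BEP 29) header heuristic: version nibble 1, type 0..4, extension byte 0 or 1,
    at least a 20-byte header. Deliberately weak: any UDP payload whose first two bytes
    happen to fit is flagged, which is the collateral damage the thread talks about."""
    if len(payload) < 20:
        return False
    typ, ver = payload[0] >> 4, payload[0] & 0x0F
    return ver == 1 and typ <= 4 and payload[1] in (0, 1)


def classify(pkt: Packet) -> str:
    """Payload-based label: bt-handshake, bt-tracker, bt-dht, utp?, or unknown."""
    p = pkt.payload
    if pkt.proto == "tcp":
        if HANDSHAKE_RE.match(p):
            return "bt-handshake"
        if TRACKER_RE.match(p):
            return "bt-tracker"
        return "unknown"
    if DHT_RE.match(p):
        return "bt-dht"
    if looks_like_utp(p):
        return "utp?"
    return "unknown"


# --- constructed sample traffic (not captured from a real network) ---
INFO_HASH = b"\xaa" * 20
PEER_ID = b"-XX0001-" + b"0" * 12


def bt_handshake() -> bytes:
    """Plaintext peer-wire handshake: pstrlen, pstr, 8 reserved bytes, info_hash, peer_id."""
    return b"\x13BitTorrent protocol" + b"\x00" * 8 + INFO_HASH + PEER_ID


def mse_handshake() -> bytes:
    """Message Stream Encryption opener: a 96-byte DH public key plus padding. It carries
    no fixed marker, so a pattern matcher has nothing to find. SHA-256 is used here only
    to make the stand-in key bytes deterministic."""
    return hashlib.sha256(b"constructed-dh-public-key").digest() * 3 + b"\x00" * 8


def utp_syn() -> bytes:
    """uTP ST_SYN: type 4 / version 1 in the first byte, no extension, 20-byte header."""
    return bytes([0x41, 0x00]) + b"\x12\x34" + b"\x00" * 16


SAMPLES = {
    "plain handshake, port 6881": Packet("tcp", 6881, bt_handshake()),
    "plain handshake, port 80": Packet("tcp", 80, bt_handshake()),
    "MSE-encrypted handshake, port 80": Packet("tcp", 80, mse_handshake()),
    "HTTP tracker announce": Packet("tcp", 80, b"GET /announce?info_hash=%AA%AA&peer_id=x HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    "ordinary HTTP GET": Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "DHT ping": Packet("udp", 6881, b"d1:ad2:id20:" + b"\x01" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    "uTP SYN, port 443": Packet("udp", 443, utp_syn()),
    # Legitimate DNS query whose (constructed) transaction ID 0x1100 happens to fit the uTP heuristic.
    "DNS query, txid 0x1100": Packet("udp", 53, b"\x11\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
}


def report() -> dict:
    """For every sample: (does the port rule drop it?, payload classification)."""
    return {name: (port_rule_blocks(p), classify(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (blocked, label) in report().items():
        verdict = "drop" if blocked else "pass"
        print(f"{name:34} port-rule={verdict:4} l7={label}")
```

Running it prints one line per sample. The port rule drops only the two samples on 6881 and passes the handshake on port 80; the signatures catch every plaintext BitTorrent sample regardless of port but label the MSE handshake "unknown", and the uTP heuristic flags the DNS query alongside the real uTP SYN. Tightening the heuristic to avoid that false positive is exactly the trade-off the replies describe: you either accept misses on encrypted and UDP traffic or accept hitting legitimate traffic.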
