Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
ForumsNew Zealand Mobile and WirelessS92A Copyright Act Firewall rules for Openwrt?


103 posts

Master Geek
+1 received by user: 1


Topic # 87719 4-Aug-2011 22:11
Send private message

In a small cafe wifi situation......

Can any geeks suggest the best options for firewall rules to stop an Openwrt router from doing P2P (yes I know this would kill ubuntu.iso downloads as well)

I hear that p2p clients can be set to use port 80 as well, does this mean i'd need to block / proxy the whole interweb to stop P2P?

Thoughts on UDB blocking as a method?

Or just not try, and .....
- have very good t's & c's ready for the court room
- tunnel everytihing to Bolivia or somewhere else without S92A so my Openwrt users can't get me landed in court?
- put more ram in my WRT54G so I can keep all those log files :-)

Thanks
Mac

Create new topic
27137 posts

Uber Geek
+1 received by user: 6578

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 502190 4-Aug-2011 22:48
Send private message

Simple story is you can't block P2P traffic.

3740 posts

Uber Geek
+1 received by user: 2270

Trusted
Spark NZ

  Reply # 502193 4-Aug-2011 22:55
Send private message

sbiddle: Simple story is you can't block P2P traffic.


Chuckle... Yes you can silly!

The only question is how much legitimate traffic are you prepared to block as collateral damage? :-)

Hint, to do a perfect job blocking P2P you'll end up blocking a lot* of non P2P traffic.

Cheers - N

(* - Approximately all)

26 posts

Geek
Inactive user


Reply # 502201 4-Aug-2011 23:24
Send private message

I provide Wi-Fi hotspots and use a firmware that runs on openwrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may of fixed this by now.
If you need help visit openwrt website for information.

 

27137 posts

Uber Geek
+1 received by user: 6578

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 502228 5-Aug-2011 07:22
Send private message

MaiTechnoKiwi: I provide Wi-Fi hotspots and use a firmware that runs on openwrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may of fixed this by now.
If you need help visit openwrt website for information.

 



open-wrt and most other open source software and devices such as Mikrotik's all have supported l7 filters which have typically been the best way of identifying the shaping P2P traffic. With changes to the protocols used and a move to UDP these are next to useless.

The only way to shape P2P traffic is to identify "good" traffic and prioritise this, while giving everything else a pool. Great in theory but what defines "good" traffic? And how many other apps will you affect?

There is no simple way to block all P2P traffic, and right now without spending massive amount of money on DPI gear (which can also be easily defeated). All the simple ways that used to work are now pretty much ineffective.

Professional yak shaver
1599 posts

Uber Geek
+1 received by user: 8

Trusted
BitSignal
Lifetime subscriber

  Reply # 502296 5-Aug-2011 09:39
Send private message

Indeed. Blocking P2P is nearly impossible. Tried many different solutions (free ones) and got nowhere.

Until we started doing RADIUS accounting of traffic. Each guest (it's a hostel) gets a username/password and a certain amount of traffic (1GB/month, can buy more if necessary) that renews monthly for as long as they stay a guest. We also shape ALL traffic for each user, to ensure bandwidth availability to other guests.

We can then track who's doing what and when.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



103 posts

Master Geek
+1 received by user: 1


Reply # 502396 5-Aug-2011 12:30
Send private message

Hi Magu,  :-)

A few questions if you have a mo.....

1. What software / hardware are you using, just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1,2,3 strikes under the new law, the law seems uninterested in your guests, but only in you as the main internet routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one bit torrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac
 

Professional yak shaver
1599 posts

Uber Geek
+1 received by user: 8

Trusted
BitSignal
Lifetime subscriber

  Reply # 502420 5-Aug-2011 13:15
Send private message

macjones: Hi Magu,  :-)

A few questions if you have a mo.....

1. What software / hardware are you using, just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1,2,3 strikes under the new law, the law seems uninterested in your guests, but only in you as the main internet routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one bit torrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac
 


1. pfSense on an old HP tower server with FreeRADIUS and daloRADIUS running on a separate Ubuntu server with my own custom query for data-based tickets (it only does time-based tickets out of the box).

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.

If a second/third notification comes, we'll probably enter a lock-down mode where no one is allowed access. A bit orwellian, but they have to protect the business as well.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

3740 posts

Uber Geek
+1 received by user: 2270

Trusted
Spark NZ

  Reply # 502425 5-Aug-2011 13:20
Send private message

magu:

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.


I'd definitely look into it. My take is that if you wish to be able to pass on responsibility to your end users, you need to fulfil all the obligations of an IPAP yourself.

Read the law

http://www.legislation.govt.nz/act/public/2011/0011/latest/DLM2764327.html#DLM2764329

Cheers - N

956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 502441 5-Aug-2011 14:18
Send private message

A start would be to null route most common public trackers

Otherwise as stated, devices capable of l7 is one of your other options 

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.