Geekzone: technology news, blogs, forums


macjones

106 posts

Master Geek


#87719 4-Aug-2011 22:11

In a small cafe Wi-Fi situation......

Can any geeks suggest the best options for firewall rules to stop an OpenWrt router from doing P2P? (Yes, I know this would kill ubuntu.iso downloads as well.)

I hear that P2P clients can be set to use port 80 as well; does this mean I'd need to block / proxy the whole interweb to stop P2P?

Thoughts on UDP blocking as a method?

Or just not try, and .....
- have very good T's & C's ready for the court room
- tunnel everything to Bolivia or somewhere else without S92A so my OpenWrt users can't get me landed in court?
- put more RAM in my WRT54G so I can keep all those log files :-)

Thanks
Mac




sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #502190 4-Aug-2011 22:48

Simple story is you can't block P2P traffic.



Talkiet
4793 posts

Uber Geek

Trusted

  #502193 4-Aug-2011 22:55

sbiddle: Simple story is you can't block P2P traffic.


Chuckle... Yes you can, silly!

The only question is how much legitimate traffic are you prepared to block as collateral damage? :-)

Hint, to do a perfect job blocking P2P you'll end up blocking a lot* of non P2P traffic.

Cheers - N

(* - Approximately all)




Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.


MaiTechnoKiwi
26 posts

Geek
Inactive user


#502201 4-Aug-2011 23:24

I provide Wi-Fi hotspots and use a firmware that runs on OpenWrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may have fixed this by now.
If you need help, visit the OpenWrt website for information.

 



sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #502228 5-Aug-2011 07:22

MaiTechnoKiwi: I provide Wi-Fi hotspots and use a firmware that runs on OpenWrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may have fixed this by now.
If you need help, visit the OpenWrt website for information.

 



OpenWrt and most other open source software and devices such as MikroTik's all have supported l7 filters, which have typically been the best way of identifying and shaping P2P traffic. With changes to the protocols used and a move to UDP, these are next to useless.

The only way to shape P2P traffic is to identify "good" traffic and prioritise this, while giving everything else a pool. Great in theory, but what defines "good" traffic? And how many other apps will you affect?

There is no simple way to block all P2P traffic right now without spending massive amounts of money on DPI gear (which can also be easily defeated). All the simple ways that used to work are now pretty much ineffective.
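An added example (not sbiddle's code and not part of any OpenWrt project) of the "prioritise known-good traffic, give everything else a pool" approach described above, as a tc HTB plus iptables script for an OpenWrt-style router: the WAN interface name, the rates and which ports count as "good" are assumptions. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: "prioritise good traffic, pool the rest"
# egress shaper using tc HTB classes plus iptables marks (OpenWrt-style).
# Interface, rates and the port list are assumptions; adjust for your link.
# With DRY_RUN=1 the commands are printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_qos <wan_iface> <uplink_kbit>
# Class 1:10 = interactive ("good"), 1:20 = web, 1:30 = everything else.
# Unclassified traffic lands in 1:30 (default 30): the pool that P2P shares,
# without any attempt to identify P2P itself.
apply_qos() {
    wan="$1"; rate="$2"
    run tc qdisc del dev "$wan" root 2>/dev/null || true
    run tc qdisc add dev "$wan" root handle 1: htb default 30
    run tc class add dev "$wan" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    # Good and web classes get a guaranteed share and may borrow the full link.
    run tc class add dev "$wan" parent 1:1 classid 1:10 htb rate "$((rate*4/10))kbit" ceil "${rate}kbit" prio 0
    run tc class add dev "$wan" parent 1:1 classid 1:20 htb rate "$((rate*4/10))kbit" ceil "${rate}kbit" prio 1
    # The pool: small guarantee, lowest priority, so it cannot starve the others.
    run tc class add dev "$wan" parent 1:1 classid 1:30 htb rate "$((rate*2/10))kbit" ceil "${rate}kbit" prio 2
    # Firewall mark 10 -> class 1:10, mark 20 -> class 1:20; unmarked -> default.
    run tc filter add dev "$wan" parent 1: protocol ip prio 1 handle 10 fw flowid 1:10
    run tc filter add dev "$wan" parent 1: protocol ip prio 1 handle 20 fw flowid 1:20
    # "Good" set: DNS and SSH. Web gets its own class; note this also lifts a
    # P2P client that hides on 80/443, which is the collateral-damage trade-off.
    run iptables -t mangle -A POSTROUTING -o "$wan" -p udp --dport 53 -j MARK --set-mark 10
    run iptables -t mangle -A POSTROUTING -o "$wan" -p tcp --dport 22 -j MARK --set-mark 10
    run iptables -t mangle -A POSTROUTING -o "$wan" -p tcp -m multiport --dports 80,443 -j MARK --set-mark 20
    # Small packets (ACKs, VoIP) of still-unmarked flows stay responsive.
    run iptables -t mangle -A POSTROUTING -o "$wan" -p tcp -m mark --mark 0 -m length --length :128 -j MARK --set-mark 10
}

if [ "${1:-}" = "apply" ]; then
    apply_qos "${2:-eth0}" "${3:-1024}"
fi
```

Because nothing in the script tries to recognise P2P, a client that changes ports or protocols simply stays in the pool; the cost is that anything else you did not whitelist shares that pool with it.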

magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #502296 5-Aug-2011 09:39

Indeed. Blocking P2P is nearly impossible. Tried many different solutions (free ones) and got nowhere.

Until we started doing RADIUS accounting of traffic. Each guest (it's a hostel) gets a username/password and a certain amount of traffic (1GB/month, can buy more if necessary) that renews monthly for as long as they stay a guest. We also shape ALL traffic for each user, to ensure bandwidth availability to other guests.

We can then track who's doing what and when.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

macjones

106 posts

Master Geek


#502396 5-Aug-2011 12:30

Hi Magu,  :-)

A few questions if you have a mo.....

1. What software / hardware are you using, just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1,2,3 strikes under the new law, the law seems uninterested in your guests, but only in you as the main internet routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one BitTorrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac
 

magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #502420 5-Aug-2011 13:15

macjones: Hi Magu,  :-)

A few questions if you have a mo.....

1. What software / hardware are you using, just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1,2,3 strikes under the new law, the law seems uninterested in your guests, but only in you as the main internet routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one BitTorrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac
 


1. pfSense on an old HP tower server with FreeRADIUS and daloRADIUS running on a separate Ubuntu server with my own custom query for data-based tickets (it only does time-based tickets out of the box).

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.

If a second/third notification comes, we'll probably enter a lock-down mode where no one is allowed access. A bit Orwellian, but they have to protect the business as well.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown
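An added example (not magu's code, not daloRADIUS or FreeRADIUS code) of the accounting-based approach from magu's two posts above: a monthly data-quota check over a FreeRADIUS radacct accounting export. The CSV columns follow the standard radacct table, but the file layout, the quota, the room usernames and the sessions are constructed for illustration, and the open-session handling assumes interim accounting updates are enabled.

```shell
#!/bin/sh
# Added example, not from the thread: monthly data-quota check over a
# FreeRADIUS radacct accounting export. The CSV layout, the quota and the
# sessions below are constructed; in production the same sum is a SQL query
# against the radacct table (the "data-based ticket" idea described above).
#
# Columns: username,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets
# An empty acctstoptime means the session is still open; its counters hold the
# latest interim update (assumes Interim-Update accounting is enabled) and must
# still be counted, or a user could stay under quota by never logging out.
RADACCT_CSV=$(cat <<'EOF'
username,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets
room12,2011-08-01 10:02:11,2011-08-01 11:30:00,120000000,30000000
room12,2011-08-03 09:15:00,,700000000,250000000
room07,2011-07-30 22:00:00,2011-07-31 01:00:00,900000000,100000000
room07,2011-08-02 18:00:00,2011-08-02 19:00:00,50000000,5000000
EOF
)

# usage_for_month <YYYY-MM> <quota_bytes>
# Prints one line per user: "<user> <bytes_used> <OK|OVER>", sorted by user.
# A session is attributed to the month it started in (the renewal boundary).
usage_for_month() {
    month="$1"; quota="$2"
    printf '%s\n' "$RADACCT_CSV" | awk -F',' -v month="$month" -v quota="$quota" '
        NR == 1 { next }                     # header row
        substr($2, 1, 7) != month { next }   # other months do not count
        { used[$1] += $4 + $5 }              # upload + download octets
        END {
            for (u in used)
                printf "%s %d %s\n", u, used[u], (used[u] > quota ? "OVER" : "OK")
        }' | sort
}

# Example: August 2011 against a 1 GB (here 10^9 bytes, an assumption) quota.
usage_for_month 2011-08 1000000000
```

The same per-user rows are what a notice-handling process would consult: the account that was active at the time in the notice, not the shared public IP, is the unit you can act on.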

 
 
 

Talkiet
4793 posts

Uber Geek

Trusted

  #502425 5-Aug-2011 13:20

magu:

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.


I'd definitely look into it. My take is that if you wish to be able to pass on responsibility to your end users, you need to fulfil all the obligations of an IPAP yourself.

Read the law

http://www.legislation.govt.nz/act/public/2011/0011/latest/DLM2764327.html#DLM2764329

Cheers - N





Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.


JamesL
956 posts

Ultimate Geek
Inactive user


  #502441 5-Aug-2011 14:18

A start would be to null-route the most common public trackers.

Otherwise, as stated, devices capable of l7 filtering are one of your other options.
