S92A Copyright Act Firewall rules for Openwrt?

Forums › New Zealand Mobile and Wireless › S92A Copyright Act Firewall rules for Openwrt?

macjones

106 posts

Master Geek

#87719 4-Aug-2011 22:11

In a small cafe wifi situation......

Can any geeks suggest the best options for firewall rules to stop an Openwrt router from doing P2P (yes I know this would kill ubuntu.iso downloads as well)

I hear that p2p clients can be set to use port 80 as well, does this mean i'd need to block / proxy the whole interweb to stop P2P?

Thoughts on UDB blocking as a method?

Or just not try, and .....
- have very good t's & c's ready for the court room
- tunnel everytihing to Bolivia or somewhere else without S92A so my Openwrt users can't get me landed in court?
- put more ram in my WRT54G so I can keep all those log files :-)

Thanks
Mac

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#502190 4-Aug-2011 22:48

Simple story is you can't block P2P traffic.

Talkiet

4793 posts

Uber Geek

Trusted

#502193 4-Aug-2011 22:55

sbiddle: Simple story is you can't block P2P traffic.

Chuckle... Yes you can silly!

The only question is how much legitimate traffic are you prepared to block as collateral damage? :-)

Hint, to do a perfect job blocking P2P you'll end up blocking a lot* of non P2P traffic.

Cheers - N

(* - Approximately all)

Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

MaiTechnoKiwi

26 posts

Geek
Inactive user

#502201 4-Aug-2011 23:24

I provide Wi-Fi hotspots and use a firmware that runs on openwrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may of fixed this by now.
If you need help visit openwrt website for information.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#502228 5-Aug-2011 07:22

MaiTechnoKiwi: I provide Wi-Fi hotspots and use a firmware that runs on openwrt.
They have settings that are easy to activate on their firmware to block P2P, although I had to make
changes to make it work correctly. They may of fixed this by now.
If you need help visit openwrt website for information.

open-wrt and most other open source software and devices such as Mikrotik's all have supported l7 filters which have typically been the best way of identifying the shaping P2P traffic. With changes to the protocols used and a move to UDP these are next to useless.

The only way to shape P2P traffic is to identify "good" traffic and prioritise this, while giving everything else a pool. Great in theory but what defines "good" traffic? And how many other apps will you affect?

There is no simple way to block all P2P traffic, and right now without spending massive amount of money on DPI gear (which can also be easily defeated). All the simple ways that used to work are now pretty much ineffective.

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#502296 5-Aug-2011 09:39

Indeed. Blocking P2P is nearly impossible. Tried many different solutions (free ones) and got nowhere.

Until we started doing RADIUS accounting of traffic. Each guest (it's a hostel) gets a username/password and a certain amount of traffic (1GB/month, can buy more if necessary) that renews monthly for as long as they stay a guest. We also shape ALL traffic for each user, to ensure bandwidth availability to other guests.

We can then track who's doing what and when.

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

macjones

106 posts

Master Geek

#502396 5-Aug-2011 12:30

Hi Magu, :-)

A few questions if you have a mo.....

1. What software / hardware are you using, just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1,2,3 strikes under the new law, the law seems uninterested in your guests, but only in you as the main internet routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one bit torrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#502420 5-Aug-2011 13:15

macjones: Hi Magu, :-)

A few questions if you have a mo.....

1. What software / hardware are you using, just names, I'll google the rest :-)

2. Between Sept 1 and the end of the year, your hostel risks getting 1,2,3 strikes under the new law, the law seems uninterested in your guests, but only in you as the main internet routable IP address holder.

Will you just pay the fine and stop offering the service?

It only takes one bit torrent hit out port 80 and your IP will be logged as a pirate.

Cheers
Mac

1. pfSense on an old HP tower server with FreeRADIUS and daloRADIUS running on a separate Ubuntu server with my own custom query for data-based tickets (it only does time-based tickets out of the box).

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.

If a second/third notification comes, we'll probably enter a lock-down mode where no one is allowed access. A bit orwellian, but they have to protect the business as well.

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

Talkiet

4793 posts

Uber Geek

Trusted

#502425 5-Aug-2011 13:20

magu:

2. Still needs some legal input on this, but the idea is to hold each user responsible for their account. And if the first notification comes, we'll track down who used it and they'll have to face the consequences. Since I'm not a lawyer, I'm unsure how this actually applies to real life.

I'd definitely look into it. My take is that if you wish to be able to pass on responsibility to your end users, you need to fulfil all the obligations of an IPAP yourself.

Read the law

http://www.legislation.govt.nz/act/public/2011/0011/latest/DLM2764327.html#DLM2764329

Cheers - N

Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

JamesL

956 posts

Ultimate Geek
Inactive user

#502441 5-Aug-2011 14:18

A start would be to null route most common public trackers

Otherwise as stated, devices capable of l7 is one of your other options