 From:  Sven Brill <madde at gmx dot net>
 To:  Alex M <radiussupport at lrcommunications dot net>
 Cc:  Monowall Support List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Re: Killing all P2P traffic? How?
 Date:  Fri, 26 Jan 2007 09:52:45 -0500
Austin Montford wrote:
> If your normal rules don't work and you believe they are doing p2p, you
> can try adding them manually to the dhcp server and create a rule for
> them so they go to the p2p pipe. For instance if your normal dhcp range
> is 10-247 and 248-254 reserved for static mappings.  Just create a rule
> that x.x.x.248/29 goes to the p2p pipe.   Sadly this relies on a user
> not noticing what you did, but probably most people wouldn't.  Just an
> idea.
>   
I think we are talking about two different things here.

1) limit or block all p2p traffic
2) figure out the "worst offenders" and either block/slow them down 
completely or have a "talk" with them on an individual basis

number 1 is good if you want to control your bandwidth, #2 is good if 
you are paranoid about being linked to illegal activity, i.e. you let 
your neighbors use your connection, they leech movies, and the MPAA 
comes knocking on YOUR door because the IP is linked to YOUR name.

for 1), there were already good suggestions. create two pipes in the 
traffic shaper, not only queues. Add two queues that each go to one of 
the pipes. set one pipe ("good_pipe") to full speed minus, let's say, 
20kbps, the other ("bad_pipe") to 20kbps. create two queues, 
"good_traffic" and "bad_traffic". add the standard traffic (dest 80/tcp, 
443/tcp, 53/udp, small packets, ACK, 110/tcp, etc.) to the "good_queue", 
everything else to "bad_queue". you might have to tweak that, i.e. one 
user might have an SSL based VPN to his office on a wacky port, so add 
that to "good_queue" if someone complains. problem solved - p2p doesn't 
eat your bandwidth, while you are still not a censor, after all, there 
is a lot of legit p2p traffic out there.

for 2), you probably have to set up a radius server and CP, then check 
who consumes a disproportionately high amount of bandwidth. add their 
MAC address to a static IP mapping in the DHCP server and either do the 
same thing as above, but put ALL their traffic into "bad_pipe", or go 
and have a talk with them :)

making m0n0wall filter anything above layer 4 will simply not happen, it 
was never made for that, but you could create a fork off m0n0. :) still 
won't solve all your problems, as a lot of p2p traffic is encrypted 
nowadays.

In all these scenarios, you also need to bear in mind that not all p2p 
traffic is file leeching - Skype, for example, looks nasty on a network, 
but it's mostly used for conversation. Worst case scenario is to move 
everyone to static IPs and give them a fixed-size pipe.


Sven
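The two-pipe / two-queue policy from scenarios 1) and 2) above, as an added Python model (not m0n0wall code and not its configuration format): it builds the "good_pipe"/"bad_pipe" split, keeps an ordered first-match rule list for the "standard traffic" ports, sends hosts flagged under scenario 2 wholesale to the bad queue, and renders the result as ipfw/dummynet commands (the engine under m0n0wall's shaper; the rendering is an assumed one, m0n0wall generates its own rules). Port 4443 stands in for the "wacky" SSL-VPN port and is an assumed value.

```python
"""Constructed model of the two-pipe / two-queue shaping policy described in the
mail.  Added illustration only: not m0n0wall's own code or config format."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                                # LAN host sending the packet
    proto: str                              # "tcp" or "udp"
    dport: int                              # destination port
    length: int                             # IP packet length in bytes
    flags: FrozenSet[str] = frozenset()     # TCP flags set, e.g. {"ack"}


@dataclass(frozen=True)
class Rule:
    queue: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    max_len: Optional[int] = None           # "small packets": length <= max_len
    flag: Optional[str] = None              # required TCP flag, e.g. "ack"

    def matches(self, p: Packet) -> bool:
        # Every criterion that is set must hold; unset criteria are wildcards.
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.max_len is not None and p.length > self.max_len:
            return False
        if self.flag is not None and self.flag not in p.flags:
            return False
        return True


def build_pipes(link_kbps: int, bad_kbps: int = 20) -> Dict[str, int]:
    """Pipes as in the mail: link minus 20 kbps for good traffic, 20 kbps for the rest."""
    if bad_kbps >= link_kbps:
        raise ValueError("bad_pipe must be smaller than the link")
    return {"good_pipe": link_kbps - bad_kbps, "bad_pipe": bad_kbps}


QUEUE_TO_PIPE = {"good_queue": "good_pipe", "bad_queue": "bad_pipe"}

# The "standard traffic" list from the mail plus the VPN exception.
# Order matters: the first matching rule wins; anything unmatched is "bad".
DEFAULT_RULES: List[Rule] = [
    Rule("good_queue", proto="tcp", dport=80),
    Rule("good_queue", proto="tcp", dport=443),
    Rule("good_queue", proto="udp", dport=53),
    Rule("good_queue", proto="tcp", dport=110),
    Rule("good_queue", proto="tcp", flag="ack", max_len=80),   # bare ACKs keep downloads flowing
    Rule("good_queue", max_len=64),                              # small packets (VoIP, DNS, ...)
    Rule("good_queue", proto="tcp", dport=4443),                 # assumed SSL-VPN port
]


def classify(p: Packet, rules: List[Rule] = DEFAULT_RULES,
             throttled_hosts: FrozenSet[str] = frozenset()) -> str:
    """Return the queue a packet lands in.  Hosts singled out under scenario 2
    (static DHCP mapping) go to bad_queue regardless of what they send."""
    if p.src in throttled_hosts:
        return "bad_queue"
    for r in rules:
        if r.matches(p):
            return r.queue
    return "bad_queue"


def pipe_for(p: Packet, **kw) -> str:
    return QUEUE_TO_PIPE[classify(p, **kw)]


def to_ipfw(rules: List[Rule], pipes: Dict[str, int]) -> List[str]:
    """Assumed rendering of the policy as ipfw/dummynet commands."""
    pipe_ids = {"good_pipe": 1, "bad_pipe": 2}
    queue_ids = {"good_queue": 1, "bad_queue": 2}
    cmds = [f"ipfw pipe {pipe_ids[n]} config bw {kbps}Kbit/s" for n, kbps in pipes.items()]
    for q, pipe in QUEUE_TO_PIPE.items():
        cmds.append(f"ipfw queue {queue_ids[q]} config pipe {pipe_ids[pipe]}")
    num = 100
    for r in rules:
        body = (r.proto or "ip") + " from any to any"
        if r.dport is not None:
            body += f" dst-port {r.dport}"
        if r.max_len is not None:
            body += f" iplen 0-{r.max_len}"
        if r.flag is not None:
            body += f" tcpflags {r.flag}"
        cmds.append(f"ipfw add {num} queue {queue_ids[r.queue]} {body} out")
        num += 10
    # catch-all: everything not matched above goes to the bad queue
    cmds.append(f"ipfw add {num} queue {queue_ids['bad_queue']} ip from any to any out")
    return cmds


if __name__ == "__main__":
    for line in to_ipfw(DEFAULT_RULES, build_pipes(2000)):
        print(line)
```

The rule order is the part worth keeping in mind when tweaking: a new "good" port must be inserted before the catch-all, and the small-packet/ACK rules deliberately let a throttled bulk transfer's acknowledgements through so that the good pipe is not starved by retransmissions.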