Can you block programs (like p2p) by protocol examining?

servnov · 10-02-2005, 11:07 AM

Let's say you want to block a p2p network client on your network. You could close down the port it uses, but then the user can change to a different port and still use the program. You could setup a firewall blocking all incoming communication so the client app can't upload, but still should be able to download.

Is it possible to identify the protocol unique to this file-sharing network regardless of ports being used to block it? How do administrators block all p2p tracffic (even bit-torrents) while still allowing ssh, ftp, http, etc?

Mega Man X · 10-02-2005, 02:59 PM

That's a very, very hard thing to do. Worst thing is, new p2p programs automatically search for open ports to connect if the ports they use by default are closed. That means the user not even has to worry about going to preferences and changing the ports. What you could do is:

1 - Add all users you don't want to connect with a p2p, to be part of a given group. Make that group not able to execute p2p executables.

2 - Limit their bandwidth... make them suffer

. Well, not quite. Take a look in Linux Advanced Routing and Traffic Control (LARTC) for solutions for this:

http://www.lartc.org/

Regards!

servnov · 10-02-2005, 03:43 PM

On this hypothetical network there will be ethernet ports open that someone can come up to and plug in a laptop. Would routing all http, ftp traffic thru a proxy server and dening everything not going thru a proxy work? Thanks for the response, I guess protocol examining must be extremely difficult and never done.

imitheos · 10-02-2005, 04:33 PM

There are some projects that do protocol examining.

As Mega Man X it is a difficult thing to do and it depends on the protocol.
Some protocols are easy to find, some are not.

The most active projects are:

Layer 7 packet classifier (http://l7-filter.sourceforge.net/)
IP2P project (http://netfilter.org/patch-o-matic/p...om-extra-ipp2p)

The pages mention which protocols are supported and which are not.
Both have simple iptables match syntax and work ok.

It works ok for me, but i have a small network and the only traffic is eMule, so i don't know how well it works.

But, if you want to do simple bandwidth shaping i guess it should work.

Also, about the thing you said ("You could setup a firewall blocking all incoming communication so the client app can't upload, but still should be able to download.")

You need an incoming connection to download also.

I hope i helped.