# P2P problem on a network

## ToeiRei

Hello folks,

I have the supreme job of administering the network of a Catholic girls' home (age 17+). They have a Gentoo server there and many users who are not that 'catholic-behaving'. The Gentoo server does the firewalling (NAT) and some other less important jobs, such as running a web server.

I guess I don't need to go into detail about what the girls are doing online - the fact is, P2P is a HUGE issue there and I would need to reduce their P2P usage by force. Attempts so far have been quite simple:

1) informative notes on the blackboard

This was the administrative part, which got perfectly ignored.

2) If a PC had hundreds of parallel connections, its IP got blocked

That way the user was forced to come to the office and the PC was inspected. I guess there's no need to explain that we saw many P2P apps (and some movies, mostly about the demonstration of human reproduction procedures).

The fact is that if at least two users fire up their P2P stuff, you cannot even SSH into the box. I am blocking at least one IP per day, but they never learn. Also, because of legal issues that might come up, I would need to make P2P uninteresting here but still allow SIP apps and Skype - so I have run out of ideas.

Layer 7 filtering? A Squid Proxy with content inspection? What about encrypted P2P stuff?
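The "hundreds of parallel connections" check from step 2, as an added example rather than code from the thread: a POSIX shell script for the Gentoo gateway that reads the kernel's connection-tracking table, counts tracked connections per inside host and emits a FORWARD drop rule for any host over a threshold. The LAN prefix (192.168.1.), the threshold (200), the conntrack path and the sample table lines are assumptions or constructed data; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): flag LAN hosts that hold hundreds of
# tracked connections and emit a FORWARD drop rule for each one.
# Assumed LAN prefix, threshold and table path; override via the environment.
LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"
THRESHOLD="${THRESHOLD:-200}"
IPT="${IPT:-iptables}"                               # IPT=echo for a dry run
CONNTRACK="${CONNTRACK:-/proc/net/ip_conntrack}"     # /proc/net/nf_conntrack on newer kernels

# busy_hosts: read conntrack-style lines on stdin, count those whose
# originating side (the first src= field) is a LAN host, and print
# "<count> <ip>" for every host at or above THRESHOLD, busiest first.
# Works on /proc/net/ip_conntrack, /proc/net/nf_conntrack and `conntrack -L`
# output, since all of them carry "src=..." as the first address of the tuple.
busy_hosts() {
    awk -v pfx="$LAN_PREFIX" -v thr="$THRESHOLD" '
        {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { ip = substr($i, 5); break }
            if (ip != "" && index(ip, pfx) == 1) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' | sort -rn
}

# block_host: cut one host off from the Internet. Existing conntrack entries
# are not removed by this; they age out once the client stops retrying.
block_host() {
    "$IPT" -I FORWARD -s "$1" -j DROP
}

# block_busy_hosts: glue; takes the conntrack table on stdin.
block_busy_hosts() {
    busy_hosts | while read -r count ip; do
        echo "$ip: $count connections, blocking" >&2
        block_host "$ip"
    done
}

# sample_conntrack: constructed test data in ip_conntrack format (not captured
# from a real system): .50 holds 250 connections to one P2P port, .51 holds
# three web connections, and one outside host is connected to the gateway's
# own web server (its src= is not a LAN address, so it is never counted).
sample_conntrack() {
    i=0
    while [ "$i" -lt 250 ]; do
        printf 'tcp 6 431999 ESTABLISHED src=192.168.1.50 dst=198.51.100.%d sport=%d dport=6881 src=198.51.100.%d dst=203.0.113.1 sport=6881 dport=%d [ASSURED] use=1\n' \
            "$((i % 200 + 1))" "$((40000 + i))" "$((i % 200 + 1))" "$((40000 + i))"
        i=$((i + 1))
    done
    for port in 51001 51002 51003; do
        printf 'tcp 6 300 ESTABLISHED src=192.168.1.51 dst=198.51.100.7 sport=%d dport=80 src=198.51.100.7 dst=203.0.113.1 sport=80 dport=%d [ASSURED] use=1\n' "$port" "$port"
    done
    printf 'tcp 6 300 ESTABLISHED src=192.0.2.9 dst=203.0.113.1 sport=33000 dport=80 src=203.0.113.1 dst=192.0.2.9 sport=80 dport=33000 [ASSURED] use=1\n'
}

# Real use on the gateway (cron it every minute, as root):
#   sh p2p-block.sh scan      reads the live table and blocks offenders
#   sh p2p-block.sh demo      lists offenders in the constructed sample
case "${1:-}" in
    scan) block_busy_hosts < "$CONNTRACK" ;;
    demo) sample_conntrack | busy_hosts ;;
esac
```

The count is per originating LAN address, so a PC behind the gateway with 250 tracked flows is reported as "250 192.168.1.50" while normal browsing stays well under the threshold; the rule is inserted at the top of FORWARD so it wins over any ACCEPT rules that follow.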

----------

## gerdesj

Well, you have discovered the joys of being a sysadmin.

May I suggest the following:

Approach your management and discuss the issues with them - "our internet connection is being made useless by inappropriate or other usage". You might point out that at present you have a free-for-all approach to internet access, which is unworkable and may well also be in breach of local laws. This last point I can't comment on - I don't know which country you are in (I can help with UK law, though I doubt that is of use to you).

Suggest that you move from an "allow all" to a "default deny" policy. You define what access is allowed - http/s + ftp for all, smtp/s + dns + ntp + a few others from the server, all else is dropped. On top of that I'd suggest that you use Squid + DansGuardian to log and control web access. This policy will also help with anti-virus/trojan stuff - infected PCs will no longer be able to spam the world.

Start simple: get the firewall up and running first, then install, test and deploy the proxy components.

You will find that your question answers itself once you change the access policy in this way.

The bottom line is that you must have approval and support from your management first; for that I'm afraid you are on your own, but if it helps - I consult for many organizations about these sorts of issues and, given your customers' ages, I'd be surprised if some sort of Duty of Care requirement did not apply at the very least.

[This thread probably needs moving elsewhere]

Cheers

Jon

----------

## ToeiRei

I already have the management convinced that something has to be done. 

The problem is the technical 'detection' of P2P, as things like ipp2p do not work. My first intention was to make P2P stuff uninteresting by slowing it down as much as possible...

----------

## bobspencer123

I would like to second gerdesj's comment about changing the default policy in iptables to drop (both incoming and outgoing packets). Then you specify exactly which ports are allowed. If you only allow the common ports like http, ftp, etc. (and whatever Skype uses), then you will drastically cut down on P2P traffic.

You could also use a server-wide blocklist to disallow access to P2P sites.
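The default-deny policy that gerdesj lays out above (http/s + ftp for the PCs, smtp/s + dns + ntp from the server, everything else dropped) and that bobspencer123 seconds here, written out as an added example; this is not code from either poster. Interface names (eth0 outside, eth1 inside), the LAN range and the exact port lists are assumptions. Run it as root with `apply`, or `dry-run` (IPT=echo) to see the rules it would load.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny NAT firewall for the
# Gentoo gateway along the lines gerdesj and bobspencer123 describe.
# Interface names, LAN range and port lists are assumptions; adjust them.
# Usage (as root):  sh fw.sh apply       Dry run:  sh fw.sh dry-run
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# What the PCs may reach on the Internet: web, FTP control, SIP signalling.
# FTP data and SIP media connections only pass if the matching conntrack
# helper module is loaded so they count as RELATED; Skype has no fixed port
# and is not covered by a port list at all.
CLIENT_TCP="${CLIENT_TCP:-80 443 21}"
CLIENT_UDP="${CLIENT_UDP:-5060}"
# What the gateway itself may open outbound: mail, DNS, NTP.
SERVER_TCP="${SERVER_TCP:-25 465 53}"
SERVER_UDP="${SERVER_UDP:-53 123}"

# 1. Flush everything and set DROP as the policy on all three chains, so a
#    port that is not explicitly allowed below is closed in both directions.
flush_and_default_deny() {
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
}

# 2. Replies to allowed connections (and helper-tracked RELATED ones) pass.
allow_established() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# 3. The gateway: loopback, SSH and the local web server from the LAN only,
#    plus its own outbound services.
gateway_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp -m multiport --dports 22,80,443 -j ACCEPT
    for p in $SERVER_TCP; do "$IPT" -A OUTPUT -o "$WAN" -p tcp --dport "$p" -j ACCEPT; done
    for p in $SERVER_UDP; do "$IPT" -A OUTPUT -o "$WAN" -p udp --dport "$p" -j ACCEPT; done
}

# 4. The PCs: only the listed ports are forwarded. Anything else is logged
#    (rate-limited) and then falls through to the DROP policy; the log is
#    the evidence for the "come to the office" talk.
lan_client_rules() {
    for p in $CLIENT_TCP; do
        "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $CLIENT_UDP; do
        "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done
    "$IPT" -A FORWARD -i "$LAN" -m limit --limit 10/min -j LOG --log-prefix "FWD-DENY: "
}

# 5. NAT for the LAN.
nat_rules() {
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

apply_all() {
    flush_and_default_deny
    allow_established
    gateway_rules
    lan_client_rules
    nat_rules
}

# dry_run: print the iptables invocations instead of executing them.
dry_run() {
    ( IPT=echo; apply_all )
}

# rule_count: number of invocations the policy produces (dry run).
rule_count() {
    dry_run | awk 'END { print NR }'
}

case "${1:-}" in
    apply)   apply_all ;;
    dry-run) dry_run ;;
esac
```

With the default lists this produces 23 iptables invocations, none of which forward a P2P port such as 6881; a client that tries it shows up as a "FWD-DENY:" line in the kernel log and then hits the DROP policy. The ordering matters: ESTABLISHED,RELATED comes first so replies are cheap, and the LOG rule sits last in FORWARD so only traffic no ACCEPT rule matched is logged.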

----------

## ToeiRei

The problem is, as long as you leave *one* port (80) open, the P2P stuff will use it. I already tried.

My last chance is using a proxy with per-user bandwidth limits plus logging, boldly analyzing that stuff and talking to the bad girls...
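The proxy route from this post (per-user bandwidth limits plus logging, then analysing the logs), as an added example that is not code from the thread: a shell script that prints a Squid configuration with a per-host delay pool, adds the transparent-redirect rule, and summarises Squid's access log per client. The LAN range and interface, the per-host rate, and the sample log lines are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from the thread): per-user bandwidth limits and logging
# with Squid, plus a per-client summary of its access log. LAN range,
# interface, rate and the sample log lines are assumptions / constructed.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
PER_HOST_BPS="${PER_HOST_BPS:-32000}"        # sustained bytes/s per client
PER_HOST_BURST="${PER_HOST_BURST:-262144}"   # bucket size in bytes
IPT="${IPT:-iptables}"

# squid_conf: print a squid.conf fragment. A class-2 delay pool has one
# aggregate bucket (left unlimited here, -1/-1) and one bucket per host,
# indexed by the last octet of the client address, so each PC gets the same
# cap no matter how many parallel connections it opens. "transparent" is the
# Squid 2.6 keyword; Squid 3.1 and later call the same thing "intercept".
squid_conf() {
    cat <<EOF
http_port 3128 transparent
acl lan src $LAN_NET
http_access allow lan
http_access deny all
access_log /var/log/squid/access.log squid
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 $PER_HOST_BPS/$PER_HOST_BURST
delay_access 1 allow lan
delay_access 1 deny all
EOF
}

# redirect_rule: push all LAN port-80 traffic into Squid. Those connections
# then terminate on the gateway (INPUT, port 3128) and Squid opens its own
# outbound ones (OUTPUT), so FORWARD no longer needs to allow port 80 at all.
redirect_rule() {
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
}

# top_talkers: sum bytes per client from Squid's native log format on stdin
# (field 3 = client IP, field 5 = bytes delivered to the client) and print
# "<bytes> <ip>", biggest first.
top_talkers() {
    awk '{ bytes[$3] += $5 } END { for (ip in bytes) print bytes[ip], ip }' | sort -rn
}

# sample_log: constructed lines in Squid native format (not real traffic).
sample_log() {
    cat <<'EOF'
1180000000.101   1201 192.168.1.50 TCP_MISS/200 734003200 GET http://198.51.100.7/movie.avi - DIRECT/198.51.100.7 video/x-msvideo
1180000001.204     87 192.168.1.51 TCP_MISS/200 15324 GET http://www.gentoo.org/ - DIRECT/198.51.100.9 text/html
1180000002.318     40 192.168.1.51 TCP_HIT/200 4102 GET http://www.gentoo.org/style.css - NONE/- text/css
1180000003.422   2045 192.168.1.50 TCP_MISS/200 104857600 GET http://198.51.100.7/part2.bin - DIRECT/198.51.100.7 application/octet-stream
EOF
}

# Usage:  sh proxy.sh conf > /etc/squid/squid.conf.d/limits.conf
#         sh proxy.sh report        per-client byte totals from the live log
#         sh proxy.sh demo          the same, on the constructed sample
case "${1:-}" in
    conf)   squid_conf ;;
    report) top_talkers < /var/log/squid/access.log ;;
    demo)   sample_log | top_talkers ;;
esac
```

On the sample, 192.168.1.50 tops the list with 838860800 bytes against 19426 for 192.168.1.51, which is the kind of number to bring to the office conversation. Only port 80 is redirected; HTTPS and anything that is not HTTP never reach Squid, so the delay pool does not replace the firewall's default-deny policy, it supplements it.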

----------

