# Blocking all P2P

## Ultanium

Hi everyone,

After over a year's hiatus I am back in the Gentoo saddle (I am the lilo.conf guy). These days I am running a wireless ISP and have been having total hell trying to keep P2P traffic under control. Blocking ports works fine until someone discovers Overnet and starts running traffic on port 80. Recently I tried a tiny distro called Microtik that has stateful packet inspection and it lets me completely control any P2P it knows about, regardless of port. Is / has anyone worked on this for Gentoo? On my servers I currently am running ClarkConnect and would really like to set up at least one of them running a hardened Gentoo install with layer-7 capability.

Ult

----------

## andrewy

Not sure how to block P2P traffic, but as an ISP, why would you want to?

It's probably not too popular with the users, and none of the major ISPs do it..

----------

## Suicidal

*Ultanium wrote:*

> Hi everyone,
> 
> After over a year's hiatus I am back in the Gentoo saddle (I am the lilo.conf guy). These days I am running a wireless ISP and have been having total hell trying to keep P2P traffic under control. Blocking ports works fine until someone discovers Overnet and starts running traffic on port 80. Recently I tried a tiny distro called Microtik that has stateful packet inspection and it lets me completely control any P2P it knows about, regardless of port. Is / has anyone worked on this for Gentoo? On my servers I currently am running ClarkConnect and would really like to set up at least one of them running a hardened Gentoo install with layer-7 capability.
> 
> Ult

```
 USE="flexresp" emerge snort
```

You can use the flexresp technology in snort to block traffic by port, content type, reference (ie: www.kazaa.com ), user agent, MIME types and more. So far I have blocked every type of streaming media and p2p with it.

----------

## Chris W

http://l7-filter.sourceforge.net/ may be of interest.  Possibly also the CONNMARK and string match NetFilter filters.

----------

## Suicidal

Have you tried l7-filter? It looks promising but kernel patches as much as the 2.6 kernel is changing frankly scares the shit out of me.

----------

## Ultanium

*andrewy wrote:*

> Not sure how to block P2P traffic, but as an ISP, why would you want to?
> 
> It's probably not too popular with the users, and none of the major ISPs do it..

Well if I was a large WISP with lots of cash and could afford redundant DS3s into my office I probably would not care a lot about P2P. However, I am running a small WISP with 2 T1s and 64 clients, and in our AUP it is not allowed, yet we have people who just keep breaking the rules. Rather than lose them as a client, I can just stop the P2P.

Ult

----------

## Ultanium

*Suicidal wrote:*

> ```
>  USE="flexresp" emerge snort
> ```
> ...

Looking into it now Suicidal, tnx!

Ult

----------

## Ultanium

*Chris W wrote:*

> http://l7-filter.sourceforge.net/ may be of interest.  Possibly also the CONNMARK and string match NetFilter filters.

I am not sure, but I think this is what is being used in Microtik. Lots of patches though and as of late I have been having hell with a few of them. Looks promising though!

Ult

"If we can somehow harness the P2P control of Microtik and funnel it into the Gentoo flux capacitor...."

----------

## loxety

Blocking p2p is also good for those roommates who don't seem to show respect for others who may be using the network too.

----------

## Paulten

I remember trying this, and it worked quite well ..

http://www.lowth.com/p2pwall/

----------

## cpwp

I run a medium sized WISP too - we're using the ipp2p iptables module to count p2p traffic, it might be worth a look...

cpwp

----------

## TheCat

what's wrong?

```
# iptables -A FORWARD -m ipp2p --ipp2p -j DROP

iptables: No chain/target/match by that name
```

----------

## eagle_cz

Hey TheCat, I got the same problem but with the Layer7 filter; ipp2p works fine.

```
Module                  Size  Used by    Tainted: P
ipt_MARK                 792   0  (unused)
ipt_conntrack            984   0  (unused)
cls_u32                 4892   5  (autoclean)
sch_tbf                 2912  12  (autoclean)
sch_cbq                12512   5  (autoclean)
wlan_acl                2144   1  (autoclean)
ipt_limit                888   3  (autoclean)
ipt_ipp2p               6904   3  (autoclean)
ipt_multiport            664   4  (autoclean)
```

I have /lib/iptables/libipt_layer7.so

Kernel is patched, iptables seems to be patched as well (via extensions).

I compiled Layer7 as a module, but when I try to apply L7 rules I get exactly the same message.

Any clues?
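The "No chain/target/match by that name" error above comes up when iptables cannot pair the userspace extension for a match with its kernel module. The following shell diagnostic is an added example, not code from the thread or from l7-filter/ipp2p; it assumes the kernel modules are named `ipt_<match>` (as `ipt_ipp2p` is in the lsmod listing) and the userspace libraries `libipt_<match>.so`, and it uses a constructed lsmod listing and a temporary stand-in for /lib/iptables so it runs offline.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: explain why iptables reports
# "No chain/target/match by that name" for "-m MATCH". Loading such a
# rule needs both the userspace extension (LIBDIR/libipt_MATCH.so) and
# the kernel match module (ipt_MATCH, assumed naming) to be present.

# Constructed lsmod output modelled on the post above: ipt_ipp2p is
# loaded, ipt_layer7 is not.
SAMPLE_LSMOD='Module                  Size  Used by    Tainted: P
ipt_MARK                 792   0  (unused)
ipt_conntrack            984   0  (unused)
ipt_ipp2p               6904   3  (autoclean)
ipt_multiport            664   4  (autoclean)'

# module_loaded NAME LSMOD_TEXT: succeeds if NAME is listed as a module.
module_loaded() {
    printf '%s\n' "$2" |
        awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# diagnose_match MATCH LSMOD_TEXT LIBDIR
# prints: ok | missing-userspace | missing-kernel | missing-both
diagnose_match() {
    have_lib=0; have_mod=0
    [ -f "$3/libipt_$1.so" ] && have_lib=1
    module_loaded "ipt_$1" "$2" && have_mod=1
    case "$have_lib$have_mod" in
        11) echo ok ;;
        01) echo missing-userspace ;;
        10) echo missing-kernel ;;
        *)  echo missing-both ;;
    esac
}

# Constructed stand-in for /lib/iptables with both extension libraries.
make_fake_libdir() {
    d=$(mktemp -d)
    : > "$d/libipt_ipp2p.so"
    : > "$d/libipt_layer7.so"
    echo "$d"
}

# Demo: ipp2p reports ok, layer7 reports missing-kernel (the library is
# there but no ipt_layer7 module is loaded), string reports missing-both.
LIBDIR=$(make_fake_libdir)
for m in ipp2p layer7 string; do
    printf '%s: %s\n' "$m" "$(diagnose_match "$m" "$SAMPLE_LSMOD" "$LIBDIR")"
done
rm -rf "$LIBDIR"
```

On a real box, feed it `"$(lsmod)"` and `/lib/iptables` instead of the constructed values; "missing-kernel" means the module still needs loading (or the kernel patch was not built), "missing-userspace" means the iptables extension was not installed.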

----------

## loxety

I've been using firestarter.. works great!

----------

## TheCat

*loxety wrote:*

> I've been using firestarter.. works great!

"firestarter"?

----------

