Re: [squid-users] Stop p2p running through squid

From: Kevin <kkadow@dont-contact.us>
Date: Thu, 3 Mar 2005 00:41:43 -0600

> B.G. Bruce wrote:
> >I have a transparent squid cache 2.5.8+patches(pre9) and would like to
> >stop the p2p traffic running through it. Does anyone have any ideas on
> >how to do this? ACL's based on user agent? I'm already using the
> >iptables patches (p2p) and have tried l7-filter, however it appears
> >(V1.0) to have a memory allocation issue as it keeps using up all memory
> >in the box (1G) and eventually killing the fw. Primarily it is FASTRACK
> >and GNUTELLA that need to be stopped.

Can you share a capture of a FASTRACK or GNUTELLA session through
the squid proxy, at least through the initial HTTP request and HTTP headers?

You might be able to cripple p2p by using a safe_ports ACL to only permit
legitimate HTTP server ports, deny all other destination ports. Even just
blocking traffic towards TCP/6346 would be a good start.

Alternately, why not just log all connections, post-process the log data to find
egregious violation of the published network policy, and then take steps to
evict the non-compliant users/hosts from the network?

On Thu, 03 Mar 2005 09:19:42 +0300, Ronny <ronny@spacenet.co.ug> wrote:
> Well from squid definition I don't think you will be able to stop p2p
> programs.You need a more intelligent program or hardware to do that .I
> didn't say squid isn't intelligent besides I survive on it.

I'd use the term "sophisticated", or perhaps even "complicated", given that
more complex is not always better. For example, you could use something
like an inline IPS (snort inline, ngrep with some scripting, etc) to
look for and terminate sessions containing the string "GNUTELLA CONNECT/",
but that solution has its own problems...

Kevin Kadow
Received on Wed Mar 02 2005 - 23:41:48 MST
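The two mitigations Kevin sketches above (permit only legitimate HTTP destination ports, and post-process the connection log to find hosts that violate policy) can be combined into a small log review script. The following is an added example, not code from Kevin or from the squid project. It assumes squid's native access.log format (timestamp, elapsed, client, action/code, size, method, URL, ...), a hypothetical SAFE_PORTS set that stands in for a restrictive Safe_ports ACL, and constructed sample log lines; the 6346 destination port comes from the message above, while the client addresses and other ports are made up for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the destination ports the proxy should treat as legitimate HTTP.
# This deliberately omits squid's default "unregistered ports" range so that
# something like TCP/6346 does not slip through.
SAFE_PORTS = {80, 443, 8080}

# Constructed sample in squid native access.log format (not real traffic).
SAMPLE_LOG = """\
1109828503.123    150 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1109828504.456    500 192.168.1.11 TCP_MISS/200 2048 CONNECT 198.51.100.5:6346 - DIRECT/198.51.100.5 -
1109828505.789    120 192.168.1.11 TCP_MISS/200 1024 GET http://198.51.100.7:6346/ - DIRECT/198.51.100.7 application/octet-stream
1109828506.001    300 192.168.1.12 TCP_MISS/200 8192 CONNECT secure.example.com:443 - DIRECT/192.0.2.20 -
1109828507.002     90 192.168.1.13 TCP_MISS/200 1500 GET http://203.0.113.9:81/ - DIRECT/203.0.113.9 text/html
"""


def parse_line(line):
    """Split one native access.log line into the fields we care about."""
    fields = line.split()
    if len(fields) < 7:
        return None  # truncated or malformed line; skip it
    return {
        "timestamp": float(fields[0]),
        "client": fields[2],
        "status": fields[3],
        "method": fields[5],
        "url": fields[6],
    }


def destination_port(method, url):
    """Work out the origin-server port a request was aimed at.

    CONNECT requests carry a bare host:port, so they are handled separately
    (urlsplit would misread a hostname in that position as a URL scheme).
    """
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else None
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme.lower())


def find_unsafe_port_requests(lines, safe_ports=SAFE_PORTS):
    """Return (client, port, method, url) for every request outside safe_ports.

    This mirrors what a restrictive Safe_ports ACL would deny, but applied
    after the fact to the log so existing traffic can be reviewed.
    """
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        port = destination_port(record["method"], record["url"])
        if port is None or port not in safe_ports:
            hits.append((record["client"], port, record["method"], record["url"]))
    return hits


def offenders(hits, threshold=1):
    """Count violations per client and keep those at or above threshold."""
    counts = Counter(client for client, *_ in hits)
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    violations = find_unsafe_port_requests(SAMPLE_LOG.splitlines())
    for client, port, method, url in violations:
        print(f"{client} -> port {port} via {method} {url}")
    print("repeat offenders:", offenders(violations, threshold=2))
```

Run against a real access.log by replacing SAMPLE_LOG.splitlines() with the file's lines; the threshold keeps a single stray request from flagging a host while a client that keeps reaching non-HTTP ports through the proxy stands out.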
