Re: [squid-users] Stop p2p running through squid

From: B.G. Bruce <bgb@dont-contact.us>
Date: Mon, 07 Mar 2005 11:53:22 -0400

I'll try and get the http request and http header, however blocking by
port isn't an option. This is a transparent cache, only capturing what
is intended for port 80, therefore any "safe_ports" acl would be
useless, or denying access to ALL port 80 webservers ;-(

B.

On Thu, 2005-03-03 at 02:41, Kevin wrote:
> > B.G. Bruce wrote:
> > >I have a transparent squid cache 2.5.8+patches(pre9) and would like to
> > >stop the p2p traffic running through it. Does anyone have any ideas on
> > >how to do this? ACL's based on user agent? I'm already using the
> > >iptables patches (p2p) and have tried l7-filter, however it appears
> > >(V1.0) to have a memory allocation issue as it keeps using up all memory
> > >in the box (1G) and eventually killing the fw. Primarily it is FASTRACK
> > >and GNUTELLA that need to be stopped.
>
> Can you share a capture of a FASTRACK or GNUTELLA session through
> the squid proxy, at least through the initial HTTP request and HTTP headers?
>
> You might be able to cripple p2p by using a safe_ports ACL to only permit
> legitimate HTTP server ports, deny all other destination ports. Even just
> blocking traffic towards TCP/6346 would be a good start.
>
> Alternately, why not just log all connections, post-process the log data to find
> egregious violation of the published network policy, and then take steps to
> evict the non-compliant users/hosts from the network?
>
>
> On Thu, 03 Mar 2005 09:19:42 +0300, Ronny <ronny@spacenet.co.ug> wrote:
> > Well from squid definition I don't think you will be able to stop p2p
> > programs. You need a more intelligent program or hardware to do that. I
> > didn't say squid isn't intelligent besides I survive on it.
>
> I'd use the term "sophisticated", or perhaps even "complicated", given that
> more complex is not always better. For example, you could use something
> like an inline IPS (snort inline, ngrep with some scripting, etc) to
> look for and
> terminate sessions containing the string "GNUTELLA CONNECT/", but that
> solution has its own problems...
>
> Kevin Kadow
>
Received on Mon Mar 07 2005 - 08:53:21 MST
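As an added example of Kevin's suggestion to log all connections and post-process the log (example code written here, not from the thread or from the Squid project): the script below reads Squid's native access.log format and reports clients that repeatedly reach destination ports outside a Safe_ports-style allow list. The sample log lines are constructed, and the allowed-port set and the threshold are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Ports the cache legitimately expects (assumption: what a Safe_ports ACL
# would permit on this network).
ALLOWED_PORTS = {80, 443}

# Constructed sample in Squid's native log format:
# time elapsed client result/status bytes method url ident hierarchy type
SAMPLE_LOG = """\
1110180000.101   245 10.0.0.5 TCP_MISS/200 1820 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1110180001.220    12 10.0.0.7 TCP_MISS/200 310 GET http://198.51.100.9:6346/get/1/file.bin - DIRECT/198.51.100.9 -
1110180002.340    40 10.0.0.7 TCP_MISS/200 512 CONNECT 203.0.113.4:6346 - DIRECT/203.0.113.4 -
1110180003.500    33 10.0.0.7 TCP_MISS/200 512 CONNECT 203.0.113.8:1214 - DIRECT/203.0.113.8 -
1110180004.010   120 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
"""

def dest_port(method, url):
    """Return the destination TCP port implied by a logged request."""
    if method == "CONNECT":  # CONNECT is logged as a bare host:port
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    if parts.port is not None:  # explicit port in the URL
        return parts.port
    return 443 if parts.scheme == "https" else 80

def parse_line(line):
    """Split a native-format line into (client, method, url), or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[5], fields[6]

def offending_clients(log_text, allowed=ALLOWED_PORTS, threshold=2):
    """Return {client: Counter(port -> hits)} for every client with at
    least `threshold` requests to ports outside `allowed`."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, url = rec
        port = dest_port(method, url)
        if port not in allowed:
            hits[client][port] += 1
    return {c: p for c, p in hits.items() if sum(p.values()) >= threshold}
```

As B. points out above, a transparent cache that only intercepts port 80 will log port 80 for every destination, so this check only tells you something where the proxy actually sees other ports (explicit proxy clients, CONNECT requests, or URLs carrying a port).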
