Re: [squid-users] Stop p2p running through squid

From: B.G. Bruce <[email protected]>
Date: Mon, 07 Mar 2005 11:53:36 -0400

On Thu, 2005-03-03 at 02:41, Kevin wrote:
> > B.G. Bruce wrote:
> > >I have a transparent squid cache 2.5.8+patches(pre9) and would like to
> > >stop the p2p traffic running through it. Does anyone have any ideas on
> > >how to do this? ACL's based on user agent? I'm already using the
> > >iptables patches (p2p) and have tried l7-filter, however it appears
> > >(V1.0) to have a memory allocation issue as it keeps using up all memory
> > >in the box (1G) and eventually killing the fw. Primarily it is FASTRACK
> > >and GNUTELLA that need to be stopped.
>
> Can you share a capture of a FASTRACK or GNUTELLA session through
> the squid proxy, at least through the initial HTTP request and HTTP headers?
>
> You might be able to cripple p2p by using a safe_ports ACL to only permit
> legitimate HTTP server ports, deny all other destination ports. Even just
> blocking traffic towards TCP/6346 would be a good start.
>
> Alternately, why not just log all connections, post-process the log data to find
> egregious violation of the published network policy, and then take steps to
> evict the non-compliant users/hosts from the network?
>
That's the problem ... there is NO published network security policy.
This is for a University and it's to help bring the virus issues under
control as well as allow better (more fair) utilization of the severely
limited internet bandwidth they have (2mb download 256 upload) over sat.
on a shared pipe.

B.

>
> On Thu, 03 Mar 2005 09:19:42 +0300, Ronny <ronny@spacenet.co.ug> wrote:
> > Well from squid definition I don't think you will be able to stop p2p
> > programs.You need a more intelligent program or hardware to do that .I
> > didn't say squid isn't intelligent besides I survive on it.
>
> I'd use the term "sophisticated", or perhaps even "complicated", given that
> more complex is not always better. For example, you could use something
> like an inline IPS (snort inline, ngrep with some scripting, etc) to
> look for and
> terminate sessions containing the string "GNUTELLA CONNECT/", but that
> solution has it's own problems...
>
> Kevin Kadow
>
Received on Mon Mar 07 2005 - 08:53:21 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:01 MST