Felipe Figueiredo

Since: Jul 07, 2006 Posts: 10
Posted: Fri Jul 07, 2006 9:10 am Post subject: (crazy?) idea for blocking p2p
Archived from groups: linux>debian>maint>firewall
Hello,
since I am fairly new to iptables, this may be old news to many of the gurus
here. Consider it some food for thought.
Since one can create rules that limit quantity of packages (say) per second,
one could use this feature to limit [in|out]bound traffic from EVERY port
(except specific ones).
The idea would be to block the downloading of big files/too much information,
from non-permitted services.
Maybe something like: permit any quantity for HTTP, FTP, SMTP/POP (for email
attachments), SSH (for sftp), (others?), and limit every other traffic to a
reasonable quantity per [sec|min|...].
However, I heard of people having crashing problems when limiting amount of
ssh connections, in some kernel version. Apparently some sort of memory leak.
It may very well be fixed by now, but I never really looked into it, since I
resorted to userspace scripts for the job (in my case, I use fail2ban to
limit ssh connections).
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST RemoveThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster RemoveThis @lists.debian.org
Wojciech Ziniewicz

Since: Apr 28, 2006 Posts: 40
Posted: Fri Jul 07, 2006 10:40 am Post subject: Re: (crazy?) idea for blocking p2p
2006/7/7, Felipe Figueiredo <philsf DeleteThis @ufrj.br>:
> Hello,
>
> since I am fairly new to iptables, this may be old news to many of the gurus
> here. Consider it some food for thought.
>
> Since one can create rules that limit quantity of packages (say) per second,
> one could use this feature to limit [in|out]bound traffic from EVERY port
> (except specific ones).
>
> The idea would be to block the downloading of big files/too much information,
> from non-permitted services.
>
> Maybe something like: permit any quantity for HTTP, FTP, SMTP/POP (for email
> attachments), SSH (for sftp), (others?), and limit every other traffic to a
> reasonable quantity per [sec|min|...].
>
> However, I heard of people having crashing problems when limiting amount of
> ssh connections, in some kernel version. Apparently some sort of memory leak.
> It may very well be fixed by now, but I never really looked into it, since I
> resorted to userspace scripts for the job (in my case, I use fail2ban to
> limit ssh connections).
Get interested in layer7 patch for iptables.
--
Wojciech Ziniewicz | jid:zeth@chrome.pl
http://silenceproject.org | http://zetho.wordpress.com
Daniel Pittman

Since: Feb 23, 2005 Posts: 86
Posted: Fri Jul 07, 2006 11:10 am Post subject: Re: (crazy?) idea for blocking p2p
Felipe Figueiredo <philsf DeleteThis @ufrj.br> writes:
> since I am fairly new to iptables, this may be old news to many of the
> gurus here. Consider it some food for thought.
>
> Since one can create rules that limit quantity of packages (say) per
> second, one could use this feature to limit [in|out]bound traffic from
> EVERY port (except specific ones).
>
> The idea would be to block the downloading of big files/too much
> information, from non-permitted services.
>
> Maybe something like: permit any quantity for HTTP, FTP, SMTP/POP (for
> email attachments), SSH (for sftp), (others?), and limit every other
> traffic to a reasonable quantity per [sec|min|...].
That wouldn't be terribly difficult to implement; iptables supports rate
limits quite well.
Be aware, though, that most Peer to Peer applications (like Instant
Messaging clients) take the circumvention approach to the whole system:
they will work very, very hard to ignore any firewall you put in place,
and may well detect that using the standard ports like HTTP is a
performance improvement...
> However, I heard of people having crashing problems when limiting
> amount of ssh connections, in some kernel version. Apparently some sort
> of memory leak. It may very well be fixed by now, but I never really
> looked into it, since I resorted to userspace scripts for the job (in
> my case, I use fail2ban to limit ssh connections).
The standard rate limiting is fine. Perhaps the 'ipt_recent' module,
which is often discussed to limit SSH brute force attacks, is what
caused the problems.
Daniel
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact DeleteThis @digital-infrastructure.com.au
http://digital-infrastructure.com.au/
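To make the proposal concrete (any volume on a whitelist of service ports, a packet-rate limit on everything else, which Daniel confirms iptables handles), here is an added simulation that is not any poster's code: a token bucket with the semantics of iptables' `-m limit --limit <rate>/s --limit-burst <n>`, run over a constructed packet trace. The port set, the 8/s rate, the burst of 4 and the trace itself are assumptions; the trace also shows the weakness raised later in the thread, since the same flood on port 80 is never touched.

```python
"""Simulate the thread's proposal: unlimited traffic on a few service ports,
a token-bucket limit on everything else.  Added illustration, not any
poster's code; ports, rate, burst and the packet trace are assumptions."""
from dataclasses import dataclass, field

# Ports the original post would leave unlimited: FTP, SSH, SMTP, HTTP, POP3.
UNLIMITED_PORTS = {21, 22, 25, 80, 110}

@dataclass
class TokenBucket:
    """iptables '-m limit' semantics: '--limit <rate>/s' is the refill rate,
    '--limit-burst <n>' the capacity; the bucket starts full."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last_ts: float = field(default=0.0, init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, ts: float) -> bool:
        # Refill for the elapsed time (capped at burst), then spend one token.
        refill = (ts - self.last_ts) * self.rate
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def apply_policy(packets, rate: float = 8.0, burst: int = 4) -> dict:
    """packets: time-ordered (timestamp_seconds, dst_port) pairs -> verdict counts."""
    bucket = TokenBucket(rate, burst)
    counts = {"unlimited": 0, "limited_accept": 0, "limited_drop": 0}
    for ts, port in packets:
        if port in UNLIMITED_PORTS:
            counts["unlimited"] += 1          # whitelisted: never limited
        elif bucket.allow(ts):
            counts["limited_accept"] += 1
        else:
            counts["limited_drop"] += 1
    return counts

def demo_trace() -> dict:
    """Constructed trace: 32 packets to an unlisted port and 32 to port 80, both at
    16 pkt/s (twice the 8/s limit).  Only the unlisted stream is throttled."""
    packets = []
    for i in range(32):
        ts = i / 16                       # exact in binary, so refill math is exact
        packets.append((ts, 40000))       # constructed non-whitelisted port
        packets.append((ts, 80))
    return apply_policy(packets)  # {'unlimited': 32, 'limited_accept': 19, 'limited_drop': 13}
```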
stephan beirer

Since: Jul 07, 2006 Posts: 1
Posted: Fri Jul 07, 2006 12:40 pm Post subject: Re: (crazy?) idea for blocking p2p
[Wojciech Ziniewicz <wojciech.ziniewicz DeleteThis @gmail.com>, Jul 07 2006, 10:31:59AM +0200]
> 2006/7/7, Felipe Figueiredo <philsf DeleteThis @ufrj.br>:
> >The idea would be to block the downloading of big files/too much
> >information,
> > from non-permitted services.
> >
>
> Get interested in layer7 patch for iptables.
The ipp2p module from patch-o-matic-ng might also be
interesting. It works quite well for me.
vg:stb.
___________________________________________________________________________
stephan beirer invalidenstr 42 10115 berlin/germany
theoretical biophysics phon +49 30 2093 8694 room 501
institute of biology http://itb.biologie.hu-berlin.de/~beirer
humboldt university of berlin
Felipe Figueiredo

Since: Jul 07, 2006 Posts: 10
Posted: Fri Jul 07, 2006 6:30 pm Post subject: Re: (crazy?) idea for blocking p2p
On Friday 07 July 2006 05:31, Wojciech Ziniewicz wrote:
>
> Get interested in layer7 patch for iptables.
Do you use it? Is it stable?
I am probably not the only one in this situation, but it's not like I'm really
around if one of the two servers I run crashes. They often get pretty much left
by themselves (and for their normal usage, this is fine).
I must only "try" things that I am positive that won't overflow, or crash.
regards
FF
Wojciech Ziniewicz

Since: Apr 28, 2006 Posts: 40
Posted: Fri Jul 07, 2006 10:40 pm Post subject: Re: (crazy?) idea for blocking p2p
2006/7/7, Felipe Figueiredo <philsf RemoveThis @ufrj.br>:
> On Friday 07 July 2006 05:31, Wojciech Ziniewicz wrote:
> >
> > Get interested in layer7 patch for iptables.
>
> Do you use it? Is it stable?
I can say that it's stable.
--
Wojciech Ziniewicz | jid:zeth@chrome.pl
http://silenceproject.org | http://zetho.wordpress.com
ChrisDB

Since: Jul 08, 2006 Posts: 1
Posted: Sat Jul 08, 2006 2:40 am Post subject: Re: (crazy?) idea for blocking p2p
On 7 Jul 2006, at 07:47, Felipe Figueiredo wrote:
> Maybe something like: permit any quantity for HTTP
<snip>
I think some other guy hinted at this - apologies if you already
figured - but several p2p systems will happily use port 80, and some
faqs/manuals (eDonkey etc) even encourage (manually) setting this as
a quick/dirty firewall getter-rounder.
Perhaps you need to go deeper than just a port, but I've never done
that stuff - sorry can't be more help there.
Wojciech Ziniewicz

Since: Apr 28, 2006 Posts: 40
Posted: Sat Jul 08, 2006 3:40 pm Post subject: Re: (crazy?) idea for blocking p2p
2006/7/8, ChrisDB <mlist.d DeleteThis @virgin.net>:
>
> On 7 Jul 2006, at 07:47, Felipe Figueiredo wrote:
>
> > Maybe something like: permit any quantity for HTTP
> <snip>
>
> I think some other guy hinted at this - apologies if you already
> figured - but several p2p systems will happily use port 80, and some
> faqs/manuals (eDonkey etc) even encourage (manually) setting this as
> a quick/dirty firewall getter-rounder.
>
> Perhaps you need to go deeper than just a port, but I've never done
> that stuff - sorry can't be more help there.
So (one more time...), the layer7 (application layer) patch for iptables
is what you want.
regards
--
Wojciech Ziniewicz | jid:zeth@chrome.pl
http://silenceproject.org | http://zetho.wordpress.com
William Duke

Since: Jul 09, 2006 Posts: 2
Posted: Sun Jul 09, 2006 2:30 am Post subject: Re: (crazy?) idea for blocking p2p
On Sat, 2006-08-07 at 01:31 +0100, ChrisDB wrote:
> On 7 Jul 2006, at 07:47, Felipe Figueiredo wrote:
>
> > Maybe something like: permit any quantity for HTTP
> <snip>
>
> I think some other guy hinted at this - apologies if you already
> figured - but several p2p systems will happily use port 80, and some
> faqs/manuals (eDonkey etc) even encourage (manually) setting this as
> a quick/dirty firewall getter-rounder.
>
> Perhaps you need to go deeper than just a port, but I've never done
> that stuff - sorry can't be more help there.
Off-topic:
Are you related to MikeDB of Canadian Content Community fame?
No? Ah well, your loss I guess.
How about D.B. Cooper? Last I heard, authorities still hadn't recovered
all of the loot.
Sorry, just feeling kind of weird at the moment. I've been in prison
too long... ;-P
Felipe Figueiredo

Since: Jul 07, 2006 Posts: 10
Posted: Wed Aug 23, 2006 3:10 pm Post subject: Re: (crazy?) idea for blocking p2p
So, back to this thread.
On Friday 07 July 2006 17:35, Wojciech Ziniewicz wrote:
> 2006/7/7, Felipe Figueiredo <philsf DeleteThis @ufrj.br>:
> > On Friday 07 July 2006 05:31, Wojciech Ziniewicz wrote:
> > > Get interested in layer7 patch for iptables.
> >
> > Do you use it? Is it stable?
>
> i can say that it's stable.
I just patched my sandbox with layer7, and got curious: why is it not
available as a .deb patch to the kernel?
I didn't find any information on packages.debian.org or in the BTS about it. Do
the developers have any reason for not including it (and its userspace tools,
for that matter) in the repositories?
regards
FF
Wojciech Ziniewicz

Since: Apr 28, 2006 Posts: 40
Posted: Wed Aug 23, 2006 3:20 pm Post subject: Re: (crazy?) idea for blocking p2p
2006/8/23, Felipe Figueiredo <philsf DeleteThis @ufrj.br>:
> I just patched my sandbox with layer7, and got curious: why is it not
> available as .deb patch to the kernel?
>
> I didn't find any information in packages.debian.org or the BTS about it, do
> the developers have any reason for not including it (and its userspace tools,
> for that matter) in the repositories?
It's claimed to be unstable.
--
Wojciech Ziniewicz | jid:zeth@chrome.pl
http://silenceproject.org | http://zetho.wordpress.com