On Mon, 2001-10-15 at 02:42, Adam Lydick wrote:
> On Sun, Oct 14, 2001 at 02:41:57PM +0200, Christian Wendt wrote:
> > I think about the most "intelligent" way to filter all those out would
> > be protocol matching...
> >
> > with iptables it's possible to search packets for strings... (not in the
> > kernel, needs patch-o-matic) (I'd advise to only search in SYN
> > packets... could be CPU Hog)
>
> I've never seen a SYN packet that contained data, and it was my understanding
> that they generally (always?) do not. Correct me if I am mistaken.

Yes, you're right... - that does create other flaws as well, as I rethink it.

> Also, this will be defeated by encrypted protocols -- if users start to tunnel
> through SSL, you don't get to see any of the protocol, and cannot perform
> matching.
>
> > (Gnutella seems to use "GNUTELLA CONNECT/0.4", e.g.)
>
> That would work for existing protocols, but doesn't help vs. newer and more
> cleverly hidden protocols. As soon as you start blocking in this manner,
> P2P apps will adapt as needed.

Yeah, same with the port-blocking featured in the other posts... - it would be
defeated by SSL or by altering the client; it would not be defeated by
altering the port or using a random port in the client.

Also, as you corrected me about my failure with SYN - it would block
legitimate traffic... e.g. any email containing the string "GNUTELLA
CONNECT/0.4" - in the worst case only a single packet out of a bigger
stream, leading to retransmissions that'll never succeed... No good that
way. Definite 'bad'.

Best thing to do: educate users?
+ bandwidth cap
+ no incoming connections (on ports) - so one wouldn't be able to offer
files to other firewalled users...

> --
> Adam Lydick

MFG,
Christian Wendt
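The failure modes raised in this exchange, as an added toy model that is not part of the thread: a per-segment string filter never sees the handshake string in a data-less SYN, misses it when the handshake straddles a segment boundary, and drops a legitimate mail segment that happens to contain the same bytes. The `Segment` class, the flows and all payloads are constructed sample data.

```python
# Added example (not from the mailing-list thread): per-packet string matching
# versus stream reassembly for the Gnutella handshake string.
from dataclasses import dataclass
from typing import List

SIGNATURE = b"GNUTELLA CONNECT/0.4"


@dataclass
class Segment:
    """Simplified TCP segment: a flag name plus its payload (constructed data)."""
    flags: str
    payload: bytes


def per_packet_matches(flow: List[Segment]) -> List[int]:
    """Naive filter: index of every segment whose own payload holds the signature.
    A SYN without payload can never match, whatever flag filter the rule uses."""
    return [i for i, seg in enumerate(flow) if SIGNATURE in seg.payload]


def stream_matches(flow: List[Segment]) -> bool:
    """Reassemble the byte stream first, then match across segment boundaries."""
    return SIGNATURE in b"".join(seg.payload for seg in flow)


def data_bearing_syns(flow: List[Segment]) -> int:
    """Count SYN segments that carry payload (zero in an ordinary TCP handshake)."""
    return sum(1 for seg in flow if seg.flags == "SYN" and seg.payload)


# Constructed sample flows: a clean handshake, one split across two segments,
# and an SMTP-like mail body that merely quotes the handshake string.
HANDSHAKE = [Segment("SYN", b""), Segment("ACK", b""),
             Segment("PSH", SIGNATURE + b"\n\n")]
SPLIT_HANDSHAKE = [Segment("SYN", b""), Segment("ACK", b""),
                   Segment("PSH", b"GNUTELLA CON"), Segment("PSH", b"NECT/0.4\n\n")]
MAIL = [Segment("SYN", b""), Segment("ACK", b""),
        Segment("PSH", b"Subject: p2p filtering\r\n\r\nthe client sends "),
        Segment("PSH", b"\"GNUTELLA CONNECT/0.4\" before anything else.\r\n")]

if __name__ == "__main__":
    for name, flow in [("handshake", HANDSHAKE), ("split", SPLIT_HANDSHAKE), ("mail", MAIL)]:
        print(name, per_packet_matches(flow), stream_matches(flow), data_bearing_syns(flow))
```

The split flow shows why per-packet matching is also easy to miss by accident, and the mail flow shows that even correct reassembly still fires on the string alone, which is why the thread ends up preferring caps and connection policy over content matching.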

