Re: Off Topic - Block iCloud -

2013-04-11 Thread poma
On 11.04.2013 20:45, Bob Goodwin - Zuni, Virginia, USA wrote:

> Yes the Cisco router/Tomato combination works more predictably and the
> logging works, something that DD-WRT never seemed to get right. So far
> I've set up 4 rules and they seem to do what is expected. Time will tell
> if I've got the right addresses controlled.
> 
> Thanks to all for the help and encouragement,

dd-wrt does have its flies, true. :)
Regarding sockets, you can use:
"netstat -a(ll) -n(umbers) -t(cp) -u(dp)…"
or simply
"less /proc/net/[ip_conntrack|nf_conntrack]"
if the router provides it via cli (ssh).
Web-GUI counterparts are "http://*router*/Status_Conntrack.asp" (dd-wrt)
and probably "http://*router*/qos-detailed.asp" (tomato).

Bob, no problemos and good hunting on the "clouds". ;)


poma



-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
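
An added example, not part of poma's message: a shell/awk summarizer for the conntrack table mentioned above, grouping entries by LAN source, remote address and destination port and ranking them by bytes. The sample table is constructed, and the `bytes=` counters assume connection accounting is enabled; without it the ranking falls back to connection count.

```shell
#!/bin/sh
# Added example: rank flows in a conntrack table by bytes so the device and
# remote endpoint eating the allowance stand out. Handles both layouts:
#   ip_conntrack:  tcp 6 <ttl> <state> src=... dst=... sport=... dport=...
#   nf_conntrack:  ipv4 2 tcp 6 <ttl> <state> src=... dst=... ...

# Constructed sample table (private/documentation addresses, made-up counters).
sample_conntrack() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=198.51.100.7 sport=50211 dport=443 packets=900 bytes=120000 src=198.51.100.7 dst=203.0.113.9 sport=443 dport=50211 packets=4100 bytes=6000000 [ASSURED] mark=0 use=2
tcp      6 431985 ESTABLISHED src=192.168.1.20 dst=198.51.100.7 sport=50215 dport=443 packets=600 bytes=80000 src=198.51.100.7 dst=203.0.113.9 sport=443 dport=50215 packets=2100 bytes=3000000 [ASSURED] mark=0 use=2
udp      17 25 src=192.168.1.20 dst=198.51.100.99 sport=16403 dport=16386 packets=5000 bytes=4000000 [UNREPLIED] src=198.51.100.99 dst=203.0.113.9 sport=16386 dport=16403 packets=0 bytes=0 mark=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=192.168.1.31 dst=192.0.2.50 sport=40100 dport=80 packets=12 bytes=2000 src=192.0.2.50 dst=203.0.113.9 sport=80 dport=40100 packets=40 bytes=50000 [ASSURED] mark=0 use=2
EOF
}

# Reads a conntrack table on stdin. Optional $1 restricts output to one LAN
# source address. Output lines: "<bytes> <connections> <src> <dst> <proto>/<dport>"
summarize_conntrack() {
  awk -v want="${1:-}" '
  {
    src = ""; dst = ""; dport = ""; bytes = 0
    # Protocol name is field 1 in ip_conntrack, field 3 in nf_conntrack.
    proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
    for (i = 1; i <= NF; i++) {
      # The first src/dst/dport belong to the original (LAN-side) direction;
      # the second set is the reply tuple and is skipped.
      if ($i ~ /^src=/ && src == "")          src = substr($i, 5)
      else if ($i ~ /^dst=/ && dst == "")     dst = substr($i, 5)
      else if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
      # Byte counters from both directions count against the allowance.
      else if ($i ~ /^bytes=/)                bytes += substr($i, 7)
    }
    if (src == "" || dst == "") next
    if (want != "" && src != want) next
    key = src " " dst " " proto "/" dport
    conns[key]++
    total[key] += bytes
  }
  END {
    for (k in conns) printf "%.0f %d %s\n", total[k], conns[k], k
  }' | sort -k1,1nr -k2,2nr
}

# On a router shell this would be: summarize_conntrack < /proc/net/nf_conntrack
sample_conntrack | summarize_conntrack
```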


Re: Off Topic - Block iCloud -

2013-04-11 Thread Bob Goodwin - Zuni, Virginia, USA

On 10/04/13 20:11, poma wrote:

> Tomato is also BusyBox based, and if it's usable why not.
>
> poma


Yes the Cisco router/Tomato combination works more predictably and the 
logging works, something that DD-WRT never seemed to get right. So far 
I've set up 4 rules and they seem to do what is expected. Time will tell 
if I've got the right addresses controlled.


Thanks to all for the help and encouragement,

Bob

--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-10 Thread Tim
Bob Goodwin - Zuni, Virginia, USA wrote:
> It looks to me like I should be able to block connection to
> "icloud.com" in the router but so far that has not worked.

Any firmware upgrades for it?

I have a router that's supposed to offer content filtering based on URIs
and wildcards around them, but it's never worked.  Luckily I don't need
it, but I was trying out all the features it had, and it just had no
effect.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Off Topic - Block iCloud -

2013-04-10 Thread poma
On 10.04.2013 21:13, Bob Goodwin - Zuni, Virginia, USA wrote:

> DD-WRT should work! I am going to try a Cisco router with the "tomato"
> version of DD-WRT, pomodoro, that should meet with your approval? :-)  
> It usually does a few things I can't do with this one. I just have
> trouble finding my way through its menus, I am more familiar with the
> one I'm using. I haven't been able to devote enough time to this effort
> today, too many interruptions.


I just finished the testing. :)
I have to correct myself - Access Restrictions/WAN Access *do* work!
Sorry for the false alarm.
Also tested via cli - working too. :)
If I correctly interpret the iptables on the router, all ports defined -
both destination and source become blocked.
So, you do not have to bother with scripts and crond.
I am pretty confident that you will succeed, especially because now you
know what to do.
Tomato is also BusyBox based, and if it's usable why not.


poma




Re: Off Topic - Block iCloud -

2013-04-10 Thread Bob Goodwin - Zuni, Virginia, USA

On 10/04/13 14:19, poma wrote:

> Probably what you need is to block outgoing ports at certain times for
> certain clients, if I correctly translated the above mentioned.
> In the absence of better tools, you can look at these examples:
> http://www.dd-wrt.com/wiki/index.php/CRON
> http://www.dd-wrt.com/wiki/index.php/Iptables#Block_outgoing_SMTP_traffic_except_from_specified_hosts
> I leave it to you to find which ports are in the game.
>
> poma



DD-WRT should work! I am going to try a Cisco router with the "tomato" 
version of DD-WRT, pomodoro, that should meet with your approval? :-)   
It usually does a few things I can't do with this one. I just have 
trouble finding my way through its menus, I am more familiar with the
one I'm using. I haven't been able to devote enough time to this effort 
today, too many interruptions.


--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-10 Thread poma
On 10.04.2013 18:11, Bob Goodwin - Zuni, Virginia, USA wrote:

> It appears to me that QoS applies only to local addresses. I might be
> able to set it to reduce the data rates on iCloud but it would still
> allow activity when nothing else is running but the Mac desktop.

If I understood correctly, traffic shaping you don't need at all, so
please drop this one.
Neither "WAN Access Restrictions" - http://*gateway*/Filters.asp will do
anything useful in your case.

> I simply want to stop all iCloud activity [except for a "free" period in
> the wee hours of the morning].
> 
> Presently I have been letting it run from 23:59 to 04:00. It ran up 13GB
> on each of two nights and almost 7GB last night. I guess it is satisfied
> after downloading all that data and quit at 6675MB down and 681MB up [up
> is much slower]. However left unattended it will suck up several GB in
> the upload direction, it just takes longer. Both directions count
> against my allocation.

Probably what you need is to block outgoing ports at certain times for
certain clients, if I correctly translated the above mentioned.
In the absence of better tools, you can look at these examples:
http://www.dd-wrt.com/wiki/index.php/CRON
http://www.dd-wrt.com/wiki/index.php/Iptables#Block_outgoing_SMTP_traffic_except_from_specified_hosts
I leave it to you to find which ports are in the game.


poma




Re: Off Topic - Block iCloud -

2013-04-10 Thread Bob Goodwin - Zuni, Virginia, USA

On 10/04/13 07:19, poma wrote:

> Quality Of Service (QoS):
> http://*gateway*/QoS.asp
> - Services Priority - Cloud -> Bulk :)
> - Netmask Priority - Mac -> Bulk :)
> - MAC Priority - Mac -> Bulk :)
>
> http://*gateway*/help/HQos.asp
> http://www.dd-wrt.com/wiki/index.php/Quality_of_Service
>
> poma


It appears to me that QoS applies only to local addresses. I might be 
able to set it to reduce the data rates on iCloud but it would still 
allow activity when nothing else is running but the Mac desktop.


I simply want to stop all iCloud activity [except for a "free" period in 
the wee hours of the morning].


Presently I have been letting it run from 23:59 to 04:00. It ran up 13GB 
on each of two nights and almost 7GB last night. I guess it is satisfied 
after downloading all that data and quit at 6675MB down and 681MB up [up 
is much slower]. However left unattended it will suck up several GB in 
the upload direction, it just takes longer. Both directions count 
against my allocation.


Bob

--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-10 Thread poma
On 10.04.2013 14:18, Reindl Harald wrote:
> 
> 
> On 10.04.2013 14:00, poma wrote:
>> On 10.04.2013 13:56, Heinz Diehl wrote:
>>> On 10.04.2013, Bob Goodwin - Zuni, Virginia, USA wrote:
>>>
>>>> I had not seen that page but scanning through it the most likely candidate
>>>> is port 443 which I had seen elsewhere. However I see no simple way of
>>>> closing that port in DD-WRT.
>>>
>>> As far as I know, DD-WRT uses iptables. So you can insert a line
>>> there.
>>
>> "If all you have is a hammer, everything looks like a nail." :)
> 
> and why do you think this joke does match here?
> in this case all is a nail and you need a hammer

Joke!?
It is the law of the Thor, right?
But, no one here is a nail, nor a Jötun. ;)

> did you know that usually the complete NAT/forwarding/routing
> is done with iptables because it was made for this? the complete
> routing and vpn-gateways between network-locations in 4 small
> offices is done with iptables only here and DD-WRT does nothing
> else

Of course, even my grandma knows it. :)
Therefore, please do provide an *adequate* solution to a Bob. ;)
I repeat, an *adequate* one. ;)
I already made it, through a tc's gui example provided by dd-wrt's
Web-GUI.


poma









Re: Off Topic - Block iCloud -

2013-04-10 Thread Reindl Harald


On 10.04.2013 14:00, poma wrote:
> On 10.04.2013 13:56, Heinz Diehl wrote:
>> On 10.04.2013, Bob Goodwin - Zuni, Virginia, USA wrote:
>>
>>> I had not seen that page but scanning through it the most likely candidate
>>> is port 443 which I had seen elsewhere. However I see no simple way of
>>> closing that port in DD-WRT.
>>
>> As far as I know, DD-WRT uses iptables. So you can insert a line
>> there.
> 
> "If all you have is a hammer, everything looks like a nail." :)

and why do you think this joke does match here?
in this case all is a nail and you need a hammer

did you know that usually the complete NAT/forwarding/routing
is done with iptables because it was made for this? the complete
routing and vpn-gateways between network-locations in 4 small
offices is done with iptables only here and DD-WRT does nothing
else






Re: Off Topic - Block iCloud -

2013-04-10 Thread Tim
Ed Greshko:
>> If so, you could create a "local" zone for icloud.com with a wildcard
>> record that returns a non existing server address.


Bob Goodwin:
> I don't think I know how to do that

If you're using BIND as your DNS server, it's quite easy.  That's "easy"
as in it's easy to add a zone file to kill off certain queries to an
already configured BIND server.  Not so easy if you have to learn how to
set up BIND, first.

You have a named.conf file that lists the domain names you want to kill
off, and they refer to a domain name record file that sends back no
useful information for the query.  So the attempt to connect
to them will fail, and very quickly.

You have entries in the /etc/named.conf file like this:

zone "doubleclick.com"  { type master; file  "dead.zone"; };
zone "adwords.google.com"   { type master; file  "dead.zone"; };
zone "googlesyndication.com"{ type master; file  "dead.zone"; };
zone "googleservices.com"   { type master; file  "dead.zone"; };
zone "googleadservices.com" { type master; file  "dead.zone"; };
zone "google-analytics.com" { type master; file  "dead.zone"; };

So all queries for those domain names, and any sub-domain (e.g. it'll
apply to www.doubleclick.com or any other prefixes, as well).  You just
add more lines, like the above, for anything that you want to answer
with your server.  Anything that you don't add custom files for, your
name server will go out on the web and find the answers in the normal
way.  e.g. google.com still works, because I have no entry for just
google.com.

And you have a dead.zone DNS record file in /var/named/ like this:

$TTL 86400
@       IN  SOA ns.localdomain.  hostmaster.mail.localdomain. (
                200     ; serial
                28800   ; refresh
                7200    ; retry
                604800  ; expire
                86400   ; ttl
                )

        IN  NS  ns.localdomain.

Which provides no answers for any queries, it only has the bare-bones
fields that make up the beginning of a zone file, but no IPs or domain
names that any query would ask about.  Queries fail with an instant "no
answer" type of response.

If you have a chrooted BIND server, then those filepaths are prefixed
with the chroot filepath.  

e.g. If your chroot was to "/var/named/chroot" then they'd be:
 "/var/named/chroot/etc/named.conf"  and
 "/var/named/chroot/var/named/dead.zone"

As that example stands, it'd kill off all queries and connection
attempts to the listed domain names, for all machines on your LAN (I do
this).  If you play with split networks on your LAN (trusted machines on
one set of IP addresses, and untrusted machines on another set), you can
even configure your DNS server to respond differently to the different
sub-networks (work normally for the trusted machines, give "no answer"
results to the untrusted machines).

Of course, if you're not using BIND as your DNS server on one of your
computers, then you'd need to learn how to do a similar thing with that
name server.  If your DNS server is your router, you're going to be
limited to what it provides.  Though, there's nothing stopping you from
configuring your DHCP server (whatever it is) to tell all DHCP clients
to use a DNS server on your computer instead of the router (I do this).

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.8.4-102.fc17.x86_64 #1 SMP Sun Mar 24 13:09:09 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

My apologies for not including a virus with this message, but I don't
use Windows.





Re: Off Topic - Block iCloud -

2013-04-10 Thread poma
On 10.04.2013 13:56, Heinz Diehl wrote:
> On 10.04.2013, Bob Goodwin - Zuni, Virginia, USA wrote: 
> 
>> I had not seen that page but scanning through it the most likely candidate
>> is port 443 which I had seen elsewhere. However I see no simple way of
>> closing that port in DD-WRT.
> 
> As far as I know, DD-WRT uses iptables. So you can insert a line
> there.

"If all you have is a hammer, everything looks like a nail." :)

poma





Re: Off Topic - Block iCloud -

2013-04-10 Thread Heinz Diehl
On 10.04.2013, Bob Goodwin - Zuni, Virginia, USA wrote: 

> I had not seen that page but scanning through it the most likely candidate
> is port 443 which I had seen elsewhere. However I see no simple way of
> closing that port in DD-WRT.

As far as I know, DD-WRT uses iptables. So you can insert a line
there.



Re: Off Topic - Block iCloud -

2013-04-10 Thread poma
On 10.04.2013 00:47, Joe Zeff wrote:
> On 04/09/2013 02:46 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
>> I had not seen that page but scanning through it the most likely
>> candidate is port 443 which I had seen elsewhere. However I see no
>> simple way of closing that port in DD-WRT. Closing it in iptables on
>> this computer wont stop iCloud to the Macs, etc. I tried blocking
>> several ip addresses I found Googling but that was not enough, perhaps
>> not a complete list?
> 
> It also mentions 5523, Apple Push Notification Services.  Dropping that
> at the router may do what you need.

Quality Of Service (QoS):
http://*gateway*/QoS.asp
- Services Priority - Cloud -> Bulk :)
- Netmask Priority - Mac -> Bulk :)
- MAC Priority - Mac -> Bulk :)

http://*gateway*/help/HQos.asp
http://www.dd-wrt.com/wiki/index.php/Quality_of_Service

poma



Re: Off Topic - Block iCloud -

2013-04-10 Thread Bob Goodwin - Zuni, Virginia, USA

On 10/04/13 05:58, Cameron Simpson wrote:

> On 10Apr2013 05:35, Bob Goodwin - Zuni, Virginia, USA wrote:
> | On 09/04/13 21:07, Cameron Simpson wrote:
> | >In fact, that's 1MB per second (12Mbps!) That should be glaringly obvious
> | >with trafshow or similar tools. Which will show you the IP and port involved.
> |
> | Yes and the system sometimes runs a lot faster than specified. I yum
> | installed trafshow, never ran across that application before, and it
> | works as expected on p4p1 but that's not where it needs to be, I need
> | to find how to point it at the router traffic. It seems that would
> | show me why my efforts so far have not helped?
>
> Well, you could get your DHCP server to make your linux box the
> default router. Then set your linux box's default route to be the
> router by hand, and tell it to forward packets:
>
>    echo 1 >/proc/sys/net/ipv4/ip_forward
>
> Then next time the Mac (or whatever) connects to your LAN you should
> be able to watch the traffic. Of course, you'll also be burdened
> with forwarding all the LAN traffic across your linux box, but for
> purposes of debugging.

I could use another F-18 box ...

> And of course, Macs are BSD UNIX. Run trafshow there! You might
> have to install MacPorts (or Fink or HomeBrew etc) to get trafshow
> installed, but any Mac _wants_ that anyway!

I try to avoid messing with her Mac. I'm not familiar enough with it and
I can't get close enough to the screen due to the physical arrangement,
vision problems, 'ah the golden years!'

> And of course you could hand set the default route on the Mac for
> debugging purposes just as with any UNIX box, and avoid mucking
> with the router DHCP advertisements until you want to frib with
> iPhones etc.
>
> Cheers,



--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-10 Thread Cameron Simpson
On 10Apr2013 05:35, Bob Goodwin - Zuni, Virginia, USA wrote:
| On 09/04/13 21:07, Cameron Simpson wrote:
| >In fact, that's 1MB per second (12Mbps!) That should be glaringly obvious
| >with trafshow or similar tools. Which will show you the IP and port involved.
|
| Yes and the system sometimes runs a lot faster than specified. I yum
| installed trafshow, never ran across that application before, and it
| works as expected on p4p1 but that's not where it needs to be, I need
| to find how to point it at the router traffic. It seems that would
| show me why my efforts so far have not helped?

Well, you could get your DHCP server to make your linux box the
default router. Then set your linux box's default route to be the
router by hand, and tell it to forward packets:

  echo 1 >/proc/sys/net/ipv4/ip_forward

Then next time the Mac (or whatever) connects to your LAN you should
be able to watch the traffic. Of course, you'll also be burdened
with forwarding all the LAN traffic across your linux box, but for
purposes of debugging.

And of course, Macs are BSD UNIX. Run trafshow there! You might
have to install MacPorts (or Fink or HomeBrew etc) to get trafshow
installed, but any Mac _wants_ that anyway!

And of course you could hand set the default route on the Mac for
debugging purposes just as with any UNIX box, and avoid mucking
with the router DHCP advertisements until you want to frib with
iPhones etc.

Cheers,
-- 
Cameron Simpson 

We're supposed to be the guys with Freedom and Democracy right?
Well, how come the Russians get to shell their Parliament and we don't
get to do it to ours?
Mike Holmes, f...@festival.ed.ac.uk


Re: Off Topic - Block iCloud -

2013-04-10 Thread Bob Goodwin - Zuni, Virginia, USA

On 10/04/13 05:44, Ed Greshko wrote:

> On 04/10/13 17:01, Bob Goodwin - Zuni, Virginia, USA wrote:
>
>> The best solution would be to stop connection to the iCloud servers for
>> everyone on our LAN. When they leave our place they can use other means of
>> connection, 3g, etc. They would still have browsing, email, etc. available here.
>
> When they are on your LAN do they get their IP address via DHCP and are they
> using a DNS server that you have control over?

Yes, the router provides the DHCP static addresses for each MAC.

> If so, you could create a "local" zone for icloud.com with a wildcard record
> that returns a non existing server address.

I don't think I know how to do that?

--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-10 Thread Ed Greshko
On 04/10/13 17:01, Bob Goodwin - Zuni, Virginia, USA wrote:
> The best solution would be to stop connection to the iCloud servers for 
> everyone on our LAN. When they leave our place they can use other means of 
> connection, 3g, etc. They would still have browsing, email, etc. available 
> here. 

When they are on your LAN do they get their IP address via DHCP and are they
using a DNS server that you have control over?

If so, you could create a "local" zone for icloud.com with a wildcard record 
that returns a non existing server address.

-- 
From now on, at least during winter time, Im going to blame all spelling an 
grammar erros on the cat sitting on my chest every time I sit down at the 
computer


Re: Off Topic - Block iCloud -

2013-04-10 Thread Bob Goodwin - Zuni, Virginia, USA

On 09/04/13 21:07, Cameron Simpson wrote:

> On 10Apr2013 10:31, I wrote:
> | On 09Apr2013 11:12, Bob Goodwin - Zuni, Virginia, USA wrote:
> | | downloads at about 3GB per hour,
> |
> | That's huge!
>
> In fact, that's 1MB per second (12Mbps!) That should be glaringly obvious
> with trafshow or similar tools. Which will show you the IP and port involved.
>
> Cheers,
> -- Cameron Simpson

Yes and the system sometimes runs a lot faster than specified. I yum
installed trafshow, never ran across that application before, and it
works as expected on p4p1 but that's not where it needs to be, I need to
find how to point it at the router traffic. It seems that would show me
why my efforts so far have not helped?


Thanks,

Bob

--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-10 Thread Bob Goodwin - Zuni, Virginia, USA

On 09/04/13 21:28, Sam Varshavchik wrote:


> I'm not sure if this is the same issue, but when one member of my
> household acquired a Macbook, that thing just started flooding my
> bandwidth.
>
> I didn't know, at first, WTF was going on, and I didn't tie it to the
> Macbook, but, fortunately, at that time I /was/ running a router with
> DD-WRT firmware, so I could ssh into the router itself, and see that
> it was the Macbook flinging crap into the Intertubes.


Yes, about the same thing happened here but it cost me a lot of 
bandwidth usage/money before I understood what was happening. I couldn't 
believe anyone would create a system that worked that way! Last fall she 
put all the Apple stuff on the iCloud system and the mysterious usage began.




> That hacked router, sadly, gave up the magic blue smoke some time ago,
> and I just didn't have the mental fortitude to set up another
> hackarouter, so I now have a stock Netgear WNDR3700v3 which, AFAIK,
> doesn't have any way to report which connected device is generating
> how much bandwidth, so I don't think I'd have any way of knowing what is
> coming out of which device, but, back then I was lucky.
>
> Anyway, the traffic that I saw coming out of the Macbook was massive
> amounts of /UDP/ traffic to high ports, looked like some kind of a
> peer-to-peer protocol. But it was all UDP. I didn't want to waste any
> more time on this nonsense. The DD-WRT firmware allowed me to bind
> filtering rules to MAC addresses. So, I set up a rule tied to the
> Macbook MAC address, that blocked all traffic to UDP ports 1024-65535.


I'm presently using a Buffalo WZR-HP-G450H which I believe came with 
DD-WRT installed. I have several other routers in which I have installed 
DD-WRT but settled on this one for no special reason, they all work. It 
looks to me like I should be able to block connection to "icloud.com" in 
the router but so far that has not worked. The usage continues to grow 
when I allow the Mac with iCloud to connect.


I can block other addresses, when the kids want iTunes or a PS3 update I 
have to enable the connections for them.




> That solved the problem for good, and I had no complaints. There's no
> legitimate, mainstream, consumer Intertube use that needs high UDP
> port ranges.


It should be that simple for me too, but alas nothing is easy!



> P.S. The replacement Netgear router's firmware couldn't do MAC-based
> filtering. So, when I carefully configured it, I just had the router's
> DHCP server bind the Macbook's MAC address to a statically assigned IP
> address, and set up the router to block all traffic from that IP
> address to UDP ports 1024-65535.




I don't see a way to block ports in this Buffalo DD-WRT? Perhaps they 
removed something. I'll try another router later, but what I've done it 
seems should work ...


--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-10 Thread Bob Goodwin - Zuni, Virginia, USA

On 10/04/13 03:20, Tim wrote:

> Apart from the obvious of reconfiguring the devices, and presenting the
> ISP bill to the appropriate family member, can things be configured at
> the cloud end of the equation?  (Quotas, turn off functions, close the
> account, etc.)

None of those work for reasons too numerous to go into here. Presently I
simply disallow their internet access on our wireless LAN, we even 
pulled the Ethernet connection on the Mac desktop which was the worst 
offender since it is "in-range" of the wi-fi constantly, but that's 
overkill!


The best solution would be to stop connection to the iCloud servers for 
everyone on our LAN. When they leave our place they can use other means 
of connection, 3g, etc. They would still have browsing, email, etc. 
available here.


--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-10 Thread Tim
Allegedly, on or about 09 April 2013, Bob Goodwin - Zuni, Virginia, USA
sent:
> Can anyone tell me how to block Apple iCloud in my router? I've tried 
> filtering icloud.com as mentioned in Google but it still downloads at 
> about 3GB per hour, a rate that would use up my month's allocation in 
> about 8 hours! There seems to be a dearth of information on Google on 
> the subject although it is a recognized problem. 

Apart from the obvious of reconfiguring the devices, and presenting the
ISP bill to the appropriate family member, can things be configured at
the cloud end of the equation?  (Quotas, turn off functions, close the
account, etc.)

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.8.4-102.fc17.x86_64 #1 SMP Sun Mar 24 13:09:09 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

My apologies for not including a virus with this message, but I don't
use Windows.





Re: Off Topic - Block iCloud -

2013-04-09 Thread Sam Varshavchik

Bob Goodwin - Zuni, Virginia, USA writes:

> Can anyone tell me how to block Apple iCloud in my router? I've tried
> filtering icloud.com as mentioned in Google but it still downloads at about
> 3GB per hour, a rate that would use up my month's allocation in about 8
> hours! There seems to be a dearth of information on Google on the subject
> although it is a recognized problem.


I'm not sure if this is the same issue, but when one member of my household  
acquired a Macbook, that thing just started flooding my bandwidth.


I didn't know, at first, WTF was going on, and I didn't tie it to the  
Macbook, but, fortunately, at that time I /was/ running a router with DD-WRT  
firmware, so I could ssh into the router itself, and see that it was the  
Macbook flinging crap into the Intertubes.


That hacked router, sadly, gave up the magic blue smoke some time ago, and I  
just didn't have the mental fortitude to set up another hackarouter, so I  
now have a stock Netgear WNDR3700v3 which, AFAIK, doesn't have any way to  
report which connected device is generating how much bandwidth, so I don't  
think I'd have any way of knowing what is coming out of which device, but, back  
then I was lucky.


Anyway, the traffic that I saw coming out of the Macbook was massive amounts  
of /UDP/ traffic to high ports, looked like some kind of a peer-to-peer  
protocol. But it was all UDP. I didn't want to waste any more time on this  
nonsense. The DD-WRT firmware allowed me to bind filtering rules to MAC  
addresses. So, I set up a rule tied to the Macbook MAC address, that blocked  
all traffic to UDP ports 1024-65535.


That solved the problem for good, and I had no complaints. There's no  
legitimate, mainstream, consumer Intertube use that needs high UDP port  
ranges.


P.S. The replacement Netgear router's firmware couldn't do MAC-based  
filtering. So, when I carefully configured it, I just had the router's DHCP  
server bind the Macbook's MAC address to a statically assigned IP address,  
and set up the router to block all traffic from that IP address to UDP ports  
1024-65535.





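The per-device filter described in the message above, written as stock iptables rules (an added example, not part of the original post or of any router's own configuration). It assumes a firmware whose iptables has the `mac` match and the `LOG` target; the MAC and IP values are constructed placeholders, and the function only prints the rules for review.

```shell
#!/bin/sh
# Print (do not apply) rules that drop one device's UDP traffic to ports 1024-65535.
# Assumption: the printed lines are run on a router whose iptables has "mac" and "LOG".

# is_mac ADDR: succeed if ADDR is six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) bad = 1 }
        END { exit (bad || NR != 1) }'
}

# udp_high_port_rules DEVICE: DEVICE is a MAC address (filter bound to the
# hardware address) or an IPv4 address (DHCP reservation plus source-IP filter).
udp_high_port_rules() {
    if is_mac "$1"; then
        match="-m mac --mac-source $1"
    elif is_ipv4 "$1"; then
        match="-s $1"
    else
        echo "udp_high_port_rules: not a MAC or IPv4 address: $1" >&2
        return 1
    fi
    common="$match -p udp --dport 1024:65535"
    # Rule 1 logs (rate-limited) so the blocked flows stay visible; rule 2 drops.
    echo "iptables -I FORWARD 1 $common -m limit --limit 6/minute -j LOG --log-prefix \"udp-high: \""
    echo "iptables -I FORWARD 2 $common -j DROP"
}

# Constructed placeholder values (documentation MAC range, private LAN address).
udp_high_port_rules 00:00:5E:00:53:01
udp_high_port_rules 192.168.1.50
```

The explicit positions 1 and 2 keep the LOG rule ahead of the DROP rule; inserting both at the top without a position would reverse them and the log line would never fire.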


Re: Off Topic - Block iCloud -

2013-04-09 Thread Cameron Simpson
On 10Apr2013 10:31, I wrote:
| On 09Apr2013 11:12, Bob Goodwin - Zuni, Virginia, USA wrote:
| | downloads at about 3GB per hour,
| 
| That's huge!

In fact, that's 1MB per second (12Mbps!) That should be glaringly obvious
with trafshow or similar tools. Which will show you the IP and port involved.

Cheers,
-- 
Cameron Simpson 

In theory, there is no difference between theory and practice.
In practice, there is. - Yogi Berra


Re: Off Topic - Block iCloud -

2013-04-09 Thread Cameron Simpson
On 09Apr2013 11:12, Bob Goodwin - Zuni, Virginia, USA wrote:
| Can anyone tell me how to block Apple iCloud in my router?

Let me start by saying I think it would be better to get your
daughter to sync less stuff. Get her to turn off automatic app
installs and media syncs and see where you are.

If you restrict iCloud to calendars and bookmarks and contacts it
should be a lot less aggressive. Likewise, the push notifications
are not high traffic either.

| I've
| tried filtering icloud.com as mentioned in Google

That's a bit vague; what exactly did you do?

| but it still
| downloads at about 3GB per hour,

That's huge! Do you know what they are - media, apps or what? Do
you know which specific devices offend?

| Presently I am forced to block all the Apple devices on my LAN. I
| would like to be more selective and allow them other functions,
| e-mail and browsing, etc. They can use the 3g/4g system for their
| iCloud needs.

You'll need to allow 443 in general for the web. But...

A grep through an access log shows these hosts with "icloud" in their name:

aolauth.icloud.com
keyvalueservice.icloud.com
p02-bookmarks.icloud.com
p02-caldav.icloud.com
p02-contacts.icloud.com
p02-contactsws.icloud.com
p02-content.icloud.com
p02-fmip.icloud.com
p02-fmipweb.icloud.com
p02-keyvalueservice.icloud.com
p02-mailws.icloud.com
p02-pushws.icloud.com
p02-quota.icloud.com
p02-ubiquity.icloud.com
p02-ubiquityws.icloud.com
p07-content.icloud.com
p11-content.icloud.com
setup.icloud.com
statici.icloud.com

I imagine there are p03-* etc in play too. Look up their IPs. Block
access to those IPs on ports 80 and 443 in your router. Port 5223
(iCloud DAV services) should be low traffic. I expect:-(

However, this is overkill and you'll basically be breaking the Apple
devices as far as a lot of convenient things go.

It would be far better to get your high traffic user to cut back on
what is synched. If you get her to turn off the app and media auto
stuff the traffic should drop enormously. You can sync contacts and
calendars and bookmarks at little cost.

Of course, there are still media downloads etc, but if your user
mediates that all through iTunes on a Mac and syncs from the Mac
to their devices instead of implicitly via the iCloud then at least
their bandwidth use will be obviously in their face, and you and
they can see what's going on.

Cheers,
-- 
Cameron Simpson 

Piracy gets easier every day, but listening to legally purchased
music gets harder by the day.
Firehed - http://politics.slashdot.org/comments.pl?sid=179175&cid=14846089
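One way to carry out the "look up their IPs, block ports 80 and 443" step from the message above, as an added example that is not part of the original post. The host/IP pairs and the device address are constructed (documentation ranges), `resolve_hosts` assumes a glibc `getent` on a workstation, and since the addresses behind these names change, the rules have to be regenerated from a fresh lookup.

```shell
#!/bin/sh
# Turn resolved "host ip" pairs into per-device DROP rules for TCP 80/443.
# The rules are printed for review, not applied.

# resolve_hosts: read hostnames on stdin, print "host ip" for each IPv4 address.
# Needs working DNS; not used by the offline sample run below.
resolve_hosts() {
    while read -r host; do
        getent ahostsv4 "$host" | awk -v h="$host" '$2 == "STREAM" { print h, $1 }'
    done
}

# block_rules SRC_IP: read "host ip" pairs on stdin. Keeps only names under
# icloud.com, emits one rule per unique IP, and lists the names that resolved
# to it in a comment so each rule can be traced back to its hosts.
block_rules() {
    awk -v src="$1" '
        NF != 2 || $1 !~ /(^|\.)icloud\.com$/ || $2 !~ /^[0-9.]+$/ || seen[$0]++ { next }
        !($2 in hosts) { order[++n] = $2 }
        { hosts[$2] = hosts[$2] " " $1 }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                print "#" hosts[ip]
                print "iptables -I FORWARD -s " src " -d " ip " -p tcp -m multiport --dports 80,443 -j DROP"
            }
        }'
}

# Constructed sample input: what resolve_hosts might print (192.0.2.0/24 is TEST-NET-1).
SAMPLE_PAIRS='p02-content.icloud.com 192.0.2.10
p07-content.icloud.com 192.0.2.10
p02-caldav.icloud.com 192.0.2.20
example.org 192.0.2.30'

# 192.168.1.50 is a constructed LAN address for the device being restricted.
printf '%s\n' "$SAMPLE_PAIRS" | block_rules 192.168.1.50
```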


Re: Off Topic - Block iCloud -

2013-04-09 Thread staticsafe
On 4/9/2013 17:46, Bob Goodwin - Zuni, Virginia, USA wrote:
> On 09/04/13 17:26, Ed Greshko wrote:
>> On 04/09/13 23:12, Bob Goodwin - Zuni, Virginia, USA wrote:
>>>
>>> Can anyone tell me how to block Apple iCloud in my router? I've
>>> tried filtering icloud.com as mentioned in Google but it still
>>> downloads at about 3GB per hour, a rate that would use up my month's
>>> allocation in about 8 hours! There seems to be a dearth of
>>> information on Google on the subject although it is a recognized
>>> problem.
>>>
>>> Presently I am forced to block all the Apple devices on my LAN. I
>>> would like to be more selective and allow them other functions,
>>> e-mail and browsing, etc. They can use the 3g/4g system for their
>>> iCloud needs.
>>>
>>> iCloud is really a very inefficient solution to a problem I didn't
>>> know existed until my daughter subscribed and put a half dozen
>>> devices on it.
>>>
>>> Any information or suggestions will be appreciated.
>>>
>>
>> http://support.apple.com/kb/ts1629
> 
> I had not seen that page but scanning through it the most likely
> candidate is port 443 which I had seen elsewhere. However I see no
> simple way of closing that port in DD-WRT. Closing it in iptables on
> this computer won't stop iCloud to the Macs, etc. I tried blocking
> several ip addresses I found Googling but that was not enough, perhaps
> not a complete list?
> 

Dropping 443 will also break all your other HTTPS connections.

(You probably shouldn't do that.)

-- 
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.


Re: Off Topic - Block iCloud -

2013-04-09 Thread Joe Zeff

On 04/09/2013 02:46 PM, Bob Goodwin - Zuni, Virginia, USA wrote:

> I had not seen that page but scanning through it the most likely
> candidate is port 443 which I had seen elsewhere. However I see no
> simple way of closing that port in DD-WRT. Closing it in iptables on
> this computer won't stop iCloud to the Macs, etc. I tried blocking
> several ip addresses I found Googling but that was not enough, perhaps
> not a complete list?


It also mentions 5523, Apple Push Notification Services.  Dropping that 
at the router may do what you need.



Re: Off Topic - Block iCloud -

2013-04-09 Thread Bob Goodwin - Zuni, Virginia, USA

On 09/04/13 17:26, Ed Greshko wrote:
> On 04/09/13 23:12, Bob Goodwin - Zuni, Virginia, USA wrote:
>>
>> Can anyone tell me how to block Apple iCloud in my router? I've tried
>> filtering icloud.com as mentioned in Google but it still downloads at
>> about 3GB per hour, a rate that would use up my month's allocation in
>> about 8 hours! There seems to be a dearth of information on Google on
>> the subject although it is a recognized problem.
>>
>> Presently I am forced to block all the Apple devices on my LAN. I would
>> like to be more selective and allow them other functions, e-mail and
>> browsing, etc. They can use the 3g/4g system for their iCloud needs.
>>
>> iCloud is really a very inefficient solution to a problem I didn't know
>> existed until my daughter subscribed and put a half dozen devices on it.
>>
>> Any information or suggestions will be appreciated.
>>
>
> http://support.apple.com/kb/ts1629


I had not seen that page but scanning through it the most likely 
candidate is port 443 which I had seen elsewhere. However I see no 
simple way of closing that port in DD-WRT. Closing it in iptables on 
this computer won't stop iCloud to the Macs, etc. I tried blocking 
several ip addresses I found Googling but that was not enough, perhaps 
not a complete list?


--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux



Re: Off Topic - Block iCloud -

2013-04-09 Thread Ed Greshko
On 04/09/13 23:12, Bob Goodwin - Zuni, Virginia, USA wrote:
>
> Can anyone tell me how to block Apple iCloud in my router? I've tried 
> filtering icloud.com as mentioned in Google but it still downloads at about 
> 3GB per hour, a rate that would use up my month's allocation in about 8 
> hours! There seems to be a dearth of information on Google on the subject 
> although it is a recognized problem.
>
> Presently I am forced to block all the Apple devices on my LAN. I would like 
> to be more selective and allow them other functions, e-mail and browsing, 
> etc. They can use the 3g/4g system for their iCloud needs.
>
> iCloud is really a very inefficient solution to a problem I didn't know 
> existed until my daughter subscribed and put a half  dozen devices on it.
>
> Any information or suggestions will be appreciated.
>
>

http://support.apple.com/kb/ts1629

-- 
From now on, at least during winter time, Im going to blame all spelling an 
grammar erros on the cat sitting on my chest every time I sit down at the 
computer


Off Topic - Block iCloud -

2013-04-09 Thread Bob Goodwin - Zuni, Virginia, USA


Can anyone tell me how to block Apple iCloud in my router? I've tried 
filtering icloud.com as mentioned in Google but it still downloads at 
about 3GB per hour, a rate that would use up my month's allocation in 
about 8 hours! There seems to be a dearth of information on Google on 
the subject although it is a recognized problem.


Presently I am forced to block all the Apple devices on my LAN. I would 
like to be more selective and allow them other functions, e-mail and 
browsing, etc. They can use the 3g/4g system for their iCloud needs.


iCloud is really a very inefficient solution to a problem I didn't know 
existed until my daughter subscribed and put a half  dozen devices on it.


Any information or suggestions will be appreciated.

Bob

--

http://www.qrz.com/db/W2BOD

box10   Fedora-18 XFCE Linux
