
Re: blocking kazaa



On Tue, 19 Nov 2002, Fadel wrote:

> I ran into trouble in my network while trying to block Kazaa.
> I tried to drop port 1214 with this rule:
>
> iptables -A FORWARD --dport 1214 -j DROP
>
> but this doesn't work.

Right, that's not enough :(

> So I did some sniffing to see what kind of packets and
> ports Kazaa uses, and I saw that it searches for servers on different ports.
> Later, I read various texts around the net, but all recommend blocking
> port 1214 and the Kazaa site. This probably worked in version 1.
>
> How could I block Kazaa, since I need to accept connections on high ports?

Hey, it's a hack. But it's mine :=) (not knowing better :( )

Daemonized ngrep:

  ngrep -l -q -t -d eth0 -i 'kazaa' >> <some log file>

and added a cron job that parses the log file looking for UDP packets
that include the string kazaa (caseless) in the first 16 bytes. Rip
the ip-address and:

  route add -host <host-ip> reject

or

  ip route add blackhole <host-ip>/32

in a few words (the script is longer).

You could look for the strings 'kazaa' and 'super.*server' on TCP
packets, to catch a few more.


Cheers,
Cristian
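
A sketch of the log-parsing step described in the message above, as an added example that is not Cristian's script or part of the original post. It assumes the log uses ngrep's text layout (a header line starting in column 0, then an indented payload line), that the address to route away is the packet's source, and it uses constructed sample lines; `never_block` is a hypothetical allowlist, included because the source address of a UDP packet can be spoofed.

```python
import ipaddress
import re

# Constructed sample in the layout assumed for "ngrep -q -t" output.
SAMPLE_LOG = """\
U 2002/11/19 10:15:01.120001 192.168.1.23:1045 -> 203.0.113.7:2417
  ....KaZaA.......more.payload
U 2002/11/19 10:15:02.000300 192.168.1.40:1050 -> 203.0.113.9:53
  .............www.kazaa.com.....
T 2002/11/19 10:15:03.000500 192.168.1.50:1060 -> 203.0.113.7:80 [AP]
  GET /kazaa HTTP/1.0..
U 2002/11/19 10:15:04.000700 192.168.1.1:1070 -> 203.0.113.8:3000
  kazaa...........
"""

# Protocol letter, date, time, src:port -> dst:port
HEADER = re.compile(r"^([UT]) \S+ \S+ (\S+):(\d+) -> (\S+):(\d+)")

def kazaa_udp_sources(log_text, never_block=()):
    """Source IPs of UDP packets with 'kazaa' in the first 16 payload bytes."""
    skip = {ipaddress.ip_address(a) for a in never_block}
    hits, pending = set(), None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            # Payload lines are indented, so packet contents cannot forge a header.
            pending = m.group(2) if m.group(1) == "U" else None
            continue
        if pending and line.startswith("  "):
            # ngrep prints one character per byte; check bytes 0..15 only.
            if "kazaa" in line[2:18].lower():
                try:
                    ip = ipaddress.ip_address(pending)  # reject anything not an IP
                except ValueError:
                    ip = None
                if ip is not None and ip not in skip:
                    hits.add(ip)
        pending = None  # only the first payload line after a header is inspected
    return sorted(str(ip) for ip in hits)

def blackhole_commands(ips):
    """Render the route commands instead of running them, so they can be reviewed."""
    return [f"ip route add blackhole {ip}/32" for ip in ips]

if __name__ == "__main__":
    for cmd in blackhole_commands(kazaa_udp_sources(SAMPLE_LOG, ["192.168.1.1"])):
        print(cmd)
```

Validating the extracted field with `ipaddress` before it reaches a route command keeps a malformed log line from turning into shell input when the cron job runs.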


