Re: controlling p2p & bittorrent

[Mart Frauenlob <mart.frauenlob@chello.at>]

> On Sat, 31 Jul 2010 12:21:59 -0500
> green <greenfreedom10@gmail.com> wrote:
>
> > > Steven Piercy wrote at 2010-07-30 12:27 -0500:
> > > > >    so couldn't you use the uid of your fw/shaper process and apply
> > > > > the mangle method to all tcp connections through the fw?
> > >
> > > I don't understand.  Would not something like that include all
> > > connections?  I just want p2p/bittorrent...
> Not if you run the p2p daemon as a specific user ie 'deluge' etc.
> You can also setup a group for all your p2p software to use, which you
> can share to access the files, then use something like
> iptables -A OUTPUT -m owner --gid-owner p2p ....
>
> Of course it's far more useful to be able to match traffic on a router
> between the pc with p2p and the internets, but then its harder to match
> which pkts are p2p. If you trust the machine traffic is coming from
> then you could use xt_owner on the machine generating the traffic to
> accurately mark the p2p pkts then set the TOS bit or something so the
> router can easily identify which pkts are p2p.
> Alternatively if you have control over the box generating the p2p then
> using port based rules would be easier again.

To authenticate network connections across hosts one could use nuFW 
(http://www.nufw.org/ 
http://packages.debian.org/search?keywords=nufw&searchon=names&suite=all&section=main).

> I tried http://l7-filter.sourceforge.net/ without my success, there is
> also http://www.ipp2p.org/ but i think that is no longer maintained and
> I haven't tried it.

That's now in xtables-addons (http://xtables-addons.sourceforge.net/ 
http://packages.debian.org/search?keywords=xtables-addons&searchon=names&suite=all&section=main) 
as module called ipp2p.

> In my experience I've found guessing p2p traffic on simply large udp
> pkts is more successful than these filters, especially now most p2p
> clients support encryption etc.

Best regards

Mart