Traffic shaping / bandwidth limiting / blocking p2p apps networking questions

Moderator Emeritus
Join Date: Dec 2000
Location: College Park, MD

Here's my problem: My brother is a pirate. I've been able to keep him in check by taking away computer access if he DLs stuff, but I just found out today he's getting his own computer as a gift.
I've been trying to learn this myself, and wasn't in a major rush, but now that he's getting a new computer, I need to a) block the p2p apps, b) limit his bandwidth overall, and c) set up some traffic shaping so that web surfing is of lower priority than my server.
What I have:
I've got ADSL, a linux router, and a linux squid proxy.
What I'd like to setup: I want him to have normal web surfing, gaming ability, AIM, etc. But I don't want p2p apps to work, or him to be able to DL a ton of stuff by any other means, and I want to keep his bandwidth lower, as well as not let the surfing that I know will happen as soon as he gets net access reduce server bandwidth.
I also wouldn't mind limiting his monthly transfer rates.
Any help is greatly appreciated. Thanks.
Edit: Removed a double negative.
(Last edited by Scotttheking; Mar 5, 2003 at 12:59 AM.)

Mac Elite
Join Date: Sep 2000
Location: Rochester, NY, USA

I'm not sure about the traffic shaping and bandwidth limiting (I'm looking for info on these myself, if you find any, please let me know).
I am also not a big user of p2p apps, but I imagine they each use their own, dedicated port. You can use iptables for 2.4 kernels (or ipchains for 2.2 kernels) to explicitly block those ports. You are probably firewalling some of this at the router already. You could add rules to block the traffic on those ports originating from his machine as well.
This, however, is obviously not the best solution, because each port is either full on or full off. Bandwidth limiting will help, but as I said, I don't know how to do that yet...
edit: Google is wonderful! It found this:
http://www.tldp.org/HOWTO/Bandwidth-...WTO/index.html
http://en.tldp.org/HOWTO/Adv-Routing-HOWTO/index.html
(Last edited by dreilly1; Feb 28, 2003 at 09:17 PM.)
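The two HOWTOs linked above are where the shaping side of the question is answered: the Linux tc tool with the HTB queueing discipline. The script below is an added example, not from the post or from the HOWTOs, of how that is put together for the setup described in the thread: on the ADSL upstream the server's packets are served first, everything else second, and the restricted machine's packets last and capped; on the LAN side the restricted machine's downloads get a hard ceiling. Every name and number in it is a hypothetical placeholder: ppp0 at 256 kbit/s up, eth0 with 1500 kbit/s down, the server at 192.168.1.10, the restricted host at 192.168.1.50 and its 32/128 kbit/s caps. HTB is in 2.4.20 and later kernels; older 2.4 kernels need the HTB patch the HOWTO points to.

```shell
#!/bin/sh
# HTB shaping for an ADSL router. Added example, not from the post or the HOWTOs.
# Hypothetical layout: ADSL on ppp0 (256 kbit/s up), LAN on eth0 (1500 kbit/s
# down), the server at 192.168.1.10, the restricted host at 192.168.1.50.
# Default is a dry run that prints the tc commands; run with TC=tc as root to apply.
TC="${TC:-echo}"
WAN_IF="${WAN_IF:-ppp0}";  UP_KBIT="${UP_KBIT:-256}"
LAN_IF="${LAN_IF:-eth0}";  DOWN_KBIT="${DOWN_KBIT:-1500}"
SERVER="${SERVER:-192.168.1.10}"
RESTRICTED="${RESTRICTED:-192.168.1.50}"
RESTRICTED_UP_KBIT="${RESTRICTED_UP_KBIT:-32}"      # hard caps for his traffic
RESTRICTED_DOWN_KBIT="${RESTRICTED_DOWN_KBIT:-128}"

# Shape a little below the real link speed so the queue builds here, where we
# control it, rather than in the modem where we cannot.
shape_rate() { echo $(( $1 * 90 / 100 )); }

# Upstream: three classes under one root. prio 0 is served first; "rate" is the
# guaranteed share, "ceil" how far a class may borrow when the others are idle.
shape_upstream() {
    rate=$(shape_rate "$UP_KBIT")
    $TC qdisc del dev "$WAN_IF" root 2>/dev/null
    $TC qdisc add dev "$WAN_IF" root handle 1: htb default 20
    $TC class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${rate}kbit"
    $TC class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate "$(( rate * 60 / 100 ))kbit" ceil "${rate}kbit" prio 0
    $TC class add dev "$WAN_IF" parent 1:1 classid 1:20 htb rate "$(( rate * 30 / 100 ))kbit" ceil "${rate}kbit" prio 1
    $TC class add dev "$WAN_IF" parent 1:1 classid 1:30 htb rate "$(( rate * 10 / 100 ))kbit" ceil "${RESTRICTED_UP_KBIT}kbit" prio 2
    # SFQ inside each class so one upload cannot starve the others in that class.
    for c in 10 20 30; do
        $TC qdisc add dev "$WAN_IF" parent 1:$c handle $c: sfq perturb 10
    done
    $TC filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 match ip src "$SERVER" flowid 1:10
    $TC filter add dev "$WAN_IF" parent 1: protocol ip prio 2 u32 match ip src "$RESTRICTED" flowid 1:30
}

# Downstream: shaped on the LAN side, i.e. after the bytes crossed the ADSL link.
# His class has ceil == rate, so he cannot borrow idle bandwidth at all.
shape_downstream() {
    rate=$(shape_rate "$DOWN_KBIT")
    $TC qdisc del dev "$LAN_IF" root 2>/dev/null
    $TC qdisc add dev "$LAN_IF" root handle 2: htb default 20
    $TC class add dev "$LAN_IF" parent 2: classid 2:1 htb rate "${rate}kbit"
    $TC class add dev "$LAN_IF" parent 2:1 classid 2:20 htb rate "$(( rate - RESTRICTED_DOWN_KBIT ))kbit" ceil "${rate}kbit" prio 0
    $TC class add dev "$LAN_IF" parent 2:1 classid 2:30 htb rate "${RESTRICTED_DOWN_KBIT}kbit" ceil "${RESTRICTED_DOWN_KBIT}kbit" prio 1
    $TC qdisc add dev "$LAN_IF" parent 2:20 handle 20: sfq perturb 10
    $TC qdisc add dev "$LAN_IF" parent 2:30 handle 30: sfq perturb 10
    $TC filter add dev "$LAN_IF" parent 2: protocol ip prio 1 u32 match ip dst "$RESTRICTED" flowid 2:30
}

shape_upstream
shape_downstream
```

Two things worth knowing before relying on it. Downstream shaping on the LAN interface happens after the packets have already crossed the ADSL link, so it only works because TCP senders slow down when their segments are delayed or dropped; it does nothing against a UDP flood. And because the filters match on his IP address rather than on ports, the cap applies no matter which application he runs, which is the whole point: a P2P client that dodges port-based rules still gets no more than his slice.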

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA

Your Linux router may have the option of blocking ports for specific clients (connected computers). If so, block everything but port 80 (HTML), 110 (POP3-incoming mail), and 25 (SMTP-outgoing mail). AIM can use port 80 (if the user knows where to find that in the setup), and he can check web mail, surf, etc.
You have every right to keep someone in your household from bringing the RIAA, MPAA, and the software industry down on your family through massive downloading of illegal files; the FBI investigates piracy, and can impound EVERY COMPUTER IN THE HOUSE if they start a case on your brother. You're acting in self defense. You should also inform whomever is giving your brother the computer that he's been engaging in illegal activities with computers already, and that you need help to keep him from continuing this practice.
Glenn -----
OTR/L, MOT, Tx
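The two suggestions above (block the P2P ports from his machine; let him out only on 80, 110 and 25) come down to one thing on a 2.4 router: a per-host chain in the FORWARD table. The script below is an added example, not from either post, of that chain done as a whitelist, which covers the blacklist case too: anything that is not on the allowed list, P2P ports included, is logged and dropped. The interface names eth0 and ppp0, the address 192.168.1.50, and the choice to also allow 443 and DNS are hypothetical assumptions; the thread's own list is 80, 110 and 25.

```shell
#!/bin/sh
# Per-host egress policy on the Linux router. Added example, not from the thread.
# Hypothetical layout: LAN on eth0, ADSL on ppp0, the restricted host is
# 192.168.1.50 and the router already forwards (and NATs) for the LAN.
# Default is a dry run that prints the rules; run with IPT=iptables as root to apply.
IPT="${IPT:-echo}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
RESTRICTED="${RESTRICTED:-192.168.1.50}"

# TCP ports he may open outbound. 80, 110 and 25 are the thread's list; 443 is
# added here (assumption) so that HTTPS logins for web mail keep working.
ALLOWED_TCP="80 443 110 25"

build_restricted_chain() {
    # Dedicated chain so it can be rebuilt without touching the rest of the firewall.
    $IPT -N RESTRICTED 2>/dev/null
    $IPT -F RESTRICTED
    # Packets belonging to connections he was allowed to open.
    $IPT -A RESTRICTED -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS, otherwise nothing resolves (assumption: the router or ISP is his resolver).
    $IPT -A RESTRICTED -p udp --dport 53 -j ACCEPT
    for port in $ALLOWED_TCP; do
        $IPT -A RESTRICTED -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log what else he tries, rate-limited so a P2P client cannot flood syslog,
    # then drop it. The log lines show which ports the client falls back to.
    $IPT -A RESTRICTED -m limit --limit 6/min -j LOG --log-prefix "RESTRICTED-DROP: "
    $IPT -A RESTRICTED -j DROP
}

install_policy() {
    build_restricted_chain
    # Only traffic from his address heading out the ADSL link enters the chain;
    # deleting first makes re-running the script idempotent.
    $IPT -D FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$RESTRICTED" -j RESTRICTED 2>/dev/null
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -s "$RESTRICTED" -j RESTRICTED
}

install_policy
```

Run as-is it prints the rules; `IPT=iptables sh egress.sh` as root applies them. The LOG rule is the part worth keeping: the first thing a blocked P2P client does is try other ports, and the log shows which. It is also how you notice it falling back to port 80, where only the proxy's own ACLs can tell it apart from web browsing.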

Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA

Some P2P protocols are kinda dumb, like gnutella for instance, if it is not modified by the end user. However, things like Kazaa are quite smart and not easily filtered. I have been working on trying to rid an organization of Kazaa traffic for some time now, and the more I block things the more vexing it becomes. I've run several sniffer traces to try and figure out what exactly it is doing and how it behaves, but it continues to work despite my and my colleagues' efforts. I'd like to hear anyone else's experience with Kazaa filtering, short of a signature-based device that sees the Kazaa signature in traffic and sends resets to both hosts to close the connection (which do exist).

Moderator Emeritus
Join Date: Dec 2000
Location: College Park, MD

At this point I'm now thinking of setting my firewall to reject all outgoing, then open for IPs that my machines have, and for him keep it locked down. Then route FTP and HTTP through proxies which will have access control and bandwidth limiting through them.
That should work fine, right? Or will p2p just be able to run through the http proxy?
Sorry for the dumb questions, I wasn't planning on rebuilding my network quite yet and I don't know much about networking.
I'm glad I don't have to worry about Kazaa (there's no Mac version, is there?), but it sounds like stateful matching is your best bet. If I see anything I'll let you know.

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA

Your plan, as long as it does include bandwidth limiting, should work. The limiting is crucial, because of the number of "smart" P2P programs out there. I would be surprised if there isn't a Kazaa client for Macs out there. Also note that Kazaa is being targeted as a malware conduit: the virus writers and script kiddies are using its protocols to pass their nasty stuff.
One way limiting works is psychological; you get a connection, but it's frustratingly slow! I've also seen limiting software that allows X MB of data to be downloaded in a specified period of time. After that, BAM! no more data.
Good luck with your brother.
Glenn -----
OTR/L, MOT, Tx
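The second kind of limiting described above, X MB in a period and then no more data, does not need special software on a Linux router: iptables byte counters plus a cron job do it, and it answers the original poster's wish to cap monthly transfer. The script below is an added example, not from the post: a chain whose only job is to count bytes to and from his machine, a state file keyed on the calendar month, and a REJECT rule that goes in once the running total passes the quota. The address 192.168.1.50, the 2000 MB quota and the state directory are hypothetical; the iptables output it parses is the standard `-L -v -x -n` listing.

```shell
#!/bin/sh
# Monthly transfer quota from iptables byte counters. Added example, not from
# the thread. Hypothetical: the restricted host is 192.168.1.50, the quota is
# 2000 MB per calendar month, state is kept under /var/lib/quota, and this
# script is run from cron every few minutes.
# Default is a dry run that prints the iptables commands; run with IPT=iptables as root.
IPT="${IPT:-echo}"
RESTRICTED="${RESTRICTED:-192.168.1.50}"
QUOTA_MB="${QUOTA_MB:-2000}"
STATE_DIR="${STATE_DIR:-/var/lib/quota}"

# A chain that only counts. RETURN as the target keeps the target column of
# "iptables -L -v -x -n" populated, so the fields below parse at fixed positions.
setup_accounting() {
    $IPT -N ACCOUNTING 2>/dev/null
    $IPT -F ACCOUNTING
    $IPT -A ACCOUNTING -d "$RESTRICTED" -j RETURN
    $IPT -A ACCOUNTING -s "$RESTRICTED" -j RETURN
    $IPT -D FORWARD -j ACCOUNTING 2>/dev/null
    $IPT -I FORWARD 1 -j ACCOUNTING
}

# Sum the bytes column of the ACCOUNTING rules whose source or destination is $1.
# stdin: output of "iptables -L ACCOUNTING -v -x -n" (-x gives exact byte counts).
bytes_for_host() {
    awk -v host="$1" '$3 == "RETURN" && ($8 == host || $9 == host) { sum += $2 }
                      END { printf "%d\n", sum + 0 }'
}

# Add $3 bytes to the running total in state file $1 for month $2; a new month
# starts from zero. Prints the new total.
update_total() {
    saved_month=""; saved_total=0
    [ -r "$1" ] && read -r saved_month saved_total < "$1"
    [ "$saved_month" = "$2" ] || saved_total=0
    total=$(( saved_total + $3 ))
    printf '%s %s\n' "$2" "$total" > "$1"
    echo "$total"
}

# True (exit 0) when $1 bytes is at or over $2 MB.
over_quota() { [ "$1" -ge $(( $2 * 1024 * 1024 )) ]; }

# "block" inserts the cut-off rule, "allow" removes it; both are idempotent.
# REJECT rather than DROP so the cut-off looks deliberate, not like a dead link.
enforce() {
    $IPT -D FORWARD -s "$RESTRICTED" -j REJECT --reject-with icmp-admin-prohibited 2>/dev/null
    if [ "$1" = block ]; then
        $IPT -I FORWARD 1 -s "$RESTRICTED" -j REJECT --reject-with icmp-admin-prohibited
    fi
}

# Read the counters, zero them, fold the delta into this month's total, enforce.
run() {
    mkdir -p "$STATE_DIR"
    delta=$($IPT -L ACCOUNTING -v -x -n | bytes_for_host "$RESTRICTED")
    $IPT -Z ACCOUNTING
    total=$(update_total "$STATE_DIR/$RESTRICTED" "$(date +%Y-%m)" "$delta")
    if over_quota "$total" "$QUOTA_MB"; then enforce block; else enforce allow; fi
    echo "$RESTRICTED: $(( total / 1048576 )) MB of $QUOTA_MB MB used this month"
}

case "${1:-}" in
    setup) setup_accounting; run ;;
    run)   run ;;
    *)     echo "usage: $0 setup|run" ;;
esac
```

`sh quota.sh setup` once to create the counting chain, then `sh quota.sh run` from cron every few minutes, both with IPT=iptables as root. Counters are zeroed after each read, so a reboot loses only the bytes since the last run. The counting chain has to sit before any shaping or rejecting rule, otherwise blocked attempts would not be counted and his first download after the cut-off would reset nothing.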

Senior User
Join Date: Aug 2002
Location: Pittsburgh, PA, USA

Originally posted by Scotttheking:
At this point I'm now thinking of setting my firewall to reject all outgoing, then open for IPs that my machines have, and for him keep it locked down. Then route FTP and HTTP through proxies which will have access control and bandwidth limiting through them.
That should work fine, right? Or will p2p just be able to run through the http proxy?
Sorry for the dumb questions, I wasn't planning on rebuilding my network quite yet and I don't know much about networking.
This should work. In my experience, with the right setup, p2p apps won't be able to run through the http proxy.
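What "the right setup" for the proxy amounts to is mostly two Squid ACLs. The fragment below is an added example, not the poster's configuration: it refuses CONNECT to anything but port 443 and limits plain requests to a short list of ports, which is what stops a P2P client that tunnels over an HTTP proxy (such clients ask the proxy to CONNECT to a random high port on a peer), and it throttles one source address with a delay pool, the Squid 2.x way to get the "frustratingly slow" effect mentioned earlier. The network 192.168.1.0/24, the host 192.168.1.50 and the numbers in the delay pool are hypothetical.

```conf
# squid.conf fragment. Added example, not from the thread. Assumptions: the LAN
# is 192.168.1.0/24, the restricted host is 192.168.1.50, and the router firewall
# lets that host reach the Internet only through this proxy.
acl lan src 192.168.1.0/24
acl brother src 192.168.1.50
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT

# CONNECT is a raw tunnel; allowing it only to 443 closes the door an
# HTTP-tunnelling P2P client relies on. Plain requests are held to web and ftp.
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow lan
http_access deny all

# Class 2 pool: no aggregate limit (-1/-1), one bucket per source address.
# Individual numbers are bytes/second and bucket size in bytes, so the
# restricted host gets roughly 16 KB/s once a 256 KB burst is used up.
delay_pools 1
delay_class 1 2
delay_access 1 allow brother
delay_access 1 deny all
delay_parameters 1 -1/-1 16000/256000
```

The proxy ACLs are only a control if the firewall denies his host everything except the proxy port; otherwise a client that can open its own sockets simply ignores the proxy. Squid also serves ftp:// URLs itself, which is why port 21 is in Safe_ports and why the poster's plan to route FTP through the proxy needs no separate FTP proxy.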