[kwlug-disc] Blocking Bittorrrent
Chris Irwin
chris at chrisirwin.ca
Mon Nov 16 21:22:40 EST 2015
On Mon, Nov 16, 2015 at 08:41:50PM -0500, Paul Nijjar wrote:
> I could take a page out of Rogers's playbook and attempt to slow down
> all encrypted traffic (or even block it all, which is pretty evil but
> would make web surfing and SSH inconvenient).
"Inconvenient" is the understatement of the year, considering SSL is a
requiement for pretty much any site doing authentication now :)
> I am not sure whether pfSense could even identify encrypted traffic,
> but some L7 filtering might make it possible. I could potentially
> allow encrypted traffic over a few ports (22, 443, whatever SMTP uses)
Granted, I usually have a side of my firewall I can consider "safe", but
this is the best solution I can think of, as well.
Remember, you'll want to add some "non-ssl" ports to your encrypted
whitelist as well. For example, SMTP can do STARTTLS to encrypt traffic
over port 25.
Also, I think torrent clients default to "prefer" encryption. So if
you're doing L7 filtering, don't forget to actually check for plain text
torrent traffic as well.
> [...]but then Bittorrent just will use 443 again.
I don't think this would matter, because you'd be filtering based on
remote port. When you go to an SSL site (google:443), your browser's
outgoing connection is from some random local port (laptop:56789).
For bittorrent to match your whitelist rules, the *remote* would have to
be using port 443.
> I have been poking around on the Internet, but have not found any good
> suggestions thus far. Can you help me be evil?
Remember, no matter how hard you try, you'll never be 100% evil. There's
always VPNs, tunnels, and clever people with more time and curiosity
than either of us probably have.
--
Chris Irwin
email: chris at chrisirwin.ca
xmpp: chris at chrisirwin.ca
web: https://chrisirwin.ca
More information about the kwlug-disc
mailing list