Geek Style

Babak Farrokhi’s e-presence

Archive for the ‘filter’ tag

Blocking P2P traffic

with 52 comments

After web traffic, P2P file sharing consumes the biggest share of your (invaluable) bandwidth.
Once you block it, you will find out how much of your bandwidth was being used by P2P programs.

I managed to put up a simple access list (in FreeBSD ipfw format, but you can convert it to your favorite format easily) to block this sort of traffic, and the result was acceptable.

My /etc/ipfw.conf (the port after "to any" is the destination port, i.e. the default listening port of each client):

# kazaa - fasttrack clones
add deny tcp from any to any 1214
add deny udp from any to any 1214

# edonkey and clones
add deny tcp from any to any 4661-4672
add deny udp from any to any 4661-4672

# winmx and napster
add deny tcp from any to any 6257
add deny udp from any to any 6257
add deny tcp from any to any 6699
add deny udp from any to any 6699

# bittorrent
add deny tcp from any to any 6881-6889
add deny udp from any to any 6881-6889

# gnutella
add deny tcp from any to any 6346
add deny udp from any to any 6346

After applying the above restrictions, I saw a 10% drop in our traffic.

I spent some hours trying to find a comprehensive list of known P2P protocols and their TCP/UDP ports, but I couldn't. I guess no one has tried to make one yet.
I am thinking of making this list here, on my website, which would be very useful for network admins.
That would be a list of P2P protocols and their associated applications, as well as their Layer 4-7 information, to make them easier to control or block. It is a basic idea and needs to be fleshed out.
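The Layer 4-7 point matters more than it looks: the ipfw rules above only see destination ports, so a client that listens on a non-default port (or a web server that happens to sit on 6881) is misclassified. The following Python is an added example, not code from the original post. It copies the port table from the rules above, adds two Layer-7 signatures that are fixed by the protocols themselves (the BitTorrent peer-wire handshake starts with byte 19 followed by "BitTorrent protocol"; a Gnutella 0.6 client opens with "GNUTELLA CONNECT/"), and runs both methods over a handful of constructed flow records to show what each one catches and misses. The flows, byte counts and the eDonkey payload bytes are made up for illustration.

```python
# Added example (not from the original post): why a destination-port list
# catches only part of P2P traffic.  The port table copies the ipfw rules
# above; the Layer-7 signatures are the fixed prefixes of the BitTorrent
# peer-wire handshake and the Gnutella 0.6 connect line.  All flow records
# below are constructed sample data, not captured traffic.
from dataclasses import dataclass

# Destination-port ranges from the ipfw list, inclusive.
P2P_PORTS = {
    "fasttrack":     [(1214, 1214)],
    "edonkey":       [(4661, 4672)],
    "winmx/napster": [(6257, 6257), (6699, 6699)],
    "bittorrent":    [(6881, 6889)],
    "gnutella":      [(6346, 6346)],
}

# First bytes the client sends: <19>"BitTorrent protocol" and "GNUTELLA CONNECT/".
L7_SIGNATURES = {
    "bittorrent": b"\x13BitTorrent protocol",
    "gnutella":   b"GNUTELLA CONNECT/",
}


@dataclass
class Flow:
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    first_payload: bytes  # first bytes the client sent (constructed)
    nbytes: int           # bytes carried by the whole flow (constructed)


def classify_by_port(flow):
    """What the ipfw rules would match: destination port only."""
    for name, ranges in P2P_PORTS.items():
        if any(lo <= flow.dport <= hi for lo, hi in ranges):
            return name
    return None


def classify_by_payload(flow):
    """What a Layer-7 signature would match, regardless of port."""
    for name, sig in L7_SIGNATURES.items():
        if flow.first_payload.startswith(sig):
            return name
    return None


def summarize(flows):
    """Bytes matched by the port list, by the signatures, and by either method."""
    by_port = sum(f.nbytes for f in flows if classify_by_port(f))
    by_payload = sum(f.nbytes for f in flows if classify_by_payload(f))
    either = sum(f.nbytes for f in flows if classify_by_port(f) or classify_by_payload(f))
    return {"total": sum(f.nbytes for f in flows),
            "port": by_port, "payload": by_payload, "either": either}


# pstrlen + pstr + 8 reserved bytes + 20-byte info_hash + 20-byte peer_id (values made up)
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + b"\x11" * 20 + b"-XX0001-" + b"\x22" * 12

SAMPLE_FLOWS = [
    Flow("tcp", 80,    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 120_000),
    Flow("tcp", 6881,  BT_HANDSHAKE, 5_000_000),             # default port: both methods hit
    Flow("tcp", 51413, BT_HANDSHAKE, 8_000_000),             # non-default port: port rule misses
    Flow("tcp", 6346,  b"GNUTELLA CONNECT/0.6\r\n", 300_000),
    Flow("tcp", 4662,  b"\xe3\x01\x00", 2_000_000),           # eDonkey port, no signature in our table
    Flow("udp", 6881,  b"", 50_000),
    Flow("tcp", 6881,  b"GET /index.html HTTP/1.0\r\n\r\n", 10_000),  # web server on 6881: port rule false positive
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.proto}/{f.dport:<5} port={classify_by_port(f)!s:14} payload={classify_by_payload(f)}")
    print(summarize(SAMPLE_FLOWS))
```

On this sample the port list alone accounts for a bit under half of the P2P bytes, the signatures alone catch the BitTorrent client that moved off 6881-6889, and only the two together come close to the real total; the HTTP server on 6881 shows the other side of port-only matching, a legitimate flow that the deny rules would silently drop. A real signature table needs one entry per protocol (the eDonkey flow above is matched only by port because no signature for it is given here).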

I would be happy to see your helpful comments on this subject.

Written by Babak Farrokhi

November 26th, 2003 at 2:33 am

Posted in TCP/IP


Blocking Nachi using IPFW2

with one comment

I am not a Linux guru, but if you are using Linux as your network border router, you can block the Nachi worm using netfilter (explained here).
If you are running FreeBSD as your gateway, you need IPFW2 (rather than the standard ipfw of the 4.x branch) to filter the worm's 92-byte ICMP packets. That length is the total IP length of its ICMP echo requests: 64 bytes of payload plus the 8-byte ICMP header and the 20-byte IP header. Note that the rule below matches any ICMP datagram of exactly that size, including the echo replies that answer the worm's probes.

pilot:~# ipfw add 50 deny icmp from any to any iplen 92
00050 deny icmp from any to any iplen 92

and then check that it is actually matching something:

pilot:~# ipfw show
00050     10      920 deny icmp from any to any iplen 92
00100 300093 64940563 allow ip from any to any
65535      0        0 deny ip from any to any

So we caught 10 packets (920 bytes in total) after a short while.

iplen is only supported in IPFW2, which is enabled by default in FreeBSD 5.x; on the 4.x series you have to enable it manually.
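To see exactly what `iplen 92` does and does not match, here is an added Python example (not from the original post and not FreeBSD code) that builds minimal IPv4/ICMP datagrams and applies the same test the rule applies, plus a tighter variant that also checks the ICMP type, the way `icmptypes 8` would in ipfw. It assumes the worm's probe is an ICMP echo request with 64 bytes of payload; the 0xAA fill used for that payload is the value commonly reported for Nachi/Welchia and is treated here as an assumption. The other packets (a default Linux ping with 56 bytes of data, a default Windows ping with 32) are constructed for comparison.

```python
# Added example, not from the original post: emulate what
#   ipfw add deny icmp from any to any iplen 92
# matches, and compare it with the tighter
#   ipfw add deny icmp from any to any icmptypes 8 iplen 92
# Assumption: the Nachi/Welchia probe is an ICMP echo request carrying
# 64 bytes of payload (0xAA fill, as commonly reported), giving an IP total
# length of 20 + 8 + 64 = 92 bytes.  All packets below are constructed.
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(src: str, dst: str, payload: bytes, icmp_type: int = 8) -> bytes:
    """Minimal IPv4 datagram carrying an ICMP echo request (8) or reply (0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def iplen(pkt: bytes) -> int:
    """IP total length field, which is what ipfw's iplen option compares."""
    return struct.unpack("!H", pkt[2:4])[0]


def ip_proto(pkt: bytes) -> int:
    return pkt[9]


def icmp_type(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl]


def rule_iplen92(pkt: bytes) -> bool:
    """deny icmp from any to any iplen 92"""
    return ip_proto(pkt) == 1 and iplen(pkt) == 92


def rule_iplen92_echo(pkt: bytes) -> bool:
    """deny icmp from any to any icmptypes 8 iplen 92  (only echo requests)"""
    return rule_iplen92(pkt) and icmp_type(pkt) == 8


def count_matches(pkts, rule):
    """Packet and byte counters, like the two columns of `ipfw show`."""
    hits = [p for p in pkts if rule(p)]
    return len(hits), sum(len(p) for p in hits)


# Constructed sample packets.
NACHI_PING   = build_icmp("10.0.0.5", "10.0.1.9", b"\xaa" * 64)                 # 92 bytes
NACHI_REPLY  = build_icmp("10.0.1.9", "10.0.0.5", b"\xaa" * 64, icmp_type=0)    # victim's reply, also 92
LINUX_PING   = build_icmp("10.0.0.5", "10.0.1.9", bytes(56))                     # default 56-byte data -> 84
WINDOWS_PING = build_icmp("10.0.0.5", "10.0.1.9", b"abcdefghijklmnopqrstuvwabcdefghi")  # 32 bytes -> 60

if __name__ == "__main__":
    for name, pkt in [("nachi ping", NACHI_PING), ("nachi reply", NACHI_REPLY),
                      ("linux ping", LINUX_PING), ("windows ping", WINDOWS_PING)]:
        print(f"{name:13} iplen={iplen(pkt):3}  iplen92={rule_iplen92(pkt)!s:5}  "
              f"iplen92+echo={rule_iplen92_echo(pkt)}")
    print("10 probes ->", count_matches([NACHI_PING] * 10, rule_iplen92))
```

Ten worm probes give the counters 10 packets / 920 bytes seen in the `ipfw show` output above. The default Linux and Windows pings are 84 and 60 bytes and pass both rules, but the 92-byte echo replies your own hosts send back to a probe are dropped by the plain `iplen 92` rule; adding the ICMP type check keeps the rule on the requests only.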

The ipfw man page gives more detail on the enhancements in ipfw2 and on how to enable it in a 4.x kernel:

ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before a buildworld).

OpenBSD gurus may provide a solution to do the same using pf.

Written by Babak Farrokhi

September 5th, 2003 at 7:44 pm

Posted in Internet


Another tip to block spammers using Postfix

without comments

Steve Friedl has posted another useful tip for blocking spammers with Postfix.
It explains that spammers often do not give their real hostname in the HELO or EHLO SMTP command; they use YOUR hostname or address instead! So you can easily block them with a few simple Postfix rules that reject connections identifying themselves as you.
Read it here.

Written by Babak Farrokhi

September 4th, 2003 at 10:31 pm

Posted in Internet
