[kwlug-disc] Blocking Bittorrent

Chris Irwin chris at chrisirwin.ca
Mon Nov 16 21:22:40 EST 2015


On Mon, Nov 16, 2015 at 08:41:50PM -0500, Paul Nijjar wrote:
> I could take a page out of Rogers's playbook and attempt to slow down
> all encrypted traffic (or even block it all, which is pretty evil but
> would make web surfing and SSH inconvenient).

"Inconvenient" is the understatement of the year, considering SSL is a
requirement for pretty much any site doing authentication now :)

> I am not sure whether pfSense could even identify encrypted traffic,
> but some L7 filtering might make it possible. I could potentially
> allow encrypted traffic over a few ports (22, 443, whatever SMTP uses)

Granted, I usually have a side of my firewall I can consider "safe", but
this is the best solution I can think of, as well.

Remember, you'll want to add some "non-ssl" ports to your encrypted
whitelist as well. For example, SMTP can do STARTTLS to encrypt traffic
over port 25.

Also, I think torrent clients default to "prefer" encryption. So if
you're doing L7 filtering, don't forget to actually check for plain text
torrent traffic as well.

> [...]but then Bittorrent just will use 443 again. 

I don't think this would matter, because you'd be filtering based on
remote port. When you go to an SSL site (google:443), your browser's
outgoing connection is from some random local port (laptop:56789).

For bittorrent to match your whitelist rules, the *remote* would have to
be using port 443.

> I have been poking around on the Internet, but have not found any good
> suggestions thus far. Can you help me be evil?

Remember, no matter how hard you try, you'll never be 100% evil. There's
always VPNs, tunnels, and clever people with more time and curiosity
than either of us probably have.

-- 
Chris Irwin

email:   chris at chrisirwin.ca
 xmpp:   chris at chrisirwin.ca
  web: https://chrisirwin.ca
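An added example, not part of the thread above and not from pfSense or any torrent client, that illustrates the two points in Chris's reply on constructed data: the encrypted-traffic whitelist has to key on the *remote* port (the browser's local port 56789 is irrelevant), and because clients only "prefer" encryption, a plaintext BitTorrent handshake can still show up on a whitelisted port and should be caught by the L7 check. The port set, the `Flow` record and the sample flows are assumptions for the demonstration; the handshake prefix is the standard peer-wire handshake from BEP 3.

```python
# Added example (not from the kwlug-disc thread): a tiny flow classifier that
# shows why the whitelist keys on the remote port and why an L7 check for
# plaintext torrent traffic is still needed on whitelisted ports.
from dataclasses import dataclass

# Assumed policy: remote ports on which encrypted traffic is allowed.
# 22 = SSH, 25 = SMTP (can upgrade to TLS via STARTTLS), 443 = HTTPS.
ENCRYPTED_WHITELIST = {22, 25, 443}

# Standard BitTorrent peer-wire handshake prefix (BEP 3): a length byte of 19
# followed by the ASCII string "BitTorrent protocol".
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"

# First bytes of a TLS record carrying a ClientHello (content type 0x16,
# legacy record version 3.1); used here only to build sample flows.
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01"


@dataclass
class Flow:
    """One outbound TCP connection as seen from the firewall (assumed shape)."""
    local_port: int     # the client's ephemeral port, e.g. laptop:56789
    remote_port: int    # the port on the far end, e.g. google:443
    payload: bytes      # first bytes the client sent on the connection


def remote_port_allowed(flow: Flow) -> bool:
    """Whitelist decision: only the remote port matters."""
    return flow.remote_port in ENCRYPTED_WHITELIST


def is_plaintext_bittorrent(flow: Flow) -> bool:
    """L7 check: an unencrypted BitTorrent handshake is recognisable by prefix."""
    return flow.payload.startswith(BT_HANDSHAKE_PREFIX)


def classify(flow: Flow) -> str:
    """Return the policy verdict for one flow."""
    if is_plaintext_bittorrent(flow):
        return "block: plaintext bittorrent handshake"
    if remote_port_allowed(flow):
        return "allow: encrypted traffic to whitelisted remote port"
    return "block: remote port not in encrypted whitelist"


# Constructed sample flows.
SAMPLE_FLOWS = {
    # Browser to an HTTPS site: random local port, remote port 443.
    "browser_https": Flow(56789, 443, TLS_CLIENT_HELLO_PREFIX + b"\x00\x10"),
    # Torrent client that bound its *local* port to 443; the peer listens on
    # an ordinary torrent port, so the remote port does not match.
    "torrent_local_443": Flow(443, 51413, TLS_CLIENT_HELLO_PREFIX + b"\x00\x10"),
    # Peer that happens to listen on 443 but speaks plaintext BitTorrent.
    "torrent_remote_443_plain": Flow(60000, 443, BT_HANDSHAKE_PREFIX + bytes(8)),
    # Outbound SMTP, which may upgrade to TLS with STARTTLS.
    "smtp": Flow(40123, 25, b"EHLO laptop.example\r\n"),
}


def classify_all(flows=None) -> dict:
    """Classify every sample flow; returns {name: verdict}."""
    return {name: classify(f) for name, f in (flows or SAMPLE_FLOWS).items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:28s} -> {verdict}")
```

The third sample is the case the reply warns about: the whitelist alone would let it through because the remote port is 443, and only the payload check catches it. A real firewall would of course see the handshake only if it inspects the first packets of the stream, which is exactly the L7 filtering being discussed.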