From: Chuck Swiger <cswiger@mac.com>
Date: Fri, 17 Jun 2005 15:58:24 -0400
To: "Alexandre D."
Cc: freebsd-ipfw@freebsd.org, Gilberto Villani Brito
Subject: Re: Pipes.
List-Id: IPFW Technical Discussions

Alexandre D. wrote:
> The answer is not so easy.
> P2P is not only based on port numbers.
> The P2P detection is quite difficult, and maybe impossible.

Not at all.

Start with "deny all", and only allow stuff through which you really need to allow. Blocking all outbound client traffic and requiring them to go through a proxy on the LAN is adequate.

> My own position is that ipfw is not able to block P2P

Besides, the word was "control". You can shunt all high-priority stuff (NTP, DNS, ICMP) into one queue, and put HTTP, FTP, 6667, etc. on a low-priority queue via dummynet, and/or adjust the permitted bandwidth.

--
-Chuck
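A concrete ipfw ruleset in the shape Chuck describes (default deny, clients forced through a LAN proxy, dummynet queues for high- and low-priority traffic), added here as an example and not taken from the thread or from the FreeBSD project. The interface names, addresses, proxy port and uplink speed are assumptions; without FWCMD set the script only prints the rules it would load.

```shell
#!/bin/sh
# Default-deny ipfw ruleset with dummynet prioritisation (added example, not from
# the thread). Hypothetical layout: LAN 192.168.1.0/24 on em0, uplink em1 at about
# 2 Mbit/s, HTTP proxy at 192.168.1.2:3128. Without FWCMD set, rules are printed
# instead of loaded; run with FWCMD=/sbin/ipfw as root on FreeBSD to apply them.
fwcmd="${FWCMD:-echo /sbin/ipfw}"
lan_if="em0"; wan_if="em1"; lan_net="192.168.1.0/24"; proxy="192.168.1.2"

load_rules() {
    $fwcmd -f flush
    $fwcmd -f pipe flush

    # One pipe models the uplink; two weighted queues share it, so control
    # traffic gets most of the link when it competes with bulk transfers.
    $fwcmd pipe 1 config bw 2Mbit/s
    $fwcmd queue 1 config pipe 1 weight 90   # NTP, DNS, ICMP
    $fwcmd queue 2 config pipe 1 weight 10   # HTTP, FTP, IRC via the proxy

    $fwcmd add 100 allow ip from any to any via lo0

    # Clients may only reach the proxy and the gateway's resolver; everything
    # else leaving the LAN is dropped and logged (this is what stops P2P).
    $fwcmd add 200 allow tcp from $lan_net to $proxy 3128 in via $lan_if
    $fwcmd add 210 allow udp from $lan_net to me 53 in via $lan_if
    $fwcmd add 220 allow ip from $proxy to any in via $lan_if
    $fwcmd add 230 deny log ip from $lan_net to any in via $lan_if

    # Outbound on the uplink. With the default net.inet.ip.fw.one_pass=1 a
    # queue rule also accepts the packet, so it must sit after the denies.
    $fwcmd add 300 queue 1 udp from me to any 53,123 out via $wan_if
    $fwcmd add 310 queue 1 icmp from me to any out via $wan_if
    $fwcmd add 320 queue 2 tcp from $proxy to any 80,443,21,6667 out via $wan_if

    # Replies coming back over the uplink, then delivery onto the LAN.
    $fwcmd add 400 allow tcp from any to $proxy in via $wan_if established
    $fwcmd add 410 allow udp from any 53,123 to me in via $wan_if
    $fwcmd add 420 allow icmp from any to me in via $wan_if icmptypes 0,3,11
    $fwcmd add 500 allow ip from any to $lan_net out via $lan_if

    $fwcmd add 65000 deny log ip from any to any
}

# Helpers used by the dry-run check: how many rules, and which one is last.
rule_count() { load_rules | grep -c ' add '; }
last_rule()  { load_rules | tail -n 1; }
```

Anything the LAN emits that is not a proxy connection or a DNS query to the gateway hits rule 230 and shows up in the ipfw log, which is also where you would look for clients trying to run P2P directly.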