Date: Fri, 19 Aug 2011 11:33:57 +0100
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Tim Salvador <salvador@cleverbridge.com>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: RE: blocking spotify with pf
Message-ID: <9EB23F6C23A8B6488E8BCC92A48E83261277D43E76@PEMEXMBXVS04.jellyfishnet.co.uk.local>
In-Reply-To: <17390d5c-d9ec-4594-ad53-abaf6cd91135@jenny>
References: <50952547-ec21-41a5-b54d-0d7466a6dcd6@jenny> <17390d5c-d9ec-4594-ad53-abaf6cd91135@jenny>

> Recently it has come to our attention that bandwidth has become an issue
> with increased Spotify usage throughout the company. I'm looking for a way
> to block access to it in pf. The rule that I am trying is the following:
>
> table <spotify> { 78.31.8.0/22, 193.182.8.0/21 }
> block return in quick on $int_if proto tcp from 192.168.1.0/24 to <spotify> port 4070
>
> For whatever reason it is showing that the rule is working but not really
> working. Am I missing something?
>
Yes, stop trying to plug a leak in a colander by using a match stick.

Block by default by starting the policy with

    block log all

and only allow routed egress to the specific sites and services which are directly related to a valid business requirement.

Run all browser traffic through a proxy server to categorise and inspect the content, permitting internet access from the proxy to 80 and 443/tcp only.

For a business that describes itself as 'advanced e-commerce' you guys should know this already; this is not rocket science.

With an open door flapping in the breeze as suggested above, if I was to speculate, I would suggest that Spotify is the least of the problems you should worry about right now.
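
The policy the reply describes, written out as a pf.conf sketch. This is an added example, not part of the original message; the interface names, the DMZ placement and address of the proxy, and the proxy port 3128 are assumptions.

```pf
# Added example: constructed pf.conf sketch, not from the original thread.
# Every macro value except lan_net is a hypothetical placeholder.
ext_if  = "em0"              # assumed external interface
int_if  = "em1"              # assumed internal (client) interface
dmz_if  = "em2"              # assumed DMZ interface holding the proxy
lan_net = "192.168.1.0/24"   # client network from the quoted question
proxy   = "192.168.2.10"     # assumed proxy address in the DMZ

set skip on lo0

# Only the proxy is translated, so only the proxy can be a source of
# outbound internet traffic. Clients get no NAT and no direct route out.
nat on $ext_if inet from $proxy to any -> ($ext_if)

# Default deny with logging, as the reply recommends. Anything not
# passed below is dropped and recorded on pflog0.
block log all

# Clients may talk to the proxy and nothing else. The approach in the
# quoted question (a block on tcp/4070 to two netblocks) is not needed:
# that traffic never matches a pass rule.
pass in  on $int_if inet proto tcp from $lan_net to $proxy port 3128 keep state
pass out on $dmz_if inet proto tcp from $lan_net to $proxy port 3128 keep state

# The proxy may reach the internet on 80 and 443/tcp only, and may not
# turn around and reach the client network.
pass in  on $dmz_if inet proto tcp from $proxy to ! $lan_net port { 80, 443 } keep state
# Translation happens before filtering on the way out, so the source
# seen here is the firewall's own external address.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80, 443 } keep state

# Name resolution for the proxy and any other business-required egress
# (mail relay, NTP, VPN peers) would each need their own explicit pass
# rules; they are left out because the thread does not describe them.
```

Parse the ruleset with `pfctl -nf` before loading it, and watch what the default rule drops with `tcpdump -n -e -ttt -i pflog0`.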
