Re: Detecting p2p traffic

Linux Advanced Routing and Traffic Control


On Monday 22 May 2006 03:26, Andrew Beverley wrote:
> Jason Boxman wrote:
> > On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
> >> After varying degrees of success with p2p detection modules, I would
> >> like to write the following rules using iptables to reliably identify
> >> p2p traffic:
> >
> > <snip>
> >
> >> On my network all p2p traffic falls into these categories, and I don't
> >> mind overmatching with other traffic.
> >
> > If you can, you could look into compiling and using ipp2p against your
> > kernel. I find it works extremely well with my p2p traffic from edonkey
> > protocol(s). You may have success with L7-Filter, too.  You can probably
> > use both at the same time, but I've never tried as ipp2p works for me.
>
> Thanks - I tried both ipp2p and l7-filter. I found that on the whole
> they worked well, but on the network of 50 clients there was always a
> couple that it didn't detect. I also wanted to put something in place
> that didn't need upgrading - if and when I move on someone will have to
> keep updating ipp2p and l7-filter on the server.

There is an alternative method that I've used and that is infallible at
detecting p2p. Find out what is *not* p2p traffic in your network and give it
the appropriate bandwidth/priority. Then the rest will be p2p traffic.

This is the same approach used to build firewall rules, which is to close all
traffic and start opening ports/protocols until everything works OK. So at first
maybe there will be some false positives, but with your clients' feedback and a
little network analysis everything goes to the right place.

Some clues on what is not p2p:
- packets with size < 100 bytes
- tcp ports 80, 21, 22, 25, 110 and so on...
- all udp; some p2p protocols use it for control, but AFAIK it is not used in
data transfers, and if it is, you can still use a size rule, i.e. udp < 900 bytes
- other protocols such as icmp, igmp, esp...

-- 
Luciano
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
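
The classify-by-exclusion approach from the message above, written as iptables mangle rules; this is an added example, not part of the original post. The chain name, the mark values and the print-only `emit_rules` function are assumptions of the example; the marks it sets are meant to be matched by tc `fw` filters that assign bandwidth/priority.

```shell
#!/bin/sh
# Added example: mark everything recognised as "not p2p", then mark the
# remainder. Chain name and mark values are hypothetical choices.

CHAIN=NOTP2P                  # hypothetical chain name
MARK_KNOWN=10                 # traffic identified as not p2p
MARK_REST=20                  # everything left over, treated as p2p
TCP_PORTS="80,21,22,25,110"   # ports listed in the message
SMALL_MAX=99                  # "size < 100 bytes" (IP packet length)
UDP_MAX=899                   # "udp < 900 bytes"; set empty to take all UDP

# known <match...>: mark the packet as known traffic and stop classifying it.
# MARK is non-terminating, so a RETURN rule with the same match follows it.
known() {
    echo "iptables -t mangle -A $CHAIN $* -j MARK --set-mark $MARK_KNOWN"
    echo "iptables -t mangle -A $CHAIN $* -j RETURN"
}

# emit_rules: print the full rule set; nothing is applied to the kernel.
emit_rules() {
    echo "iptables -t mangle -N $CHAIN"
    known -m length --length "0:$SMALL_MAX"
    # --ports matches source OR destination, so both directions are covered.
    known -p tcp -m multiport --ports "$TCP_PORTS"
    if [ -n "$UDP_MAX" ]; then
        known -p udp -m length --length "0:$UDP_MAX"
    else
        known -p udp
    fi
    for proto in icmp igmp esp; do
        known -p "$proto"
    done
    # Default: whatever reaches this point is the remainder.
    echo "iptables -t mangle -A $CHAIN -j MARK --set-mark $MARK_REST"
    # Hook the chain in last, once it is complete.
    echo "iptables -t mangle -A FORWARD -j $CHAIN"
}

# Print the rules for review; pipe the output to sh as root to apply them.
emit_rules
```

Rule order matters: the default mark has to stay the last rule in the chain, so new exceptions found through client feedback are added before it.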
