Block or filter inter-LAN DAAP traffic

  • I have pfSense sitting behind my DSL modem used as a border firewall. I have 3 NICs providing 3 separate subnets. I want to block or filter all inter-LAN DAAP traffic like iTunes sharing on one of the segments. Is this possible with pfSense or one of the additional packages that are available?

  • How about SNORT IPS? Can this application be used for inter-LAN filtering?

  • Block port 3689/TCP between subnets and you'll block the DAAP protocol. You don't need anything as heavy as Snort.

  • OK I did that and it's working.

    How could I block this port for all traffic within the LAN? Is there a switch I could add that could do this? I'm not too familiar with IDS/IPS technology like Snort and others, but is there some way I could build a box that could do this type of filtering for traffic within the LAN itself, not just outbound or LAN-to-LAN traffic?

  • Within the LAN? You'd need to use a managed switch with some filtering capability (not cheap) or otherwise ensure that all traffic goes through the firewall (which will be a massive performance impact on the LAN traffic). This is a seriously non-trivial task and is probably better undertaken by user education.
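A small reference model of the rule settled on above, added here as an example (not code from the thread or from pfSense): it classifies constructed flows between three made-up subnets, marks same-subnet traffic as never reaching the border firewall, and drops only TCP/3689 crossing from one LAN subnet to another. The subnet addresses, the sample flows and the function names are assumptions.

```python
# Added example, not from the thread: a reference model of "block TCP/3689
# between subnets" on a three-NIC border firewall. Subnet values are made up.
import ipaddress
from typing import Iterable, List, Optional, Tuple

DAAP_PORT = 3689  # iTunes/DAAP sharing listens on TCP 3689

# Assumed layout: three NICs, three subnets (constructed values)
LAN_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
    ipaddress.ip_network("192.168.3.0/24"),
]

Flow = Tuple[str, str, str, int]  # (src, dst, proto, dport)


def lan_of(addr: str, subnets: Iterable[ipaddress.IPv4Network]) -> Optional[int]:
    """Return the index of the subnet containing addr, or None if off-LAN."""
    ip = ipaddress.ip_address(addr)
    for i, net in enumerate(subnets):
        if ip in net:
            return i
    return None


def verdict(src: str, dst: str, proto: str, dport: int,
            subnets=LAN_SUBNETS) -> str:
    """Decide what the border firewall does with one flow.

    'bypass' : same subnet, switched locally, the firewall never sees it
    'block'  : DAAP (TCP/3689) crossing from one LAN subnet to another
    'pass'   : everything else (default policy left unchanged)
    """
    s, d = lan_of(src, subnets), lan_of(dst, subnets)
    if s is not None and s == d:
        return "bypass"
    if s is not None and d is not None and proto == "tcp" and dport == DAAP_PORT:
        return "block"
    return "pass"


def apply_rules(flows: List[Flow]) -> List[str]:
    """Map each (src, dst, proto, dport) flow to its verdict."""
    return [verdict(*f) for f in flows]


# Constructed sample flows
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.10", "192.168.2.20", "tcp", 3689),  # iTunes share across LANs
    ("192.168.1.10", "192.168.1.11", "tcp", 3689),  # same LAN, never hits pfSense
    ("192.168.3.5", "192.168.1.10", "tcp", 443),    # other inter-LAN traffic
    ("192.168.2.20", "203.0.113.7", "tcp", 3689),   # to the Internet, not inter-LAN
]

if __name__ == "__main__":
    for flow, v in zip(SAMPLE_FLOWS, apply_rules(SAMPLE_FLOWS)):
        print(f"{flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<5} {v}")
```

The "bypass" case is the point made in the reply above: traffic between two hosts on the same segment is switched locally and a border firewall cannot filter it.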

  • Can this be done with a device like the MikroTik RB250GS?

    I found an example where they are blocking MSN Messenger.

  • That entry is for their firewall products, not their switch. If you review their SwOS guide you'll see there is no port-level filtering on the switches. You're looking at something much higher end, more like Cisco's IOS, though their lower-end switches may support it too.