Block P2P seems like mission impossible
I have one machine running pfSense. It's working as a gateway and also doing the PPPoE connection to my ISP (WAN PPPoE).
I am trying to block all P2P (all is very hard, but at least the most common). I am using snort, and I checked the snort rules; the correct ports to block are configured and block offenders is enabled. But it does not block everything: it blocks the P2P upload (in the eMule case) but it does not block the download. >:(
I already read somewhere in the forum that some P2P apps also use HTTP. Does this mean it's mission impossible to completely block it?
You could proxy the HTTP connections; that should block out the P2P apps trying to use that port. Or you could write something like Checkpoint's SmartDefense for pfSense ;)
There's no way to completely block P2P, even if we did have something like CheckPoint SmartDefense, because a lot of P2P apps can now encrypt their traffic and run over common ports, so it looks no different from, say, HTTPS or a VPN connection.
The unencrypted ones should be blockable with snort, but I'm not familiar with that.
The snort package has some p2p detection rules. In combination with the block offenders checkbox you can shut some of this traffic down (unless it's using the "stealth" techniques cmb already mentioned).
I have tried to use snort to block p2p, but often the first IP in the alert is my WAN IP (which is whitelisted). Is it possible to have snort block both IPs in the alert?
Have you looked into a packet shaping appliance? I'm not sure if you want to spend much money, but shaping can at least help control P2P. You can get something like a NetEqualizer for a few thousand dollars.
We don't want to slow down the p2p; we want to stop the most common apps from working at all. It seems that snort would be perfect for this if only it could be set to block both the src and dst IPs when an alert is generated.
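As an added illustration of the src/dst question raised above (not code from any poster or from the pfSense snort package): a small parser that takes alert lines, considers both endpoints, and drops whitelisted addresses so the remote peer is selected whichever side it appears on. It assumes Snort's "fast" alert line layout; the sample lines, addresses, SID and function names are constructed for the example.

```python
import ipaddress
import re

# Snort "fast" alert: ... [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)

# Constructed sample data (documentation address ranges, made-up local SID).
WHITELIST = ["203.0.113.5/32", "192.168.1.0/24"]  # assumed WAN address and LAN
SAMPLE = [
    "01/15-10:22:31.123456  [**] [1:1000001:1] P2P constructed sample rule [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{TCP} 203.0.113.5:51413 -> 198.51.100.77:6881",   # WAN address is the source
    "01/15-10:22:32.000100  [**] [1:1000001:1] P2P constructed sample rule [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{UDP} 198.51.100.200:4672 -> 203.0.113.5:4672",   # WAN address is the destination
    "01/15-10:22:33.000000 unrelated line that is not an alert",
]

def block_candidates(line, whitelist):
    """Return both alert endpoints (src, then dst) minus whitelisted addresses."""
    m = ALERT_RE.search(line)
    if m is None:
        return []
    nets = [ipaddress.ip_network(w) for w in whitelist]
    out = []
    for field in ("src", "dst"):
        try:
            ip = ipaddress.ip_address(m.group(field))
        except ValueError:          # e.g. an octet above 255 in a damaged line
            continue
        if ip not in out and not any(ip in n for n in nets):
            out.append(ip)
    return [str(ip) for ip in out]

def collect_blocks(lines, whitelist):
    """Unique addresses to block across many alert lines, numerically sorted."""
    found = {ipaddress.ip_address(ip)
             for line in lines for ip in block_candidates(line, whitelist)}
    return [str(ip) for ip in sorted(found)]

if __name__ == "__main__":
    for addr in collect_blocks(SAMPLE, WHITELIST):
        print("block", addr)
```

With an empty whitelist the same function returns both endpoints, which shows why the WAN address has to stay whitelisted when both sides of an alert are considered.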
Use a traffic quota for every user; if the traffic exceeds the quota, then his internet will be blocked or slowed down to minimum bandwidth.