Effectively blocking MSN and P2P


This document explains how to effectively block MSN and P2P at your home or
work network provided you’re using a linux gateway for internet connectivity.

These blocks can be disabled for selected computers based on their network card's MAC address. Keep reading to learn how.

Several approaches exist for blocking MSN/P2P networks. Some of these are:

* blocking incoming/outgoing ports (using both IP-based and program-based firewalls)
* preventing users from installing the software (using Windows access rights, for example)
* blocking access to some websites using a proxy server

Each one of them has its advantages and disadvantages. Unfortunately there is no foolproof method to block P2P/MSN. Still, you can combine several methods to achieve a very high level of protection.

That being said, I will provide here the steps to set up an MSN/P2P block using shorewall (an iptables frontend) and a squid transparent proxy. For this guide I will assume your LAN interface is eth1 and your Internet interface is eth0.


What you’ll need:

* a linux NAT gateway (a very common way to provide internet connectivity for private networks)
* shorewall, which is platform-independent (written in shell) and so very easy to install. Universal RPMs are provided on the main page
* squid, which is a very common web proxy and comes bundled in most linux distributions nowadays

Using only a firewall approach doesn't work because both MSN and P2P clients can connect using port 80, which is the same port used for HTTP transport (web pages) and hence can't be blocked. Plus, there are now dozens of free web clients for MSN which can be used with only your browser and don't require any program at all to be installed.
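To make the two halves of the setup concrete, here is an added example (not code from the original post or from the shorewall/squid projects) that generates the two configuration fragments: a shorewall rules fragment that rejects MSN Messenger's native port and the default P2P ports, accepts them first for hosts exempted by MAC address, and redirects the remaining port 80 traffic to squid; and a squid ACL fragment that denies MSN's HTTP fallback and the web-based MSN clients that the port-based rules cannot see. It assumes the zones `loc` (LAN on eth1) and `net` (Internet on eth0) from the guide and squid listening on port 3128; the port numbers are the well-known defaults (MSN 1863/tcp, BitTorrent 6881-6889, eDonkey 4661-4672, Gnutella 6346-6347), and the MSN host names and MIME type are the values MSN Messenger used at the time and should be re-checked against your own proxy logs. Squid does not see MAC addresses on a routed network, so exemptions on the proxy side are keyed on IP address.

```shell
#!/bin/sh
# Added example: generate a Shorewall rules fragment and a Squid ACL fragment
# that together block MSN Messenger and the common P2P ports, with exemptions
# for selected hosts. Assumptions: zone "loc" is the LAN (eth1), zone "net"
# is the Internet (eth0), Squid listens on 3128. Ports are the well-known
# defaults; clients that fall back to port 80 are handled by Squid's ACLs.
#
# Usage: sh gen-block.sh OUTDIR [MAC ...]      (MACs as xx-xx-xx-xx-xx-xx)
#        EXEMPT_IPS="192.168.1.10" sh gen-block.sh OUTDIR ...   (proxy exemptions)
# Review the generated files, then copy them into /etc/shorewall and /etc/squid.

# write_shorewall_rules OUTFILE [MAC ...]
# Shorewall reads the rules file top to bottom and the first match wins, so
# the per-MAC ACCEPT lines must come before the REJECT lines.
# Shorewall writes MAC addresses in SOURCE as loc:~xx-xx-xx-xx-xx-xx.
write_shorewall_rules() {
    out="$1"; shift
    {
        echo '#ACTION   SOURCE                    DEST   PROTO   DEST PORT(S)'
        for mac in "$@"; do
            printf 'ACCEPT    loc:~%s   net    tcp     1863,6881:6889,4661:4672,6346:6347\n' "$mac"
            printf 'ACCEPT    loc:~%s   net    udp     4661:4672,6346:6347\n' "$mac"
        done
        echo '# MSN Messenger native protocol (MSNP)'
        echo 'REJECT    loc                       net    tcp     1863'
        echo '# Default P2P ports: BitTorrent, eDonkey, Gnutella'
        echo 'REJECT    loc                       net    tcp     6881:6889,4661:4672,6346:6347'
        echo 'REJECT    loc                       net    udp     4661:4672,6346:6347'
        echo '# Everything still using port 80 goes through the transparent proxy'
        echo 'REDIRECT  loc                       3128   tcp     80'
    } > "$out"
}

# write_squid_acl OUTFILE [IP ...]
# Squid evaluates http_access lines top to bottom, first match wins, so this
# fragment must be placed before the general "http_access allow localnet".
# Host names and the MIME type are what MSN Messenger used at the time the
# original post was written; verify them against your own access.log.
write_squid_acl() {
    out="$1"; shift
    {
        echo '# Transparent proxy port (Squid 3.1 and later spell this "intercept")'
        echo 'http_port 3128 transparent'
        for ip in "$@"; do
            printf 'acl exempt src %s\n' "$ip"
        done
        if [ "$#" -gt 0 ]; then
            echo 'http_access allow exempt'
        fi
        echo '# MSN Messenger HTTP fallback: the gateway host and its request MIME type'
        echo 'acl msn_gateway dstdomain gateway.messenger.hotmail.com'
        echo 'acl msn_mime req_mime_type -i ^application/x-msn-messenger'
        echo '# Browser-based MSN clients (extend this list from your logs)'
        echo 'acl msn_web dstdomain .webmessenger.msn.com .e-messenger.net'
        echo 'http_access deny msn_gateway'
        echo 'http_access deny msn_mime'
        echo 'http_access deny msn_web'
    } > "$out"
}

# Only act when called with an output directory; sourcing the file just
# defines the two functions.
if [ "$#" -ge 1 ]; then
    outdir="$1"; shift
    mkdir -p "$outdir"
    write_shorewall_rules "$outdir/rules" "$@"
    # shellcheck disable=SC2086  # EXEMPT_IPS is deliberately word-split
    write_squid_acl "$outdir/squid-msn.conf" ${EXEMPT_IPS:-}
    echo "wrote $outdir/rules and $outdir/squid-msn.conf"
fi
```

The firewall half is only a first line of defence, as the post says: a client that switches to port 80 is caught by the REDIRECT line and then by the squid ACLs, while a client that tunnels over port 443 or a non-standard port is not covered by either fragment.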

Read more at vampiroz.org


One response to “Effectively blocking MSN and P2P”

  1. Hi!

    Actually you can effectively block MSN and P2P or any other program that you want to block by using layer 7 filtering (application layer). You can actually implement this transparently to the end user by just plugging the filtering server in as a bridge to your gateway (or make it the gateway if you have time to spend in case you get into trouble, as you need to apply the rules of your existing gateway). You can try out Untangle if you can’t afford the appliance one.

    Good luck!

