Sep 26 08 8:55 am
Hello,
I want to block P2P programs for SOME USERS, not all.
I tried to do it from the WinGate firewall, but it applied it to all users.
Here is the scenario:
I have 4 users
A, B, C & D
I want to be able to block A & B from using P2P programs, but allow C & D to use P2P programs.
Is there any way to do this? Please help.
Sep 26 08 3:35 pm
There is a way by using policy to enforce port restrictions, instead of port security.
- Make a new user group for the users that should be allowed to use P2P.
- Navigate to GateKeeper -> System -> Extended Networking -> Policies
- Click add to make a new policy for Everyone
- Go to the Advanced tab and select 'specify which requests this recipient has rights for'
- Click add filter, then add a criterion to that filter stating
- This criterion is NOT met if
- Server port number
- equals
- xxxxx - Add a new criterion to the filter for each of the ports that you want to restrict the users who should not be using P2P from accessing
- Then add a second policy, this time for the user group that IS allowed to access P2P. Enforce no restrictions on this group.
This isn't a great guide or example, but it should demonstrate how you can use Policy to control port access.
Sep 27 08 10:29 pm
Thanks Logan,
But when somebody uses P2P I find a lot of ports opened by the NAT service; I could not find which program he uses or which main ports the program connects to, so if you have a solution for this it would be better.
So I added rules with the allowed ports rather than the blocked ports, like this:
- This criterion met if
- Server port number
- equals
- Allowed ports
It works fine for P2P connections, but I had another problem with this config: "ping disabled (ICMP connections)". I want to add a rule to allow users to ping, but I could not find such a description in the criterion list. How can I do this?
Sep 29 08 8:48 pm
Sounds like you've already twigged as to "how best to block P2P". I can confirm that it is impossible to block recent P2P technologies using a blacklist approach, like torrenting for instance. Torrents do not have a server that everyone has to connect to, so there is no port or IP address range that can be blocked to stop torrenting. In addition, the ports used by torrent clients are custom set by the local user, and do not follow any standard pattern. It's impossible to guess what ports to block, and even if you could, the user can very easily change the port and bypass the block, and it's unlikely that all users are configured the same way on the same port. Therefore the solution you have, implementing a whitelist of allowed ports, is the ONLY solution that is effective against P2P in my humble opinion.
As for allowing pings, try using "This criterion is met if IP Protocol Number equals 1"
IP Protocol 1 is ICMP (Ping)
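To make the difference between the two policy styles in this thread concrete, here is a small Python model of them. This is an added example, not WinGate code or anything from the WinGate project: it represents a policy as a Python function over a request, and evaluates a constructed set of requests against (a) the "Everyone" blacklist policy from the earlier steps ("NOT met if server port equals xxxxx" for each guessed P2P port), (b) the whitelist policy ("met if server port equals an allowed port") with and without the ICMP criterion (IP protocol number 1), and (c) the exemption for the group that IS allowed to use P2P. The group membership, the port sets and the sample requests are all constructed for illustration.

```python
"""Toy model of blacklist vs whitelist port policies (constructed example).

Not WinGate's engine: a policy here is just a function Request -> bool
(True = request allowed). It shows why a per-port blacklist fails once a
client moves to a custom port, and why a whitelist needs an explicit
ICMP criterion or ping stops working.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# IANA IP protocol numbers (these three are real, well-known values).
ICMP = 1
TCP = 6
UDP = 17


@dataclass(frozen=True)
class Request:
    user: str
    protocol: int                 # IP protocol number of the request
    server_port: Optional[int]    # None for ICMP, which has no ports


# Constructed group membership: C and D are in the "P2P allowed" group.
P2P_ALLOWED_GROUP = {"C", "D"}

# Constructed port sets; neither is a WinGate default list.
BLACKLISTED_P2P_PORTS = {6881}                  # a port an admin might guess
ALLOWED_PORTS = {53, 80, 443, 25, 110, 143}     # DNS, HTTP, HTTPS, SMTP, POP3, IMAP4


def blacklist_policy(req: Request) -> bool:
    """Everyone policy built from 'NOT met if server port equals X' criteria."""
    if req.user in P2P_ALLOWED_GROUP:
        return True               # second policy: no restrictions for this group
    return req.server_port not in BLACKLISTED_P2P_PORTS


def whitelist_policy(req: Request, allow_icmp: bool = True) -> bool:
    """Everyone policy built from 'met if server port equals <allowed>' criteria.

    allow_icmp=False reproduces the first whitelist attempt in the thread,
    which silently broke ping; allow_icmp=True adds the
    'met if IP Protocol Number equals 1' criterion.
    """
    if req.user in P2P_ALLOWED_GROUP:
        return True
    if req.protocol == ICMP:
        return allow_icmp
    return req.server_port in ALLOWED_PORTS


# Constructed sample traffic: label -> request.
SAMPLE_REQUESTS = {
    "A torrent on guessed port":  Request("A", TCP, 6881),
    "A torrent on custom port":   Request("A", TCP, 51413),
    "A browses HTTPS":            Request("A", TCP, 443),
    "A pings a host":             Request("A", ICMP, None),
    "C torrent on custom port":   Request("C", TCP, 51413),
}


def evaluate(policy: Callable[[Request], bool]) -> Dict[str, bool]:
    """Run every sample request through one policy; True means allowed."""
    return {label: policy(req) for label, req in SAMPLE_REQUESTS.items()}


def compare_policies() -> Dict[str, Dict[str, bool]]:
    """Side-by-side results for the three policy variants discussed."""
    return {
        "blacklist": evaluate(blacklist_policy),
        "whitelist_no_icmp": evaluate(lambda r: whitelist_policy(r, allow_icmp=False)),
        "whitelist_with_icmp": evaluate(whitelist_policy),
    }


if __name__ == "__main__":
    for name, results in compare_policies().items():
        print(name)
        for label, allowed in results.items():
            print(f"  {'ALLOW' if allowed else 'BLOCK':5}  {label}")
```

Running it shows the thread's three findings in one table: the blacklist blocks only the guessed port and lets the same client through on a custom port; the first whitelist blocks the custom port but also blocks ping; adding the IP-protocol-1 criterion restores ping while keeping the port whitelist, and users in the allowed group are never restricted by either policy.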
Sep 29 08 9:31 pm
Dear Logan,
You are a genius, you got what I am talking about. Also you gave me the correct method to allow ping, everything is working fine. Finally I can block any user I want from using the P2P programs, I just add him to the group, but there is another request to complete the rule. Where can I find a list of common program ports? (To allow them all at once)
Thanks Logan
Sep 30 08 5:00 pm
Ah, now I had a link to something like that.... and here it is. This is a list of all the Well Known (0 to 1023), Registered (1024 through 49151), and Dynamic/Private ports (49152 through 65535) as of 2008-09-26. It's a bit confusing when you first scan through it, but have a read and I'm sure you will get the gist of it. Also, the page is VERY long, so give it some time to download entirely, or better yet, save it to your local hard drive.
http://www.iana.org/assignments/port-numbers
These are the basic ports that need to be considered. With these ports open, your clients will be able to browse the internet and check their email. The cornerstones of the internet. Anything over and above these ports is ultimately up to your discretion.
- TCP/UDP 67 - DNS (only needed if your clients point to an external DNS server)
- TCP 80 - HTTP (only needed if port 80 is not being intercepted by the WWW Proxy server)
- TCP 443 - HTTPS
- TCP 25 - SMTP
- TCP 110 - POP3
- TCP 143 - IMAP4