Updated

  • 2005 - Small bug in blocklist.pl fixed

Peer to Peer Firewall

How to set up a peer-to-peer firewall on FreeBSD with the IP blocklist from PeerGuardian v1, to deal with corrupt files on the P2P networks.

This howto is under construction. Currently only the summary is done. Please check back later to see how this howto progresses.

Introduction

Notes

This setup requires a lot of resources. Possible side effects of using this setup are:

I've found it best to use it on the computer that runs the P2P application rather than on a gateway. Selecting only the rules that you've found to actually block packets and copying them to a gateway is also something that works for me.

Summary

  1. Install the ports
    cd /usr/ports/archivers/unzip
    make config && make install && make clean
    
  2. Download blockfetch.sh (fetches the lists) and blocklist.pl (transforms them into a ruleset).
    cd /usr/local/sbin/
    fetch http://alex.kruijff.org/files/freebsd/blockfetch.sh 
    fetch http://alex.kruijff.org/files/freebsd/blocklist.pl
    chmod 744 blockfetch.sh blocklist.pl
    
  3. Edit /usr/local/sbin/blockfetch.sh to select your lists
  4. Initialize after you have changed blockfetch.sh
    /usr/local/sbin/blockfetch.sh
    /usr/local/sbin/blocklist.pl > /usr/local/etc/blocklist.conf
    
  5. Test it to see if your computer can cope with the ruleset size. If it is successful you will see how long it took to load. It can take up to an hour. Your peer-to-peer program is not fully protected by the ruleset for this long after a reboot, so you may want to wait that long before starting your P2P program. While this command runs you will see the rule numbers run from xxx00 to xxx64.
    /usr/bin/time /sbin/ipfw /usr/local/etc/blocklist.conf
    
  6. Automate the fetch-lists and create-ruleset process. Have cron do these things every Saturday at 20h by adding the following (on one line, since crontab entries cannot be continued with a backslash) with the command: crontab -e
    0	20	*	*	6	/usr/local/sbin/blockfetch.sh && /usr/local/sbin/blocklist.pl > /usr/local/etc/blocklist.conf
    
  7. Automate loading the ruleset in the background by downloading blockload.sh. Loading takes a long time, so to speed things up the script checks at the end of the day which rules were triggered and saves these in an extra file. At the next boot this short list is loaded first. You cannot rely on this, as the whole list isn't loaded yet, but every little bit helps. The consequence is a slight performance improvement for packets matching these rules, and these rules being loaded twice. You may want to use top to see how long it takes to load the ruleset on your machine.
    cd /usr/local/etc/rc.d/
    fetch http://alex.kruijff.org/files/freebsd/blockload.sh
    chmod 744 blockload.sh
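As an added illustration of what step 4's blocklist.pl does (this is example code, not the page's script), the following Python turns blocklist ranges into ipfw deny rules in the form the file loaded in step 5 holds. It assumes the PeerGuardian v1 text format of one `name:first-last` IPv4 range per line with `#` comments, and splits each range into the `addr/masklen` blocks ipfw accepts; the sample list is constructed.

```python
# Added example (not the page's blocklist.pl): turn PeerGuardian v1 ranges
# into ipfw "deny" rules of the kind the blocklist.conf file in step 5 holds.
# Assumption: each list line is "name:first-last" (dotted IPv4), with '#'
# comments and blank lines allowed.
import ipaddress

SAMPLE_P2P = """\
# constructed sample list, not a real PeerGuardian list
Example Corp:192.0.2.10-192.0.2.20
Doc net:198.51.100.0-198.51.100.255
"""

def parse_p2p_line(line):
    """Return (name, first, last) for a range line, None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # rpartition: the name itself may contain ':' but the range never does
    name, sep, rng = line.rpartition(":")
    if not sep or "-" not in rng:
        raise ValueError(f"malformed blocklist line: {line!r}")
    first, last = (ipaddress.IPv4Address(a.strip()) for a in rng.split("-", 1))
    if last < first:
        raise ValueError(f"range end before start: {line!r}")
    return name.strip(), first, last

def range_to_cidrs(first, last):
    """ipfw takes addr/masklen, not arbitrary ranges: split into minimal CIDRs."""
    first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def ipfw_rules(lines, first_rule=10000):
    """Emit one deny rule per CIDR and direction, numbered from first_rule."""
    rules, num = [], first_rule
    for line in lines:
        parsed = parse_p2p_line(line)
        if parsed is None:
            continue
        _name, first, last = parsed
        for cidr in range_to_cidrs(first, last):
            rules.append(f"add {num} deny ip from {cidr} to any")
            rules.append(f"add {num} deny ip from any to {cidr}")
            num += 1
    return rules

if __name__ == "__main__":
    print("\n".join(ipfw_rules(SAMPLE_P2P.splitlines())))
```

Redirect the output to a file and load it as in step 5 (`/sbin/ipfw /usr/local/etc/blocklist.conf`); a real list produces tens of thousands of rules, which is why the page warns about load time.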