Help blocking p2p traffic on home network.

Discussion in 'Mac Apps and Mac App Store' started by Boydbme, Oct 7, 2010.

  1. Boydbme macrumors member

    Boydbme

    Joined:
    Jan 30, 2008
    #1
    Hey guys,

    Here is the situation. my family has someone staying with them our house who is basically addicted to internet pornography. They will be here for a while as they have hit a rough patch in their life and we are trying to help them out.

    We already had a block set up with openDNS to effectively block all web sites through our router (apple time capsule) but that doesn't do anything to block p2p file sharing and our guest has figured this out. I discovered this because they are not too computer literate and all of their downloads from limewire and frostwire ended up showing up in their itunes shared library.

    A few things:

    - yes, we have already spoken and asked them to not download porn in our house
    - the guest has expressed a desire to have these protections in place for their own sake.
    - I know we can and have temporarily blocked them from the router using MAC address filtering.

    My desire is to be able to effectively block p2p traffic on my home network. OpenDNS has the webpages on lockdown, so p2p is the only free-range that I or our guest know of. At the very least I would like some way within OS X to monitor ALL traffic requests on the network so that I can enforce actions such as blocking all access if our guest gets more covert about their actions.

    Are there any tools out there for the consumer market to lock down p2p traffic on a mac? Preferably something that affects the entire network and not just one computer connected to it?

    **please, even if you object to blocking traffic or don't see an issue with internet pornography, the underlying issue is the desire to block traffic as a technical question. please don't feel the need to troll if your viewpoint on this issue is different than mine. thanks!**
     
  2. Mal macrumors 603

    Mal

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #2
    What type of router are you using? Some routers have that built-in, on most others you can block the ports typically used (and if the person in question isn't tech-savvy, they may not be able to work around that).

    jW
     
  3. psiconoclast macrumors newbie

    Joined:
    Sep 28, 2010
    #3
    DISCLAIMER: I've not done this on an Airport/Time Capsule.

    In the DHCP settings for your router, there should be a range of addresses available. Normally this is something like 192.168.1.### where valid addresses for the last octet are 1-255. Make sure that the the range is limited (say 1 to 100) so that there are guaranteed addresses that will not be assigned.

    Identify the p2p software being used, and use The Google to figure out the ports most commonly identified with those p2p protocols.

    Forward those ports (TCP and UDP) to an unused address (IE 192.168.1.101).

    If your guest isn't too technically savvy, this approach will most likely put a pretty good cramp in their style.

    Oh, and as to the "ethics" of traffic blocking, I'm opposed to it when done by governments and ISPs, but this is your house, OP, and you are footing the bill (not to mention on the hook for any RIAA/MPAA nastygrams), so you are well within your rights to block as you see fit, IMHO.
     
  4. blomma macrumors member

    blomma

    Joined:
    Apr 13, 2010
    #4
    The problem is that most p2p traffic can occur over any port, so trying to proactively block ports might be a bit of a fools errand. You might try disabling any port over 1024 instead since anything over that isn't privileged and could be used for p2p. But you might want to look into assigning a fixed ip address to his computer locked to his mac address. This can easily be done in airport/time capsule.

    *EDIT* the more i think about it i think @psionclast is on to it. But instead of nitpicking every port just route everyting above 1024 into a an unused address. This will ofcourse then have the side effect of blocking it for everyone else, but unless you are using a software that communicates on a port above that, games most likley, then it might not matter all that much. And you always have the option of opening up those anyway for specifik ip addresses. But i would nevertheless start to assign fixed ip addresses to mac addresses, this should make tracking easier also since you would know which ip address belongs to which computer.

    Basically you are a bit limited in choise since what you would need is a firewall to configure for the entire network, you could of course enable the firewall on his computer and use somthing like http://www.hanynet.com/noobproof/ to configure it.

    *EDIT*
     
  5. mulo macrumors 68020

    mulo

    Joined:
    Aug 22, 2010
    Location:
    Behind you
    #5
    most torrents use ports 40000-60000 block those
     
  6. psiconoclast macrumors newbie

    Joined:
    Sep 28, 2010
    #6
    I think that blomma and mulo make good points.

    Just block everything above 1024, and then selectively unblock if you have specific tools (games, IM, etc.) that stop working.

    Depending on how long your guest will be staying, and what your opportunity cost of messing with this stuff is, you might want to consider getting a hardware firewall to place in between your Time Capsule and your broadband connection. They can be picked up for a fairly modest price (good dedicated firewalls may start around $100, but there are cheaper options too), and give extra protection and a LOT more control over your network.
     
  7. Boydbme thread starter macrumors member

    Boydbme

    Joined:
    Jan 30, 2008
    #7
    thanks for the replies!

    I have a time capsule router. I'll look into blocking ports and then unblocking selectively.

    any specific reason that someone couldn't set the ports of a program to something below 1024? Are all of those ports dedicated to other things? Sorry if thats a noob question. I'm fairly proficient with computer but advanced networking was never taught to me.
     
  8. psiconoclast macrumors newbie

    Joined:
    Sep 28, 2010
    #8
    http://www.iana.org/assignments/port-numbers

    That's the official list of the port assignments/designation.

    It is certainly possible (and it happens) for programs to disregard this map, but in practice the p2p stuff will stop working, because the other participants clients will most likely not connect in those ranges.

    There are some exceptions, though: There are proxy services designed for filesharing, and if your guest signs up for one of them, they can connect to the proxy service at one of those lower ports, and from there wind up "wide open" to download.

    The bottom line is that it is almost impossible to keep someone from something on the Internet - if your guest is serious about honoring your wishes while living under your roof, the above should be enough. If they are just shining you on, though, and plan to keep at it, then you are only going to slow them down unless you plan to take on a second job as a network security admin.

    Good luck.
     
  9. Hastings101 macrumors 68000

    Hastings101

    Joined:
    Jun 22, 2010
    Location:
    K
    #9
    You could stop the P2P networks the old fashioned way - taking the computer away :)
     
  10. UpDownAeroplane macrumors member

    Joined:
    May 21, 2010
  11. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #11
    Why?
     
  12. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #12
    Download Noobproof. It is a GUI for the packet filtering firewall, ipfirewall (not the application firewall in system preferences), that offers outgoing and incoming filtering.

    Use Noobproof to configure ipfirewall to block traffic both ways except for all the essential ports that are required for your computer to perform all of its other necessary functions. There is a utility within Noobproof that lists all the common ports and their functions.

    Of course, this only works if that individual is using a Mac and you can access their system. LOL
     

Share This Page