blocking spotify with pf
Greg Hennessy
Greg.Hennessy at nviz.net
Fri Aug 19 10:44:55 UTC 2011
> Recently it has come to our attention that bandwidth has become an issue
> with increased Spotify usage throughout the company. I'm looking for a way
> to block access to it in pf. The rule that I am trying is the following:
>
> table <spotify> { 78.31.8.0/22, 193.182.8.0/21 }
> block return in quick on $int_if proto tcp from 192.168.1.0/24 to <spotify>
> port 4070
>
> For whatever reason it is showing that the rule is working but not really
> working. Am I missing something?
>
Yes, stop trying to plug a leak in a colander by using a match stick.
Block by default by starting the policy with
    block log all
and only allow routed egress to the specific sites and services which are directly related to a valid business requirement.
Run all browser traffic through a proxy server to categorise and inspect the content, permitting internet access from the proxy to 80 and 443/tcp only.
For a business that describes itself as 'advanced e-commerce' you guys should know this already; this is not rocket science.
With an open door flapping in the breeze as suggested above, if I was to speculate, I would suggest that Spotify is the least problem you should worry about right now.
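
The policy described in the reply, written out as a pf.conf (an added example, not part of the original message). The interface names, the proxy and resolver addresses, the EGRESS tag name and the contents of the <business> table are assumptions; only 192.168.1.0/24 comes from the thread.

```conf
# Constructed example. Interface names, host addresses and table contents
# are assumptions; only 192.168.1.0/24 appears in the thread.
ext_if  = "em0"                 # assumed external interface
int_if  = "em1"                 # assumed internal interface
lan_net = "192.168.1.0/24"      # LAN range from the original question
proxy   = "192.168.1.10"        # hypothetical web proxy on the LAN
dns     = "192.168.1.11"        # hypothetical internal resolver

# Destinations with a business need for direct (non-proxied) access.
# 203.0.113.0/24 is a documentation range used as a placeholder.
table <business> persist { 203.0.113.0/24 }

set skip on lo0

# Translate LAN sources on the way out.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny, logged to pflog0 so dropped flows can be reviewed.
block log all

# Only the proxy may open web connections, and only to 80 and 443/tcp.
pass in quick on $int_if inet proto tcp from $proxy to any \
    port { 80, 443 } tag EGRESS keep state

# Only the resolver may send DNS queries out.
pass in quick on $int_if inet proto { tcp, udp } from $dns to any \
    port 53 tag EGRESS keep state

# Direct access for everyone, limited to the approved destinations.
pass in quick on $int_if inet proto tcp from $lan_net to <business> \
    port 443 tag EGRESS keep state

# Leave via the external interface only if an inbound rule approved it.
pass out quick on $ext_if tagged EGRESS keep state
```

With this ruleset the port 4070 traffic from the original question is dropped and logged by the default rule, with no Spotify-specific table to maintain. The firewall's own traffic and any management access would need pass rules of their own.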