blocking spotify with pf

Greg Hennessy Greg.Hennessy at
Fri Aug 19 10:44:55 UTC 2011

> Recently it has come to our attention that bandwidth has become an issue
> with increased Spotify usage throughout the company. I'm looking for a way
> to block access to it in pf. The rule that I am trying is the following:
> table <spotify> {, }
> block return in quick on $int_if proto tcp from to <spotify>
> port 4070
> For whatever reason it is showing that the rule is working but not really
> working. Am I missing something?

Yes, stop trying to plug a leak in a colander by using a matchstick.

Block by default by starting the policy with 

	block log all

And only allow routed egress to the specific sites and services which are directly related to a valid business requirement.
Run all browser traffic through a proxy server to categorise and inspect the content, permitting internet access from the proxy to 80 and 443/tcp only.

For a business that describes itself as 'advanced e-commerce' you guys should know this already, this is not rocket science. 

With an open door flapping in the breeze as suggested above, if I was to speculate, I would suggest that Spotify is the least problem you should worry about right now.
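
A minimal pf.conf sketch of the default-deny egress policy described in this reply, added here as an illustration and not part of the original post. The interface names, addresses, proxy placement (a host on the LAN) and the `EGRESS_OK` tag are assumptions; NAT, DNS and any other required services are left out and would need their own narrowly scoped rules.

```pf
# Added example, not from the original post. All names and addresses below
# are placeholders (documentation address ranges), chosen for illustration.
int_if  = "em1"               # assumed LAN-facing interface
ext_if  = "em0"               # assumed Internet-facing interface
lan_net = "198.51.100.0/24"   # assumed client network
proxy   = "198.51.100.10"     # assumed web proxy host on the LAN

# Destinations tied to a documented business requirement (constructed entry).
table <business_sites> persist { 203.0.113.25 }

set skip on lo0

# Default deny, logged. Anything not explicitly passed below, including
# client connections to tcp/4070, is dropped and shows up on pflog0.
block log all

# Only the proxy may reach the Internet, and only on 80 and 443/tcp.
pass in quick on $int_if inet proto tcp from $proxy to any \
    port { 80, 443 } tag EGRESS_OK keep state

# Routed (non-proxied) egress only to the allow-listed business sites.
pass in quick on $int_if inet proto tcp from $lan_net to <business_sites> \
    port 443 tag EGRESS_OK keep state

# On the outside interface, pass only traffic that matched a rule above.
# Matching on the tag keeps this rule independent of any NAT in use.
pass out quick on $ext_if tagged EGRESS_OK keep state
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`, and blocked flows reviewed with `tcpdump -n -e -ttt -i pflog0`.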



More information about the freebsd-pf mailing list