Celebrity advice on keeping your Linux desktop secure
Posted by: Anonymous
on February 03, 2008 04:52 PM
p2p uses UDP; once a UDP connection has been established through the firewall with one computer, any other computer can use that same connection. This is the secret of how p2p accomplishes its magic. I use the word connection advisedly, since uber geeks will tell you it's not really a connection, since UDP is stateless. But looking at it from the point of view of the firewall, it is for all intents and purposes a connection, but one which lacks ownership. Thus you have this huge gaping hole that you yourself have created by initiating the p2p. The traffic that you see is a normal consequence of the ~sharing~ and may not necessarily be a bad thing; it's just other people trying to p2p with you, which is how the system is supposed to work.
There are only two ways you can protect yourself. The first way is simply 'not to play' (how about a nice game of chess?); the second way is to dedicate a computer to the p2p function. Make sure there is nothing else at all on that computer except for what you intend, and furthermore make sure that you don't trust that computer to be able to access any of your other computers. Your other computers can talk to it (remote control or file shares -- sshfs is good), but it can't talk to them. Now you create two LANs: the first LAN is connected directly to your DSL and contains a connection to your DMZ p2p computer plus a connection to a NAT box. Now put the rest of your computers behind the NAT box. This is basically what Linus has described above. And for criminy's sake, don't run p2p from any but the DMZ computer. Otherwise you just wasted your time/money on the NAT, because you will create a hole in it as well. Also, don't trust anything that you get from p2p; it is a major source of trojan-horse spambot viruses. -- codeslinger (compsalot)
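As an added illustration that is not part of the original post, here is a toy Python model of the NAT/firewall UDP table the post describes: one outbound datagram from the p2p client creates an entry keyed by the public port alone, so the firewall remembers who created it but does not check who uses it; the same table shows why the dedicated DMZ box, sitting outside the inner NAT box, can only answer inside hosts that spoke to it first. All addresses and ports are constructed values; the class and function names are my own.

```python
"""Toy model of the UDP "connection" a stateful NAT box keeps once an inside
host has sent a datagram out (constructed illustration of the post's point)."""
from dataclasses import dataclass, field


@dataclass
class NatBox:
    """One table entry per inside (ip, port) that has sent UDP out.
    The entry records the peer that was first contacted but never checks it
    on the way back in: that is the missing ownership the post talks about."""
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # public port -> (inside ip, inside port, first peer)

    def outbound(self, inside_ip, inside_port, peer_ip, peer_port):
        """Inside host sends a datagram out: create (or reuse) its mapping."""
        for pub, (ip, port, _) in self.table.items():
            if (ip, port) == (inside_ip, inside_port):
                return pub
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[pub] = (inside_ip, inside_port, (peer_ip, peer_port))
        return pub

    def inbound(self, src_ip, src_port, public_port):
        """Datagram from outside to one of our public ports."""
        entry = self.table.get(public_port)
        if entry is None:
            return "DROP"                      # nobody inside ever opened this port
        ip, port, _ = entry                    # any source is let through, not just the first peer
        return f"ACCEPT -> {ip}:{port}"


def p2p_hole_demo():
    """One outbound p2p datagram opens the port to every Internet host."""
    fw = NatBox()
    pub = fw.outbound("192.168.1.10", 6881, "203.0.113.5", 6881)  # constructed addresses
    return {
        "peer we contacted": fw.inbound("203.0.113.5", 6881, pub),
        "peer we never contacted": fw.inbound("198.51.100.9", 51000, pub),
        "port nobody opened": fw.inbound("198.51.100.9", 51000, pub + 1),
    }


def dmz_isolation_demo():
    """The DMZ p2p box is outside the inner NAT box: it cannot start a
    conversation with an inside host, but it can answer one."""
    nat = NatBox()
    dmz = ("192.0.2.10", 5000)                     # the dedicated p2p machine (constructed)
    unsolicited = nat.inbound(*dmz, 40000)         # DMZ box tries to reach inside first
    pub = nat.outbound("10.0.0.5", 50123, *dmz)    # an inside host talks to the DMZ box
    return unsolicited, nat.inbound(*dmz, pub)     # now the reply gets through
```

Run `p2p_hole_demo()` and `dmz_isolation_demo()` to see which datagrams the model accepts.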