Thread: Pf problem
#7
24th May 2011
joostvgh

This could be the best way, but here's my situation:
I am in a student house, lots of 'I don't care' people here, who 'abuse' the internet.

I myself am a student who likes to use the internet for browsing, fun, and school, and also for downloading, but at night when nobody needs the internet. The housekeeper allowed me to install a server and operate it (by using PuTTY, so no physical access) to control the internet, since every year there are problems with students not obeying the 'rules', although everyone is clearly informed (every year there are multiple meetings with all students, and the network/internet subject is treated there too).
So we could state that everyone is well-educated about the topic. This doesn't help, so you talk about punishing: I cannot disconnect anyone physically from the network, nor do I have the time to monitor the internet traffic, let alone analyse it.
Blocking legitimate traffic: house rules state the internet is used only for school purposes (which of course is very outdated, but it's in the rules). Also, since I have access to the server through PuTTY, I can open any port I want, at any time. When I first installed the server, people came to me about applications not working, e-mail etc., all problems which have been solved by now.

I really understand your advice and I appreciate it, and would also apply it if I had the correct means to do so. Furthermore, there are more people who appreciate the current policy than those who dislike it!

The problem I spoke of in my first post was that someone was generating a lot of upload traffic, which severely slowed down the network. I spoke to this person in the meantime, and he said it was not a torrent but a problem with Dropbox (which actually doesn't really change the core of the problem). I believe he was speaking the truth because he supports the server-thingy and supports me too.

@jggimi:
- The quick identifier was meant for every rule; also, the block is the first rule (after the nat rules), so it shouldn't make any difference removing it.
- dc0 is the 'outside' network which leads to the router/modem and eventually the internet. Should I apply any rules? Block all applies to this network too, correct? Unless stateful connections are opened, as you mentioned.
- About the nat rules: yes, the current topology is: PCs - (192.168.2.1/24) - OpenBSD - (192.168.0.1/24) - router/modem - (ISP subnet) - internet
So there's NAT twice; maybe the issue could be there?
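The ruleset below is an added example for the topology described in the post (PCs on 192.168.2.0/24, OpenBSD box, dc0 toward the router on 192.168.0.0/24). It is not the poster's actual pf.conf. It assumes the inside interface is called dc1 (the post names only dc0), that the OpenBSD release is 4.7 or later (May 2011 puts it at 4.9, so `match ... nat-to` syntax rather than the old `nat on` rules), and that the box is administered over SSH from the LAN. It shows the three things the post asks about: where `quick` is and is not safe, why `block all` on dc0 does not break connections that were opened from inside (state, not a separate inbound rule, lets the replies back), and why NAT on dc0 behind a second NAT on the router is not by itself a problem for outbound client traffic.

```conf
# Added example pf.conf for the post's topology. Not the poster's ruleset.
# ASSUMPTIONS: inside interface is dc1 (only dc0 is named in the post),
# OpenBSD 4.7+ syntax (match ... nat-to), SSH management from the LAN.
ext_if = "dc0"              # toward router/modem on 192.168.0.0/24 (from the post)
int_if = "dc1"              # toward the student PCs; ASSUMED name
lan    = "192.168.2.0/24"   # inside network (from the post)

set skip on lo

# Normalise packets before any rule sees them (reassembles fragments).
match in all scrub (no-df)

# NAT: rewrite LAN sources to dc0's current address on the way out.
# This is pure translation; it does not pass anything by itself.
# The router then NATs a second time toward the ISP. Two layers of NAT
# are fine for outbound, stateful client traffic; they only hurt services
# that must be reachable from the outside, which this setup does not offer.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Default deny, in both directions, on every interface (dc0 included).
# pf uses last-match-wins unless a rule says 'quick'. A 'block quick all'
# here would match every packet and end evaluation, so the pass rules
# below would never be reached. Keep the catch-all block WITHOUT quick
# and put 'quick' on the specific pass rules instead.
block all

# The firewall itself may talk out on dc0 (DNS, NTP, package updates).
pass out quick on $ext_if inet proto { tcp udp icmp } \
    from ($ext_if) to any keep state

# Management: SSH from the LAN to the box only; nothing else to the box.
pass in quick on $int_if inet proto tcp from $lan to ($int_if) port 22 keep state
block in quick on $int_if inet from $lan to ($int_if)

# LAN clients out. A forwarded packet is checked twice, once coming in on
# dc1 and once going out on dc0, so both a 'pass in' and a 'pass out' are
# needed under 'block all'. 'keep state' records the connection: the
# replies arriving on dc0 match that state and are passed without any
# 'pass in on dc0' rule, which is why 'block all' on dc0 is still correct.
pass in  quick on $int_if inet from $lan to any keep state
pass out quick on $ext_if inet from $lan to any keep state

# Unsolicited traffic from the router side stays blocked by 'block all'.
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only), then load with `pfctl -f /etc/pf.conf`, and confirm the order actually in the kernel with `pfctl -vvsr`, which prints each rule with its number and match counters. To find which host is responsible for a burst of upload traffic without watching packets by hand, `pfctl -vvss` lists every state with its packet and byte counters, so the 192.168.2.x address behind the largest outbound byte count is the one to talk to.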