zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Firewall Against P2P

Fri Sep 23, 2011 12:04 pm

Hi all,

I have created a simple firewall to block P2P for an internet cafe. Is this practical? I am wondering what other services are used mostly, so I can add them to the accept range.

[admin@MikroTik] > ip
[admin@MikroTik] /ip> firewall
[admin@MikroTik] /ip firewall> filter
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established
in-interface=ether1-gateway

2 ;;; default configuration
chain=input action=accept connection-state=related
in-interface=ether1-gateway

3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

4 chain=forward action=accept connection-mark=http

5 chain=forward action=accept connection-mark=DHCP

6 chain=forward action=accept connection-mark=DNS

7 chain=forward action=accept connection-mark=FTP

8 chain=forward action=accept connection-mark=bgp

9 chain=forward action=accept connection-mark=http

10 chain=forward action=accept connection-mark=imap

11 chain=forward action=accept connection-mark=msn

12 chain=forward action=accept connection-mark=pop3

13 chain=forward action=accept connection-mark=smtp

14 chain=forward action=accept connection-mark=ssh

15 chain=forward action=accept connection-mark=ssl

16 chain=forward action=accept connection-mark=yahoo

17 chain=forward action=accept connection-mark=https

18 chain=forward action=drop

regards
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Firewall Against P2P

Fri Sep 23, 2011 11:31 pm

Are all of those connection marks actually set up in the router? As for P2P, a lot of P2P travels over SSL and HTTP, so you can't really block it.
 
jahidhk
just joined
Posts: 9
Joined: Sat Feb 26, 2011 9:15 pm

Re: Firewall Against P2P

Sun Sep 25, 2011 9:58 pm

This will block P2P.
Just change src-address and time if needed.

/ip firewall layer7-protocol
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\
|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"
/ip firewall filter
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1h30m chain=forward comment=" ______Bittorent_____" disabled=no \
layer7-protocol=BITTORENT src-address=192.168.0.10-192.168.0.254 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no layer7-protocol=\
BITTORENT reject-with=icmp-network-unreachable time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=yes layer7-protocol=\
BITTORENT reject-with=icmp-network-unreachable time=\
0s-1h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent Announce" \
address-list-timeout=1h30m chain=forward comment=______Announce____ \
disabled=no layer7-protocol=BITTORRENT_ANNOUNCE src-address=\
192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=yes layer7-protocol=\
BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable time=\
0s-1h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent udp" \
address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
disabled=no dst-port=6881-6968,6970-6999 protocol=udp src-address=\
192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=\
6881-6968,6970-6999 protocol=udp reject-with=icmp-network-unreachable \
time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent tcp" \
address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
disabled=no dst-port=6881-6968,6970-6999 protocol=tcp src-address=\
192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=\
6881-6968,6970-6999 protocol=tcp reject-with=icmp-network-unreachable \
time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent all-p2p" \
address-list-timeout=1h30m chain=forward comment=\
__________All-p2p__________ disabled=no p2p=all-p2p src-address=\
192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no p2p=all-p2p \
reject-with=icmp-network-unreachable time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="Torrent cleaning" disabled=no \
dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
src-address-list=Torrent src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=udp reject-with=icmp-network-unreachable src-address-list=\
Torrent src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent Announce" src-port=10000-65500 time=\
9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=udp reject-with=icmp-network-unreachable src-address-list=\
"Torrent Announce" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent udp" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=udp reject-with=icmp-network-unreachable src-address-list=\
"Torrent udp" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent tcp" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=udp reject-with=icmp-network-unreachable src-address-list=\
"Torrent tcp" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
Torrent src-port=1000-5000 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent Announce" src-port=1000-5000 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent udp" src-port=1000-5000 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent tcp" src-port=1000-5000 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent all-p2p" src-port=1000-5000 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: Firewall Against P2P

Wed Sep 28, 2011 5:24 pm

> add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
> get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\
> |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"

That regex filter is broken and won't catch most torrent seeding. It should be:
add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
    get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/\
    |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"
It's a bit of a long post, but there is a LOT of good information for solving this here: http://forum.mikrotik.com/viewtopic.php?f=2&t=21178
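An added check, not code from any of the posters: it runs the BITTORENT regex as posted and as corrected above (with the CLI escaping undone, and case-insensitive as RouterOS layer7 matching is) over constructed sample payloads, so you can see which flows the missing "|" makes the original miss. The sample bytes and the info_hash are made up for the demonstration.

```python
import re

# RouterOS layer7 matching is case-insensitive, so mirror that here.
FLAGS = re.IGNORECASE

# BITTORENT as posted, with CLI escaping undone (\\x13 -> \x13). The scrape
# and announce literals are glued together with no "|" between them, so that
# alternative only matches a request containing both in sequence, which none does.
BROKEN_BITTORRENT = re.compile(
    rb"^(\x13bittorrent protocol|azver\x01$|"
    rb"get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/"
    rb"|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]\r\n",
    FLAGS,
)

# The corrected pattern: scrape and announce are separate alternatives.
FIXED_BITTORRENT = re.compile(
    rb"^(\x13bittorrent protocol|azver\x01$|"
    rb"get /scrape\?info_hash=|get /announce\?info_hash=|get /client/bitcomet/"
    rb"|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]\r\n",
    FLAGS,
)

# The separate BITTORRENT_ANNOUNCE rule from the same config.
ANNOUNCE = re.compile(rb"^get.+announce.", FLAGS)

INFO_HASH = b"\xaa" * 20  # constructed placeholder, not a real torrent

# Constructed samples of the first bytes each flow type puts on the wire.
SAMPLES = {
    # peer-wire handshake: 0x13, "BitTorrent protocol", 8 reserved bytes, hash
    "handshake": b"\x13BitTorrent protocol" + b"\x00" * 8 + INFO_HASH,
    "announce": b"GET /announce?info_hash=%AA%AA&port=6881 HTTP/1.1\r\n"
                b"Host: tracker.example\r\n\r\n",
    "scrape": b"GET /scrape?info_hash=%AA%AA HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    # bencoded DHT ping over UDP, caught by the "d1:ad2:id20:" alternative
    "dht_ping": b"d1:ad2:id20:" + INFO_HASH + b"e1:q4:ping1:t2:aa1:y1:qe",
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def classify(payload: bytes) -> dict:
    # Report which of the three layer7 rules would fire on this payload.
    return {
        "broken": BROKEN_BITTORRENT.search(payload) is not None,
        "fixed": FIXED_BITTORRENT.search(payload) is not None,
        "announce_rule": ANNOUNCE.search(payload) is not None,
    }

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:11s} {classify(data)}")
```

With the posted pattern only the handshake and DHT alternatives fire; tracker scrape requests go unmatched, and announce requests are caught only because the separate BITTORRENT_ANNOUNCE rule exists.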
 
zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Re: Firewall Against P2P

Thu Nov 17, 2011 4:02 pm

Thanks for the posts guys. :D

There does seem to be a hitch though. All works fine, but then mails stop sending; the device needs to be rebooted and everything then comes right. The link is on a VSAT connection with just less than 550kbps and I was wondering if it had more to do with that and the load the LAN is giving. There are about 20 PCs. I'm not asking for troubleshooting on the LAN, just whether my config could cause this problem.

Regards
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Firewall Against P2P

Thu Nov 17, 2011 6:44 pm

> Thanks for the posts guys. :D
>
> There does seem to be a hitch though. All works fine, but then mails stop sending; the device needs to be rebooted and everything then comes right. The link is on a VSAT connection with just less than 550kbps and I was wondering if it had more to do with that and the load the LAN is giving. There are about 20 PCs. I'm not asking for troubleshooting on the LAN, just whether my config could cause this problem.
>
> Regards

Check the cpu usage and see if it is high on the mikrotik.
