block p2p using Layer7-Protocols

Is this config OK to mark packets in mangle so they can be dropped in the firewall?

/ip firewall mangle 
add action=mark-connection chain=forward comment="Block ARES" disabled=no \
    layer7-protocol=ares new-connection-mark=blocked_conn passthrough=yes \
    src-address-list=BlockedContent 
add action=mark-connection chain=forward comment="Block eDonkey" disabled=no \
    layer7-protocol=edonkey new-connection-mark=blocked_conn passthrough=yes \
    src-address-list=BlockedContent 
add action=mark-connection chain=forward comment="Block gnutella" disabled=no \
    layer7-protocol=gnutella new-connection-mark=blocked_conn passthrough=yes \
    src-address-list=BlockedContent 
add action=mark-connection chain=forward comment="Block imesh" disabled=no \
    layer7-protocol=imesh new-connection-mark=blocked_conn passthrough=yes \
    src-address-list=BlockedContent 
add action=mark-packet chain=forward comment="[][][][][][][][][][][][] Content \
    Blocked" connection-mark=blocked_conn disabled=no \
    new-packet-mark=Blocked_packets passthrough=no

It seems to be working, if you have the people who should be blocked in the “BlockedContent” address list. Otherwise, remove “src-address-list=BlockedContent” from your rules.

Yes… I have some clients in that address list…

I read that you should use layer-7 protocols in conjunction with source/destination addresses or ports, or something like that… in order to reduce the false positives in the detection of packets.

You are correct. You must use layer7 matching wisely, as it allocates memory until the protocol is matched for the current traffic. A good setup will use less RAM, and you also get fewer false matches.
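The mangle rules in the first post only mark traffic; the address list they key on and the filter rule that actually drops the marked packets are not shown in the thread. Below is an added example (not posted by anyone in this thread) of those two missing pieces plus a counter check; the 192.0.2.0/24 range is a placeholder for the hosts you want to block.

```routeros
# Added example: complements the mangle rules from the original post.
# 192.0.2.0/24 is a placeholder (documentation range); use your real client range.

# 1. The address list the mangle rules key on. Keeping the layer7 matchers
#    limited to these hosts reduces both RAM use and false matches.
/ip firewall address-list
add list=BlockedContent address=192.0.2.0/24 comment="Clients subject to P2P blocking"

# 2. Drop what mangle tagged. This rule must sit above any generic accept
#    (e.g. an accept for established/related) in the forward chain, otherwise
#    the already-established P2P connection is accepted before it is reached.
/ip firewall filter
add chain=forward packet-mark=Blocked_packets action=drop comment="Drop P2P content"

# 3. Verify: both counters should climb while a listed host runs a P2P client,
#    and stay flat for hosts that are not in the list.
/ip firewall mangle print stats where comment~"Block"
/ip firewall filter print stats where packet-mark=Blocked_packets
```

If the filter counter stays at zero while the mangle counters climb, check rule order in the forward chain before suspecting the layer7 patterns.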