I’ve been trying to use some of the L7 rules to catch torrent downloading on our network; however, I had to stop as some of the games use P2P to update. I am trying an alternative, which is to add common torrent websites to an address list and then catch traffic going to those addresses in Mangle:
add action=add-src-to-address-list address-list=Torrent_user_Stage4 address-list-timeout=1w chain=prerouting \
comment="Add torrent user by Torrent Address List \"TorrentSite\"" connection-state=new \
dst-address-list=TorrentSite log=yes log-prefix="/////Site==="
My question is: I’ve been watching the log, and the destination IP address does not match any IP in my Address List. They mostly belong to CloudFront. Is this because the torrent sites are all hiding behind CloudFront? If that’s the case, why can they trigger this mangle rule?
Hi
Try this and tell us if it is OK:
/ip firewall layer7-protocol
add name=L7-All-Torrent regexp="^.(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits|\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x04\x17\x27\x10\x19\x80'7P\).$"