Firewall Against P2P

Hi all,

I have created a simple firewall to block P2P for an internet cafe. Is this practical? I'm wondering what other services are mostly used, so that I can add them to the accept range.

[admin@MikroTik] > ip
[admin@MikroTik] /ip> firewall
[admin@MikroTik] /ip firewall> filter
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established
in-interface=ether1-gateway

2 ;;; default configuration
chain=input action=accept connection-state=related
in-interface=ether1-gateway

3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

4 chain=forward action=accept connection-mark=http

5 chain=forward action=accept connection-mark=DHCP

6 chain=forward action=accept connection-mark=DNS

7 chain=forward action=accept connection-mark=FTP

8 chain=forward action=accept connection-mark=bgp

9 chain=forward action=accept connection-mark=http

10 chain=forward action=accept connection-mark=imap

11 chain=forward action=accept connection-mark=msn

12 chain=forward action=accept connection-mark=pop3

13 chain=forward action=accept connection-mark=smtp

14 chain=forward action=accept connection-mark=ssh

15 chain=forward action=accept connection-mark=ssl

16 chain=forward action=accept connection-mark=yahoo

17 chain=forward action=accept connection-mark=https

18 chain=forward action=drop

regards

Are all of those connection marks actually set up in the router? As for p2p, a lot of p2p travels over ssl and http, so you can’t really block it.

This will block P2P. Just change src-address & time if needed.

/ip firewall layer7-protocol
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
add comment="" name=BITTORENT regexp="^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]\r\n"
/ip firewall filter
add action=add-src-to-address-list address-list=Torrent address-list-timeout=1h30m chain=forward comment=" _Bittorent" disabled=no layer7-protocol=BITTORENT src-address=192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no layer7-protocol=BITTORENT reject-with=icmp-network-unreachable time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=yes layer7-protocol=BITTORENT reject-with=icmp-network-unreachable time=0s-1h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent Announce" address-list-timeout=1h30m chain=forward comment=__Announce disabled=no layer7-protocol=BITTORRENT_ANNOUNCE src-address=192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no layer7-protocol=BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=yes layer7-protocol=BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable time=0s-1h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent udp" address-list-timeout=1h30m chain=forward comment="_6881-6999 udp" disabled=no dst-port=6881-6968,6970-6999 protocol=udp src-address=192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=6881-6968,6970-6999 protocol=udp reject-with=icmp-network-unreachable time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent tcp" address-list-timeout=1h30m chain=forward comment="_6881-6999 tcp" disabled=no dst-port=6881-6968,6970-6999 protocol=tcp src-address=192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=6881-6968,6970-6999 protocol=tcp reject-with=icmp-network-unreachable time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent all-p2p" address-list-timeout=1h30m chain=forward comment=All-p2p disabled=no p2p=all-p2p src-address=192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no p2p=all-p2p reject-with=icmp-network-unreachable time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="Torrent cleaning" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list=Torrent src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=udp reject-with=icmp-network-unreachable src-address-list=Torrent src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list="Torrent Announce" src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=udp reject-with=icmp-network-unreachable src-address-list="Torrent Announce" src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list="Torrent udp" src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=udp reject-with=icmp-network-unreachable src-address-list="Torrent udp" src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list="Torrent tcp" src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=udp reject-with=icmp-network-unreachable src-address-list="Torrent tcp" src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list=Torrent src-port=1000-5000 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list="Torrent Announce" src-port=1000-5000 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list="Torrent udp" src-port=1000-5000 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list="Torrent tcp" src-port=1000-5000 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable src-address-list="Torrent all-p2p" src-port=1000-5000 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat

That regex filter is broken and won’t catch most torrent seeding. It should be:

add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
    get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/\
    |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"

It’s a bit of a long post, but there is a LOT of good information for solving this here: http://forum.mikrotik.com/t/how-block-connection-of-p2p/18495/1
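To see what the missing `|` between the scrape and announce alternatives costs, and what the `^get.+announce.` pattern from the same config sweeps up, here is an added Python harness (not part of the thread and not RouterOS code) that runs the posted BITTORENT regexp, the corrected one, and BITTORRENT_ANNOUNCE over constructed sample payloads. It assumes that RouterOS's layer7 matching, which per MikroTik's documentation is case-insensitive and looks only at the first packets of a connection, is approximated well enough by a case-insensitive Python `re` search on the opening bytes, and that the export's doubled backslashes and `\$` are just RouterOS quoting of the same pattern.

```python
import re

# Added harness, not RouterOS code. POSTED is the BITTORENT regexp as first
# posted, FIXED the corrected one; the only difference is the '|' between the
# scrape and announce alternatives. Both are written without RouterOS export
# escaping (the export doubles backslashes and escapes '$').
POSTED = (r"^(\x13bittorrent protocol|azver\x01$|"
          r"get /scrape\?info_hash=get /announce\?info_hash=|"
          r"get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]\r\n")
FIXED = (r"^(\x13bittorrent protocol|azver\x01$|"
         r"get /scrape\?info_hash=|get /announce\?info_hash=|"
         r"get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]\r\n")
ANNOUNCE = r"^get.+announce."   # BITTORRENT_ANNOUNCE from the same post

# Constructed sample payloads: the opening bytes a layer7 matcher sees on a new
# connection (peer handshake, tracker announce/scrape, DHT ping, an ordinary web
# page whose path happens to contain "announce", and a TLS ClientHello).
SAMPLES = {
    "handshake": "\x13BitTorrent protocol" + "\x00" * 8 + "\x11" * 20 + "-UT3500-" + "0" * 12,
    "announce":  "GET /announce?info_hash=%12%34&peer_id=-UT3500-x&port=6881 HTTP/1.1\r\n"
                 "Host: tracker.example\r\n\r\n",
    "scrape":    "GET /scrape?info_hash=%12%34 HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "dht_ping":  "d1:ad2:id20:" + "N" * 20 + "e1:q4:ping1:t2:aa1:y1:qe",
    "web_news":  "GET /news/announcements.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tls":       "\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
}
TORRENT = {"handshake", "announce", "scrape", "dht_ping"}   # ground truth for the samples

def layer7_match(pattern: str, payload: str) -> bool:
    """Stand-in for a RouterOS layer7 match: a case-insensitive regexp search
    over the opening bytes of the connection (assumption: the RouterOS regexp
    dialect agrees with Python's for these patterns)."""
    return re.search(pattern, payload, re.IGNORECASE | re.DOTALL) is not None

def classify(pattern: str) -> dict:
    """{sample_name: matched?} for every constructed sample."""
    return {name: layer7_match(pattern, data) for name, data in SAMPLES.items()}

def missed_by_posted() -> list:
    """Torrent samples the corrected pattern catches but the posted one does not."""
    posted, fixed = classify(POSTED), classify(FIXED)
    return sorted(n for n in TORRENT if fixed[n] and not posted[n])

def false_positives(pattern: str) -> list:
    """Non-torrent samples that a pattern would still send to the address list."""
    return sorted(n for n, hit in classify(pattern).items() if hit and n not in TORRENT)

if __name__ == "__main__":
    print("missed by posted BITTORENT:", missed_by_posted())    # announce, scrape
    print("false positives of ANNOUNCE:", false_positives(ANNOUNCE))  # web_news
```

Because a layer7 hit puts the client into an address list whose "cleaning" rules then reject its high-port traffic for 1h30m, a false positive on `^get.+announce.` locks that cafe PC out for that long, while a torrent client that opens with encrypted peer traffic (the point made earlier in the thread) never shows these opening bytes at all.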

Thanks for the posts guys. :smiley:

There does seem to be a hitch though. All works fine, but then mails stop sending; the device needs to be rebooted and everything then comes right. The link is on a VSAT connection with just less than 550 kbps, and I was wondering if it had more to do with that and the load the LAN is giving. There are about 20 PCs. I'm not asking for troubleshooting on the LAN, just whether my config could cause this problem.

Regards

Check the CPU usage and see if it is high on the MikroTik.