I have a p2p firewall rule set up like this:
add chain=forward p2p=all-p2p time=7h30m-22h00m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" disabled=no
It works fine.
I want to make it so that the rule only applies to certain IP ranges, so I added this:
add chain=forward src-address=10.10.54.0/24 p2p=all-p2p time=7h30m-23h55m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" disabled=no
I was hoping this would make it so anyone with a 10.10.54.* address would have limited p2p access between 7:30am and 10pm.
Help please.
janisk
August 2, 2006, 1:43pm
2
It looks OK, just add another rule to do the same for dst-address too so all packets are going to be dropped.
OK, I've updated the rule but p2p still gets through. With the src and dst addresses removed the rule works fine.
chain=forward src-address=10.10.54.0/24 dst-address=10.10.54.0/24 p2p=all-p2p time=7h30m-22h,sat,fri,thu,wed,tue,mon,sun action=drop
Hi, I tried that rule... it works fine...
but if the p2p client is already connected it doesn't drop the connection...
Any clues!?
sten
October 18, 2006, 10:53pm
6
Because p2p matching only happens once (somewhere around the beginning of a connection): all-p2p only matches a single packet in a given connection.
Instead, mark p2p traffic in mangle forward with a connection mark and then change the filter rule to drop packets belonging to that connection mark.
Djeeze
OK, I've set up the connection mark:
chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p-conn-drop passthrough=yes
and then the firewall rule:
;;; p-2-p Control
chain=forward src-address=10.10.54.0/24 dst-address=10.10.54.0/24 connection-mark=p2p-conn-drop p2p=all-p2p action=drop
The idea once again was to stop any customer whose address is in the 10.10.54.* pool.
What am I missing??
It should be like this:
/ ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=p2p_connection p2p=all-p2p passthrough=yes
/ ip firewall mangle add action=mark-packet chain=prerouting connection-mark=p2p_connection new-packet-mark=p2p_packet passthrough=yes
/ ip firewall filter add action=drop chain=forward packet-mark=p2p_packet
In addition to what macgaiver said, you need to have two separate rules to drop P2P for this to work, i.e.
/ ip firewall filter add chain=forward src-address=10.10.54.0/24 packet-mark=p2p_packet p2p=all-p2p action=drop
/ ip firewall filter add chain=forward dst-address=10.10.54.0/24 packet-mark=p2p_packet p2p=all-p2p action=drop
Just replace the last rule in Macgaiver’s post with these two rules.
janisk
November 16, 2006, 10:03am
10
Strange, it seems p2p programs have been updated.
Thanks for the help guys.
Mac's part works like a trick; I can see the counters for both the packet and connection mark working and counting together. Cheers.
Skillful, the rules do not seem to stop the 10.10.54.0 subnet. Do the rules have to be on the wireless MT? I have one as my gateway and the other as my AP; I have put the rules on the gateway, not the AP.
Cheers
Jrslick22, the rules have been modified slightly as follows:
/ ip firewall filter add chain=forward src-address=10.10.54.0/24 packet-mark=p2p_packet action=drop
/ ip firewall filter add chain=forward dst-address=10.10.54.0/24 packet-mark=p2p_packet action=drop
Put these rules on the MT closest to the source IP. It works for me.
jose
December 2, 2006, 4:14pm
13
What would happen if I just put
/ip firewall filter add chain=forward p2p=all-p2p action=drop ?
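As an added example, not code from any of the posters: the rule set this thread converges on, assembled in one place, with the subnet and the 07:30-22:00 window from the first post put back in. It also covers the two points raised along the way: sten's observation that all-p2p matches only one packet per connection (which is why a single `p2p=all-p2p` drop, as in the question just above, catches new connections but not a client that was already connected), and the note that the rules must sit on the router that actually forwards the traffic. Everything beyond the thread's own rules is an assumption: the mangle rules in prerouting as macgaiver had them, the comment strings, the counter check, and the connection-table flush used to re-classify flows that were already open before the rules existed.

```routeros
# Added example (not from the thread). Assumptions: customer pool is
# 10.10.54.0/24, blocking window is 07:30-22:00 every day, RouterOS version
# still provides the p2p matcher.

# 1. Classify once. The p2p matcher fires only on the packet(s) that carry
#    the protocol signature, so store the verdict on the connection ...
/ip firewall mangle
add chain=prerouting p2p=all-p2p action=mark-connection \
    new-connection-mark=p2p_connection passthrough=yes \
    comment="tag the whole connection the first time p2p is recognised"

# 2. ... then copy the connection mark onto every packet of that connection,
#    so later packets of an already-running transfer are matchable too.
add chain=prerouting connection-mark=p2p_connection action=mark-packet \
    new-packet-mark=p2p_packet passthrough=yes \
    comment="every packet of a marked connection inherits the mark"

# 3. Drop on the packet mark only. Adding p2p=all-p2p to these rules again
#    would restrict them to the single packet the classifier matched.
/ip firewall filter
add chain=forward src-address=10.10.54.0/24 packet-mark=p2p_packet \
    time=7h30m-22h,sun,mon,tue,wed,thu,fri,sat action=drop \
    comment="p2p control: traffic from the customer pool"
add chain=forward dst-address=10.10.54.0/24 packet-mark=p2p_packet \
    time=7h30m-22h,sun,mon,tue,wed,thu,fri,sat action=drop \
    comment="p2p control: traffic back to the customer pool"

# 4. Connections that were open before the mangle rules existed were never
#    classified and stay unmarked. Drop them from the tracking table so the
#    clients reconnect and get classified on the new connection.
/ip firewall connection remove [find src-address~"10.10.54."]

# 5. Check: while a client in the pool is transferring, the two mangle
#    counters and the two filter counters should climb together. If the
#    mangle counters climb but the filter counters stay at zero, the rules
#    are on a box that is not forwarding the traffic (gateway vs AP).
/ip firewall mangle print stats
/ip firewall filter print stats
```

The time restriction lives on the filter rules rather than on the mangle rules on purpose: marking happens around the clock, so a transfer that started inside the window is still marked when the window closes and the drop rules stop matching, and the same marks can be reused for queueing outside the window without re-classifying.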