P2P connections stay established with drop rule.

craigmyster · January 17, 2008, 12:21pm

I use os 2.9.50. I have the following fw rule

1 ;;; Block P2P Traffic
chain=forward p2p=all-p2p action=drop

I see the counter for the rule going up. My question is there are still many established tcp connections that are marked as edonkey/bittorrent. Why is the f/w not dropping these connections?

I have rebooted the router to flush all connections after I made the rule. I have watched it for a few days after that but the connections seem to keep coming in.

alex_rhys-hurn · January 17, 2008, 7:30pm

This topic has been covered many times in the forums.

The firewall rule to drop p2p connections only works to drop NEW connections. Any EXISTING connections will continue to operate.

You could try to set a simple queue to throttle back the p2p sessions and set it to a really slow speed like 8kbps each way.

jordantrx · January 17, 2008, 9:00pm

EVERY time i try to enable all p2p, and rate limit it using simple queue’s, it drops all queue, even the simple queue, it allows the client to have unlimited download/upload access, I have asked around without reply.. How do you enable p2p without loosing your simple queue, and it somehow enabeling unlimited data up/down. anybody else have this problem? I Do… Thanks -Jordan

alex_rhys-hurn · January 18, 2008, 7:45am

Please can you put your configuration here so that we can see what you are trying to achieve.

Rgds

Alex

craigmyster · January 18, 2008, 11:25am

After I created the rule I rebooted to drop all connections. The firewall rule was in place at the time of the router coming back up. Should all subsequent p2p connections be dropped?

alex_rhys-hurn · January 18, 2008, 1:43pm

all subsequent connections should be dropped, yes.

However existing connections in my experience are not always dropped. AS far as I can tell this is due to the connection tracking not expiring sessions for the default time which is quite long.

You may have more luck by switching off conntrack rebooting then putting conntrack back on.

I am confused however, are you saying that the firewall rule is not dropping NEW connections as expected or are you trying to deal with existing connections?

Rgds

Alex

craigmyster · January 19, 2008, 4:14am

Alex;
I am trying to deal with new connections. The drop rule is not dropping new connections. They get established. Maybe something wrong with my router.

Craig

cmon69 · January 30, 2008, 4:53am

Same thing here! New Bittorrent connections not droped.

normis · January 30, 2008, 1:43pm

post your rules please. remember that you need to disconnect the clients for the rule to start taking effect.

erjon · May 15, 2008, 8:40pm

this rule does have to be before Accept forward estabilished connections rule?

jwcn · May 15, 2008, 9:08pm

Here is mine. Works perfectly. It is a simple queue.

6 name=“P2P” dst-address=0.0.0.0/0 interface=all parent=none direction=bot>
priority=8 queue=RED/RED limit-at=64000/64000 max-limit=64000/64000
total-queue=default-small p2p=all-p2p