I am aware that today's p2p traffic is encrypted and cannot be blocked 100%, but I need a way to mitigate it for the users on my network.
I would like to start by blocking torrent and P2P traffic on the network. I looked for the settings that should come closest to working on the version I am running, but it does not seem to work: the firewall filter does not seem to pick up on either the address list or the Layer 7 rules.
Here are the settings that I found and entered into the terminal:
1.
/ip firewall layer7-protocol
# Step 1: layer7 signature "layer7-bittorrent-exp" — matches the BitTorrent
# handshake ("\x13bittorrent protocol"), the Azureus "azver" banner, tracker
# scrape/announce GETs, BitComet client requests and a bencoded "d1:ad2:id20:"
# message (looks like a DHT ping — presumably; verify against protocol docs).
# NOTE(review): a layer7 matcher can only inspect the packets that actually
# reach its filter rule; it cannot see a connection that an earlier rule has
# already accepted.
add comment="Mikrotik Block Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
RP]"
2.
/ip firewall filter
# Step 2: tag LAN hosts (192.168.10.0/24) that are NOT in the "allow-bit"
# address list as "Torrent-Conn" for 2 minutes when a forwarded packet
# matches the layer7 signature. The tag expires 2m after the last match,
# so the drop rules in step 3 only bite while torrent traffic keeps matching.
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward layer7-protocol=\
layer7-bittorrent-exp src-address=192.168.10.0/24 src-address-list=\
!allow-bit
# Same tagging using the built-in p2p matcher instead of layer7.
# NOTE(review): the p2p firewall matcher exists in RouterOS v6 but was
# removed in v7 — confirm the router's version before relying on this rule.
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward p2p=all-p2p src-address=\
192.168.10.0/24 src-address-list=!allow-bit
3.
/ip firewall filter
# Step 3: drop forwarded TCP/UDP from tagged hosts to any destination port
# OUTSIDE the exempt set (0-1024 plus the listed service ports, e.g. 8291
# WinBox, 5900/5800 VNC, 3389 RDP). Traffic from tagged hosts to an exempt
# port is still forwarded, so this is a mitigation, not a hard block.
# These rules depend on step 2 having populated Torrent-Conn first.
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
src-address-list=Torrent-Conn
And this is the export from my router:
# Layer7 entries as exported (the "/ip firewall layer7-protocol" header is above this excerpt).
# "youtube block all": any payload that contains one of the listed YouTube/Google host names.
# NOTE(review): the dots in the host names are not escaped, so each "." matches any
# character; ".google.com" in particular is broad.
add name="youtube block all" regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|yti\
mg.|.google.com|youtube.|i.google.com|googlevideo.com|youtu.be).*\$"
# "Block-Torrents": an HTTP GET whose payload names one of the listed torrent sites.
add comment="Block torrent traffic" name=Block-Torrents regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|\
entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|\
fenopy|gpirate|commonbits).*\$"
# "layer7-bittorrent-exp": BitTorrent handshake, Azureus banner, tracker scrape/announce,
# BitComet requests and a bencoded "d1:ad2:id20:" message. This entry already exists on
# the router, so re-adding an entry with the same name from the terminal would presumably
# be rejected as a duplicate name — verify.
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$|g\
et /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20\
:|\\x08'7P\\)[RP]"
/ip firewall address-list
# Only two static lists are defined: PLDT (its single entry is disabled) and
# allow_youtube (192.168.10.6).
# NOTE(review): no "allow-bit" list exists, so filter rules matching
# src-address-list=!allow-bit apply to every host (and a non-negated
# src-address-list=allow-bit never matches). No "safe" list exists either,
# so the WinBox "safe hosts" exemption in the Brute chain never matches.
add address=192.168.10.6 disabled=yes list=PLDT
add address=192.168.10.6 list=allow_youtube
/ip firewall filter
# Hotspot placeholder chain (disabled, never jumped to here).
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Input-chain rules below up to the PORTSCAN block are all disabled.
add action=accept chain=input comment="PPTP Client" disabled=yes dst-port=1723 protocol=tcp
add action=drop chain=input comment="disable multicast traffic thru router" disabled=yes dst-address-type=\
multicast
add action=accept chain=input comment="Allow limited pings" disabled=yes limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=yes protocol=icmp
add action=drop chain=input disabled=yes dst-port=53 in-interface=LAN protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=LAN protocol=tcp
# Port-scan detection on the input chain: sources showing psd activity or
# abnormal TCP flag combinations are added to "port_scanners" for 2 weeks
# and dropped by the rule at the end of this group.
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment=\
"PORTSCAN Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment=\
"PORTSCAN NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment=\
"PORTSCAN SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment=\
"PORTSCAN SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment=\
"PORTSCAN FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment=\
"PORTSCAN ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment=\
"PORTSCAN NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="PORTSCAN dropping port scanners" src-address-list=port_scanners
# NOTE(review): undocumented rule — nothing says why forwarded UDP with
# source port 6995 is dropped; add a comment= so it is not removed by accident.
add action=drop chain=forward protocol=udp src-port=6995
# SYN flood protection: new forwarded SYNs go to SYN-Protect, which accepts
# up to limit=400,5 and drops the excess.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect \
protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
# YouTube allow/block pair (both disabled).
add action=accept chain=forward disabled=yes layer7-protocol="youtube block all" log-prefix="allow youtube" \
src-address-list=allow_youtube
add action=drop chain=forward comment="Youtube blocking for all devices on the local network" disabled=yes \
layer7-protocol="youtube block all" log-prefix="Block youtube" src-address=192.168.10.0/24
# Windows Update blocking by plain-text content match (enabled).
# NOTE(review): this only matches where the host name appears unencrypted in
# the payload, and blocking OS updates is itself a security trade-off.
add action=reject chain=forward comment=block_WinUp content=update.microsoft.com reject-with=\
icmp-network-unreachable
add action=reject chain=forward comment=block_WinUp content=download.microsoft.com reject-with=\
icmp-network-unreachable
add action=reject chain=forward comment=block_WinUp content=windowsupdate.com reject-with=\
icmp-network-unreachable
# WinBox (tcp/8291) brute-force staging on the input chain. Each new
# connection from a source advances it one stage (stage1 -> stage2 -> stage3
# -> wb_blacklist, each stage valid for 1m); blacklisted sources are dropped
# for 1w3d. The stage rules are ordered blacklist/3/2/1 on purpose so one
# connection moves a source only one stage.
# NOTE(review): the "safe" exemption below needs a populated "safe" address
# list to have any effect.
add action=jump chain=input comment="Check Brute" dst-port=8291 jump-target=Brute protocol=tcp
add action=accept chain=Brute comment="Allow WinBox safe hosts" connection-state=new dst-port=8291 \
protocol=tcp src-address-list=safe
add action=add-src-to-address-list address-list=wb_blacklist address-list-timeout=1w3d chain=Brute comment=\
"WinBox brute forcers blacklisting" connection-state=new dst-port=8291 protocol=tcp src-address-list=\
wb_stage3
add action=add-src-to-address-list address-list=wb_stage3 address-list-timeout=1m chain=Brute comment=\
"WinBox brute forcers the third stage" connection-state=new dst-port=8291 protocol=tcp \
src-address-list=wb_stage2
add action=add-src-to-address-list address-list=wb_stage2 address-list-timeout=1m chain=Brute comment=\
"WinBox brute forcers the second stage" connection-state=new dst-port=8291 protocol=tcp \
src-address-list=wb_stage1
add action=add-src-to-address-list address-list=wb_stage1 address-list-timeout=1m chain=Brute comment=\
"WinBox brute forcers the first stage" connection-state=new dst-port=8291 protocol=tcp
add action=drop chain=Brute comment="Drop WinBox brute forcers" dst-port=8291 protocol=tcp \
src-address-list=wb_blacklist
# Legacy worm/backdoor port block list on the forward chain. Several entries
# overlap or repeat (tcp/5933 twice, tcp/2745 twice, 135/139 and 445 covered
# more than once) and three carry a "________" placeholder comment.
add action=drop chain=forward comment="conficker virus block" dst-port=135 protocol=tcp
add action=drop chain=forward comment="conficker virus block" dst-port=139 protocol=tcp
add action=drop chain=forward comment="conficker virus block" dst-port=5933 protocol=tcp
add action=drop chain=forward comment="conficker virus block" dst-port=138 protocol=udp
add action=drop chain=forward comment="conficker virus block" dst-port=5933 protocol=tcp
add action=drop chain=forward comment="conficker virus block" dst-port=137 protocol=udp
add action=drop chain=forward comment="conficker virus block" dst-port=135 protocol=udp
add action=drop chain=forward comment="ubnt exploit" dst-port=10001 protocol=tcp
add action=drop chain=forward comment="ubnt exploit" dst-port=10001 protocol=udp
add action=drop chain=forward comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=forward comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=forward comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=forward comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=forward comment=________ dst-port=593 protocol=tcp
add action=drop chain=forward comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=forward comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=forward comment=________ dst-port=1214 protocol=tcp
add action=drop chain=forward comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=forward comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=forward comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=forward comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=forward comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=forward comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=forward comment="Bagle forward" dst-port=2745 protocol=tcp
add action=drop chain=forward comment="Drop Dumaru.Y" dst-port=2283 protocol=tcp
add action=drop chain=forward comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=forward comment="Drop Beagle.C-K" dst-port=2745 protocol=tcp
add action=drop chain=forward comment="Drop MyDoom" dst-port=3127-3128 protocol=tcp
add action=drop chain=forward comment="Drop Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=forward comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=forward comment=Worm dst-port=4444 protocol=udp
add action=drop chain=forward comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=forward comment="Drop Beagle.B" dst-port=8866 protocol=tcp
add action=drop chain=forward comment="Drop Dabber.A-B" dst-port=9898 protocol=tcp
add action=drop chain=forward comment="Drop Dumaru.Y" dst-port=10000 protocol=tcp
add action=drop chain=forward comment="Drop MyDoom.B" dst-port=10080 protocol=tcp
add action=drop chain=forward comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=forward comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=forward comment="Drop SubSeven" dst-port=27374 protocol=tcp
add action=drop chain=forward comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
# NOTE(review): this accept sits BEFORE all the torrent rules at the end of
# this chain. Once a connection's handshake has been answered, its further
# packets are connection-state=established and are accepted right here, so
# the layer7 tagging rule further down only ever sees the first packet of a
# connection and never the payload it has to match. This is the most likely
# reason Torrent-Conn stays empty. Placing the layer7/address-list tagging
# rules above this accept (still after the worm drops) lets them inspect
# the whole connection; the Torrent-Conn drop rules can then follow them.
add action=accept chain=forward comment="Accept Established" connection-state=established
# NOTE(review): the comment says "Accept Related" but the rule accepts
# allow_youtube hosts matching the youtube layer7 entry; there is no
# connection-state=related accept in the forward chain at all.
add action=accept chain=forward comment="Accept Related" layer7-protocol="youtube block all" \
src-address-list=allow_youtube
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=accept chain=output connection-state=established
add action=accept chain=output connection-state=related
add action=drop chain=output connection-state=invalid
# NOTE(review): "layer7-protocol=*2" (and "*4" below) appears to be how the
# export prints a reference to a layer7 entry that no longer exists; these
# disabled rules are dangling and can be removed.
add action=add-src-to-address-list address-list=Bittorrent_users address-list-timeout=5m chain=forward \
comment=Bittorrent_users disabled=yes layer7-protocol=*2
# Disabled: drop+log on the Block-Torrents (HTTP GET) signature toward LAN.
add action=drop chain=forward comment="Block torrent filter" disabled=yes layer7-protocol=Block-Torrents \
log=yes out-interface=LAN
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward \
disabled=yes layer7-protocol=*4 src-address=192.168.10.0/24 src-address-list=!allow-bit
# NOTE(review): disabled, and src-address-list=allow-bit is NOT negated here,
# unlike the neighbouring rules — as written it would tag only the exempt hosts.
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward \
disabled=yes p2p=all-p2p src-address=192.168.10.0/24 src-address-list=allow-bit
# Enabled: drop tagged hosts to non-exempt ports (tcp, then udp).
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
src-address-list=Torrent-Conn
# Enabled: the only active rule that populates Torrent-Conn. See the note at
# "Accept Established" above about why it currently never matches.
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward \
layer7-protocol=layer7-bittorrent-exp src-address=192.168.10.0/24 src-address-list=!allow-bit
# Disabled duplicates of the three enabled rules above.
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward \
disabled=yes layer7-protocol=layer7-bittorrent-exp src-address=192.168.10.0/24 src-address-list=\
!allow-bit
add action=drop chain=forward disabled=yes dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=\
tcp src-address-list=Torrent-Conn
add action=drop chain=forward disabled=yes dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=\
udp src-address-list=Torrent-Conn
/ip firewall mangle
# Disabled dual-WAN (PCC) connection/routing marking for "Sky ether1" and
# "PLDT at ether2". NOTE(review): ISP2_conn is mapped to to_GLOBE in the
# prerouting rule but to to_PLDT in the output rule — inconsistent names.
add action=accept chain=prerouting disabled=yes dst-address=192.168.0.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.1.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface="Sky ether1" \
new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=\
"PLDT at ether2" new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local \
new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=both-addresses:2/0 src-address=\
192.168.10.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local \
new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=both-addresses:2/1 src-address=\
192.168.10.0/24
add action=mark-routing chain=prerouting connection-mark=ISP1_conn disabled=yes new-routing-mark=to_SKY \
passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=prerouting connection-mark=ISP2_conn disabled=yes new-routing-mark=to_GLOBE \
passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=output connection-mark=ISP1_conn disabled=yes new-routing-mark=to_SKY \
passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_conn disabled=yes new-routing-mark=to_PLDT \
passthrough=no
# Enabled: hosts in the PLDT address list are routed via to_PLDT (the list's
# only entry is currently disabled, so this matches nothing).
add action=mark-routing chain=prerouting comment="to PLDT" new-routing-mark=to_PLDT passthrough=no \
src-address-list=PLDT
add action=accept chain=prerouting comment=">>>>> SEPARATOR (DO NOT ENABLE)" disabled=yes
# QoS packet marking. "crit-*" chains assign the critical marks
# (dnld/upld_pr1_crit, _pr2_crit); "beff-*" chains assign best-effort marks
# (dnld_pr6_beff for HTTP, dnld/upld_pr8_beff for bulk transfers over
# 2500000 bytes at 2500-1G rate).
add action=jump chain=prerouting comment="NEW CONNECTIONS" connection-state=new in-interface=all-ethernet \
jump-target=crit-dnld-pr1
add action=jump chain=postrouting connection-state=new jump-target=crit-upld-pr1 out-interface=all-ethernet
add action=jump chain=prerouting jump-target=crit-dnld-pr1 port=53 protocol=udp
add action=jump chain=prerouting connection-bytes=2500000-0 connection-rate=2500-1G in-interface=\
"Sky ether1" jump-target=beff-bulk-download protocol=tcp
add action=jump chain=prerouting connection-bytes=2500000-0 connection-rate=2500-1G in-interface=\
"PLDT at ether2" jump-target=beff-bulk-download protocol=tcp
add action=mark-packet chain=beff-bulk-download new-packet-mark=dnld_pr8_beff passthrough=no
add action=return chain=beff-bulk-download
add action=jump chain=postrouting comment="BIG BYTES (OUT)" connection-bytes=2500000-0 connection-rate=\
2500-1G jump-target=beff-bulk-upload out-interface="Sky ether1" protocol=tcp
add action=jump chain=postrouting connection-bytes=2500000-0 connection-rate=2500-1G jump-target=\
beff-bulk-upload out-interface="PLDT at ether2" protocol=tcp
add action=mark-packet chain=beff-bulk-upload new-packet-mark=upld_pr8_beff passthrough=no
add action=return chain=beff-bulk-upload
add action=jump chain=prerouting in-interface="Sky ether1" jump-target=beff-http-down port=80,443 protocol=\
tcp
add action=jump chain=prerouting in-interface="PLDT at ether2" jump-target=beff-http-down port=80,443 \
protocol=tcp
add action=jump chain=prerouting in-interface="Sky ether1" jump-target=beff-http-down port=80,443 protocol=\
udp
add action=jump chain=prerouting in-interface="PLDT at ether2" jump-target=beff-http-down port=80,443 \
protocol=udp
add action=jump chain=beff-http-down connection-bytes=2500000-0 jump-target=beff-bulk-download protocol=tcp
add action=mark-packet chain=beff-http-down new-packet-mark=dnld_pr6_beff passthrough=no
add action=return chain=beff-http-down
add action=jump chain=prerouting in-interface="Sky ether1" jump-target=crit-dnld-pr2 protocol=tcp \
tcp-flags=syn
add action=jump chain=prerouting in-interface="PLDT at ether2" jump-target=crit-dnld-pr2 protocol=tcp \
tcp-flags=syn
add action=jump chain=postrouting jump-target=crit-upld-pr2 out-interface="Sky ether1" protocol=tcp \
tcp-flags=syn
add action=jump chain=postrouting jump-target=crit-upld-pr2 out-interface="PLDT at ether2" protocol=tcp \
tcp-flags=syn
add action=jump chain=forward comment="PR1 - RTP conn/packet" jump-target=crit-dnld-pr1 port=10000-20000 \
protocol=udp
add action=jump chain=forward comment="PR1 -- FACETIME" jump-target=crit-dnld-pr2 port=5223,4080,3478 \
protocol=tcp
add action=mark-connection chain=forward comment="DSCP 46 (VoIP)" connection-mark=no-mark dscp=46 \
new-connection-mark=VoIP-conn passthrough=yes
add action=jump chain=prerouting comment="PR2 -- SIP (VoIP)" jump-target=crit-dnld-pr1 port=5060-5061 \
protocol=tcp
add action=jump chain=prerouting jump-target=crit-dnld-pr1 port=5060-5061 protocol=udp
# NOTE(review): no rule in this export jumps to beff-p2p, so the
# dnld_pr8_lmtd mark is never applied.
add action=mark-packet chain=beff-p2p new-packet-mark=dnld_pr8_lmtd passthrough=no
add action=return chain=beff-p2p
add action=accept chain=prerouting comment=">>>>> SEPARATOR (DO NOT ENABLE)" disabled=yes
add action=mark-packet chain=crit-dnld-pr1 new-packet-mark=dnld_pr1_crit passthrough=no
add action=return chain=crit-dnld-pr1
add action=mark-packet chain=crit-dnld-pr2 new-packet-mark=dnld_pr2_crit passthrough=no
add action=return chain=crit-dnld-pr2
add action=mark-packet chain=crit-upld-pr1 new-packet-mark=upld_pr1_crit passthrough=no
add action=return chain=crit-upld-pr1
add action=mark-packet chain=crit-upld-pr2 new-packet-mark=upld_pr2_crit passthrough=no
add action=return chain=crit-upld-pr2
# NOTE(review): as exported these three rules match on protocol=tcp only —
# no address, port, layer7 or connection-mark=no-mark condition — so every
# TCP connection is marked FACEBOOK-CONN and then immediately re-marked
# YOUTUBE-CONN (passthrough=yes); the third rule duplicates the second.
# Presumably a layer7/address-list matcher was meant to be attached — verify.
add action=mark-connection chain=prerouting new-connection-mark=FACEBOOK-CONN passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting new-connection-mark=YOUTUBE-CONN passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting new-connection-mark=YOUTUBE-CONN passthrough=yes protocol=tcp
# Catch-all connection mark for anything not marked above (forward chain).
add action=mark-connection chain=forward comment=other-connection new-connection-mark=other-con \
passthrough=yes