trottolino1970
Member Candidate
Topic Author
Posts: 192
Joined: Thu May 17, 2007 4:25 pm

how block connection of p2p?

Fri Jan 18, 2008 5:17 pm

How to block p2p connections?
 
Chupaka
Forum Guru
Posts: 8290
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: how block connection of p2p?

Fri Jan 18, 2008 5:45 pm

ip firewall filter add chain=forward p2p=all-p2p action=drop
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
rxrxrx
Frequent Visitor
Posts: 95
Joined: Fri Mar 13, 2009 4:45 pm

Re: how block connection of p2p?

Mon Oct 19, 2009 12:02 am

that is amazing!
 
NetworkPro
Forum Guru
Posts: 1369
Joined: Mon Jan 05, 2009 6:23 pm
Location: Worldwide

Re: how block connection of p2p?

Mon Oct 19, 2009 9:14 am

For some years now good p2p software can obfuscate and encrypt its connections so routers don't know it's a p2p connection.

Instead of dropping p2p like that I suggest you implement traffic prioritization per traffic type or at least the new http://wiki.mikrotik.com/wiki/Connection_Rate easy QoS. You may still need it even if you drop unencrypted p2p connections because the encrypted ones may still take bandwidth and transmission time on your network.

And keep in mind that the easiest way to achieve QoS is to overprovision the bandwidth :) And even with QoS working pretty well - more bandwidth makes it at least double the good feeling of the users and in cases with connections under 2 Mbit/s - more BW is a must.
wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Oct 19, 2009 11:21 am

Hi,

I did need to block all P2P and did it sort of like Chupaka said. My basic setup is based on http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling but I have made some modifications. My setup also tags encrypted packets (SSL) on non-SSL ports.
This will however not block P2P that uses 443. But there are not many at the moment.

I have done some tests and I have not yet been able to make BitTorrent work. I use an RB1000 to back up my rule set. :)

Mangle
2 chain=prerouting action=jump jump-target=p2p-service layer7-protocol=DIRECTCONNECT
3 chain=prerouting action=jump jump-target=p2p-service p2p=all-p2p
4 chain=prerouting action=jump jump-target=p2p-service layer7-protocol=BITTORRENT2
5 chain=prerouting action=jump jump-target=tcp-services connection-state=new protocol=tcp dst-port=443
6 chain=prerouting action=jump jump-target=p2p-service connection-state=new protocol=tcp layer7-protocol=HTTPS dst-port=!443
7 chain=prerouting action=jump jump-target=tcp-services tcp-flags=syn connection-state=new protocol=tcp
8 chain=prerouting action=jump jump-target=udp-services connection-state=new protocol=udp
9 chain=prerouting action=jump jump-target=other-services connection-state=new
10 chain=p2p-service action=mark-connection new-connection-mark=p2p passthrough=no
26 chain=tcp-services action=mark-connection new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535 dst-port=443

Filter
5 ;;; Drop and log all P2P
chain=forward action=add-src-to-address-list src-address-list=local-addr address-list=p2p-users address-list-timeout=4w3d connection-mark=p2p
6 chain=forward action=log connection-mark=p2p log-prefix="P2P"
7 chain=forward action=jump jump-target=drop connection-mark=p2p

L7
HTTPS: Regexp
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
BITTORRENT2: Regexp
^(\x13bittorrent protocol)
DIRECTCONNECT: Regexp
^(\$mynick |\$lock |\$key )
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
NetworkPro

Re: how block connection of p2p?

Mon Oct 19, 2009 11:59 am

Oh cool. Try uTorrent with Encryption turned on (Enabled) and try to download a torrent file that has many seeders, for example a Linux distro, for example a SuSE distribution via BT. Test your setup against that :)

normis
MikroTik Support
Posts: 24042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how block connection of p2p?

Mon Oct 19, 2009 12:03 pm

> Oh cool. Try uTorrent with Encryption turned on (Enabled) and try to download a torrent file that has many seeders, for example a Linux distro, for example a SuSE distribution via BT. Test your setup against that :)

Against that you can try to use a transparent proxy for port 80 TCP and block everything else :)
No answer to your question? How to write posts
 
TKITFrank

Re: how block connection of p2p?

Mon Oct 19, 2009 12:17 pm

Tried uTorrent (encrypted and non-encrypted) and The Pirate Bay, also tried to download RouterOS from the MikroTik torrent. No luck :)
Did a test in June this year. I have not tested if the new client drops as well. But I drop a load of packets so I guess it is still working. :)

I want to use the Web-Proxy but my setup protects a shitload of students. At the moment they can not fingerprint my setup. But they regularly check again if we use a proxy, and there they can see what type of system I am using :(

normis

Re: how block connection of p2p?

Mon Oct 19, 2009 12:18 pm

That's good, but if you will force encryption, these patterns will not work so nice.

TKITFrank

Re: how block connection of p2p?

Mon Oct 19, 2009 12:23 pm

If I am not mistaken I did just that. Can you have encrypted otherwise? :S
I will try it in an hour or two to confirm this.

NetworkPro

Re: how block connection of p2p?

Mon Oct 19, 2009 12:34 pm

When testing, wait longer for example 5 or even 10 mins after starting the torrent, to be sure. Finding a seeder that has encryption could take time, depending on settings, number of new connections per second etc...

And those students will just use VPN and still get what they need from p2p :)

TKITFrank

Re: how block connection of p2p?

Mon Oct 19, 2009 12:38 pm

Nope, no joy. I am currently downloading the complete RouterOS torrent but it is all red... And I have encryption set to Forced.
I have waited 7,30 min at the moment.

Any ideas how to bypass?
Or a link to a torrent that will work perhaps?

Most VPN will not work with my current setup. SSL-VPN will work however...

xezen
Long time Member
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: how block connection of p2p?

Mon Oct 19, 2009 1:29 pm

I don't get this. Are you asking for ways to test bypassing the firewall, or testing how good your firewall rules are?

As there are many ways to bypass a firewall with p2p?

Are you using uTorrent to download?

As I have some tricks you can try out.
If i dont No Ask someone That Does!
 
NetworkPro

Re: how block connection of p2p?

Mon Oct 19, 2009 1:43 pm

Well let it get a list of seeders! Can it reach the announcer?

TKITFrank

Re: how block connection of p2p?

Mon Oct 19, 2009 2:28 pm

It can list how many seeders there are. But none get connected.
I can't open it to try to get some connections because it's in a production environment.

So I think it still works. :)
Feel free to test the rules if it works for you.

NetworkPro

Re: how block connection of p2p?

Mon Oct 19, 2009 3:25 pm

Try to Uninstall and ReInstall (clean) uTorrent with the latest version, also try from another host. Sometimes uTorrent messes its configs. Thanks.

TKITFrank

Re: how block connection of p2p?

Mon Oct 19, 2009 3:35 pm

I just did on the test machine (netbook). It was a clean install from the factory and a new install of uTorrent.
My previous setup was an old test laptop but the results seem to be the same :)

NetworkPro

Re: how block connection of p2p?

Mon Oct 19, 2009 3:53 pm

Your customers can still use websites and Skype etc etc right? Even after they try and download torrents ?

xezen

Re: how block connection of p2p?

Mon Oct 19, 2009 3:54 pm

And what if you set uTorrent's port to port 80?

And not random on startup?

TKITFrank

Re: how block connection of p2p?

Mon Oct 19, 2009 4:56 pm

Yes they can still use "Internet" my "address-list" is for my monitoring only.
Is that port not only for incoming connections?

NetworkPro

Re: how block connection of p2p?

Tue Apr 20, 2010 2:57 am

Hey, why does the p2p filter of MT not catch uTP?

Someone pleazzzzze share the uTP Layer 7 matcher. Thanks.

TKITFrank

Re: how block connection of p2p?

Tue Apr 20, 2010 1:00 pm

Hi,

I found out the other day that the new uTorrent can bypass my rules. My new approach is to block the "announce" and normal BitTorrent traffic by L7 and disable DHT/peer sharing via DNS and filter rules. This makes it impossible to connect and thereby removes the ability to initialize the encrypted traffic.

I can say that it works like a charm.
The same goes for magnetic links.

I have tried to download 3 different torrents in under 48 hours with no success with 4 different torrent clients:
uTorrent, Azureus (Vuze), BitLord, and BitComet.

This is an ongoing war but for now it works.
It's probably not 100% but I have not yet found out how to bypass my protection.

I can post config later this day or tomorrow.

timreichhart
Frequent Visitor
Posts: 76
Joined: Sun Feb 07, 2010 9:11 pm

Re: how block connection of p2p?

Tue Apr 20, 2010 7:42 pm

Is there a way to filter or block p2p on an internal IP address? Let's say a customer is NATed from a public real-world IP to an internal IP; is there any way to filter/block the internal IP for the p2p?
 
TKITFrank

Re: how block connection of p2p?

Wed Apr 21, 2010 7:57 am

Here is the config
DNS
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=no name=router.bitcomet.net ttl=1d

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

I use the L7 in the mangle rules combined with the normal MikroTik p2p detection and mark them as p2p, and then I have a filter that blocks it.

This disables the normal tracker and the DHT and peer exchange.

Please try it and if you can find any way to get around it please let me know :)

p.s
You will have to disable outbound DNS queries and only allow the DNS server in the MikroTik.
d.s
 
timreichhart

Re: how block connection of p2p?

Mon Apr 26, 2010 9:58 pm

Is there any way that you can block an internal IP from p2p protocols?
 
TKITFrank

Re: how block connection of p2p?

Tue Apr 27, 2010 7:50 am

The above post is about protecting a school network (internal) from using P2P.

timreichhart

Re: how block connection of p2p?

Tue Apr 27, 2010 7:14 pm

So you're saying you have to use static DNS in order to make that work, if I am understanding your post correctly.
 
TKITFrank

Re: how block connection of p2p?

Wed Apr 28, 2010 7:55 am

Correct that is the only way I have found to filter out / block DHT or magnetic links.

Muqatil
Trainer
Posts: 574
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: how block connection of p2p?

Wed Apr 28, 2010 9:40 am

You say it's a school, so I may assume the users need only HTTP traffic, POP and SMTP, Skype maybe and MSN?
Why don't you block everything except the mentioned protocols? Wouldn't it be easier than a world war against P2P?
Renato Bernardi

skype: medtech5
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: how block connection of p2p?

Wed Apr 28, 2010 11:04 am

I also wanted to point out that your DNS could be simplified by using regex matching for the name.

Ex. To redirect any traffic for domain utorrent.com and *.utorrent.com
/ip dns static add name=".*\\(^\\|\\.\\)utorrent\\.com" address=127.0.0.1
This matches utorrent.com, a.utorrent.com, a.b.c.utorrent.com, but not abcutorrent.com

Ex. To redirect any traffic for domain vuze.com and *.vuze.com
/ip dns static add name=".*\\(^\\|\\.\\)vuze\\.com" address=127.0.0.1
This way, you can protect against the sub-domains changing; the main domain still gets blocked. Also, you'd only have one rule per domain.

Just a helpful hint.

ADD: So your new rule-set would be:
/ip dns static
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)utorrent\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)vuze\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.org" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.net" ttl=1d
Hope this helps.
Doug
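
To check the regex approach above against the name-by-name list in TKITFrank's post, here is an added Python example (not from the thread or from RouterOS). It carries the five posted BRE-style patterns over to Python syntax, resolves each of the twelve hostnames from the earlier static list through them, and confirms the behaviour dssmiktik describes: the apex and any depth of sub-domain hit the sinkhole while a look-alike such as abcutorrent.com does not. The example assumes a static entry must match the whole queried name (hence `fullmatch`); the upstream answers are constructed.

```python
import re

SINKHOLE = "127.0.0.1"

# dssmiktik's entries as exported by RouterOS, e.g.  name=".*\\(^\\|\\.\\)utorrent\\.com"
# unescape once to the BRE  .*\(^\|\.\)utorrent\.com ; the same expression in Python syntax:
DOMAIN_RULES = [
    (re.compile(r".*(^|\.)utorrent\.com"), SINKHOLE),
    (re.compile(r".*(^|\.)vuze\.com"), SINKHOLE),
    (re.compile(r".*(^|\.)bitcomet\.org"), SINKHOLE),
    (re.compile(r".*(^|\.)bitcomet\.com"), SINKHOLE),
    (re.compile(r".*(^|\.)bitcomet\.net"), SINKHOLE),
]


def resolve(name: str, upstream: dict[str, str]) -> str:
    """Static regex entries first (assumed to match the whole queried name), then the upstream answer."""
    name = name.lower().rstrip(".")
    for rx, address in DOMAIN_RULES:
        if rx.fullmatch(name):
            return address
    return upstream.get(name, "NXDOMAIN")


# The twelve hostnames TKITFrank listed one by one in the earlier post.
LISTED_NAMES = [
    "router.utorrent.com", "dht.vuze.com", "vrpc.vuze.com", "vzrpx020.vuze.com",
    "vzapp020.vuze.com", "client.vuze.com", "mirror-user1.bitcomet.org", "ip.bitcomet.org",
    "jp.bitcomet.com", "torrent-cache.bitcomet.org", "inside.bitcomet.com", "router.bitcomet.net",
]

# Constructed upstream answers for names that must keep resolving normally.
UPSTREAM = {
    "www.example.org": "192.0.2.10",
    "abcutorrent.com": "192.0.2.20",           # look-alike without a label boundary
    "utorrent.com.example.net": "192.0.2.30",  # only a prefix resembles the blocked domain
}


def coverage_report() -> dict:
    covered = [n for n in LISTED_NAMES if resolve(n, UPSTREAM) == SINKHOLE]
    return {
        "covered": len(covered), "total": len(LISTED_NAMES),
        "apex": resolve("utorrent.com", UPSTREAM),
        "nested": resolve("a.b.c.utorrent.com", UPSTREAM),
        "lookalike": resolve("abcutorrent.com", UPSTREAM),
        "suffix": resolve("utorrent.com.example.net", UPSTREAM),
        "unrelated": resolve("www.example.org", UPSTREAM),
    }


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key:10s}: {value}")
```

As TKITFrank notes in his p.s. above, a sinkhole of this kind only bites if the clients cannot reach any resolver other than the router's own, so the static entries go together with the rule blocking outbound DNS.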
 
TKITFrank

Re: how block connection of p2p?

Wed Apr 28, 2010 12:09 pm

Hi,

This school's policy is to allow all ports outbound except P2P and SMTP/NETBIOS (due to viruses and spam). I have also blocked DNS outbound due to P2P so they can only access DNS from the RB1000.
My current setup for this network is a different firewall from the government firewall, so they are alone on this RB1000. So I don't have to worry about restricting ports for the government offices.


dssmiktik, Thank you! That was a nice thing with the regexp. I will try it later this week or next :)

normis

Re: how block connection of p2p?

Wed Apr 28, 2010 12:17 pm

> Hi,
>
> This school's policy is to allow all ports outbound except P2P and SMTP/NETBIOS (due to viruses and spam). I have also blocked DNS outbound due to P2P so they can only access DNS from the RB1000.
> My current setup for this network is a different firewall from the government firewall, so they are alone on this RB1000. So I don't have to worry about restricting ports for the government offices.
>
> dssmiktik, Thank you! That was a nice thing with the regexp. I will try it later this week or next :)

give him some karma ;)

TKITFrank

Re: how block connection of p2p?

Wed Apr 28, 2010 12:21 pm

Hehehe he is on the way to becoming Buddha!
Done ;)

kameelperdza
Member
Posts: 469
Joined: Thu Nov 27, 2008 11:45 am
Location: Oudtshoorn, South Africa

Re: how block connection of p2p?

Sat May 08, 2010 7:49 pm

Hi TKITFrank, can you maybe post your complete config that I can use on my MikroTik to block p2p please. Thank you
Give me some karma
 
Reefbum
Frequent Visitor
Posts: 64
Joined: Sun Apr 23, 2006 12:00 am

Re: how block connection of p2p?

Sat May 08, 2010 11:22 pm

I use the following to help block p2p, I found this a while back searching Google for help on p2p so I can't remember where I found it.

Add Layer7
ip firewall layer7-protocol add comment="" name=p2p_www regexp="^.*(get|GET).+\
(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|\
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"

ip firewall layer7-protocol add comment="" name=p2p_dns regexp="^.+\
(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|\
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
Add Firewall rules
ip firewall filter add action=drop chain=forward comment="block p2p_www" disabled=no \
layer7-protocol=p2p_www

ip firewall filter add action=drop chain=forward comment="block p2p_dns" disabled=no \
dst-port=53 layer7-protocol=p2p_dns protocol=udp
This blocks quite a lot of things so you may need to change it to suit your needs.
 
robertfranz
newbie
Posts: 37
Joined: Tue Apr 21, 2009 3:30 am

Re: how block connection of p2p?

Wed May 19, 2010 4:21 am

I took a slightly different approach:

Add source ip of nodes with traffic detected as p2p to BadBoy list for 30 minutes.

Mark subsequent traffic to/from nodes on BadBoy list as 'badboys'

Queue 'badboys' traffic pri 8 limited to 10kbps.

This method relies on the assumption that everything leaks to one extent or another.

Even with a brand new utorrent install and no torrents, starting the client results in at least one packet detected as BT.

If I wanted to be kinder, I could allow certain traffic at normal speed, but this is an open AP, and my intent is to encourage the abusers to move along, and prevent their traffic from bogging down other traffic.

I'm thinking about stashing a stack of linux distros behind the counter for the first clown who complains that he can't download the latest Ubuntu iso over the wifi that we provide as a courtesy.
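
The "BadBoy" scheme above, as an added model in Python (not robertfranz's configuration): a penalty box keyed by source address with a 30-minute expiry, a rule that lists the source of any packet the p2p matcher flags, and a queue decision that slows every flow to or from a listed host. The timeline is constructed, and the choice that re-detection does not extend an existing entry is a modelling assumption. It shows both the intended effect (one leaked packet at client start-up is enough to list the host) and the side effect NetworkPro raises in the next reply (the host's ordinary browsing runs at 10 kbps until the entry expires).

```python
from dataclasses import dataclass, field

PENALTY_SECONDS = 30 * 60   # address-list-timeout of the BadBoy list
BADBOY_BPS = 10_000         # the 10 kbps queue for 'badboys'-marked traffic
NORMAL_BPS = 5_000_000      # constructed: what the ordinary queue allows


@dataclass
class PenaltyBox:
    """The BadBoy address list: address -> time (seconds) at which the entry times out."""
    expiry: dict[str, int] = field(default_factory=dict)

    def add(self, addr: str, now: int) -> None:
        # Modelling assumption: re-detection while listed does not extend the entry, so the
        # penalty lasts exactly PENALTY_SECONDS from the first detection.
        self.expiry.setdefault(addr, now + PENALTY_SECONDS)

    def listed(self, addr: str, now: int) -> bool:
        self.expiry = {a: t for a, t in self.expiry.items() if t > now}   # drop timed-out entries
        return addr in self.expiry


def handle(box: PenaltyBox, src: str, dst: str, detected_p2p: bool, now: int) -> int:
    """The three rules from the post, in order: flagged packet -> list its source;
    listed host on either side -> 'badboys' mark -> the slow queue; otherwise the normal queue."""
    if detected_p2p:
        box.add(src, now)
    if box.listed(src, now) or box.listed(dst, now):
        return BADBOY_BPS
    return NORMAL_BPS


# Constructed timeline (seconds, src, dst, flagged by the p2p matcher?): one host leaks a single
# BitTorrent packet when its client starts and then only browses; a second host never runs p2p.
TIMELINE = [
    (0,    "10.0.0.8", "198.51.100.3", True),    # the one detected packet
    (60,   "10.0.0.8", "198.51.100.9", False),   # ordinary web traffic a minute later
    (600,  "10.0.0.9", "198.51.100.9", False),   # the other host is unaffected
    (1799, "10.0.0.8", "198.51.100.9", False),   # still inside the 30 minutes
    (1801, "10.0.0.8", "198.51.100.9", False),   # entry has expired
]


def run_timeline() -> list[tuple[int, str, int]]:
    box = PenaltyBox()
    return [(t, src, handle(box, src, dst, flagged, t)) for t, src, dst, flagged in TIMELINE]


if __name__ == "__main__":
    for t, src, bps in run_timeline():
        print(f"t={t:5d}s {src:9s} -> {bps // 1000} kbps")
```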
 
NetworkPro

Re: how block connection of p2p?

Wed May 19, 2010 2:23 pm

You are very funny with your distros behind the counter :)

What if a businessman simply has forgotten to shut down his p2p application? And he needs to do some important business online? He will have to wait 30 minutes? He will probably do "business" with you ;)

robertfranz

Re: how block connection of p2p?

Wed May 19, 2010 2:50 pm

> You are very funny with your distros behind the counter :)
>
> What if a businessman simply has forgotten to shut down his p2p application?

Then I will kindly shut it down for him.

> And he needs to do some important business online? He will have to wait 30 minutes? He will probably do "business" with you ;)

BT use is prohibited on our public wifi.
Part of the T&C they all click through.
 
di9383
just joined
Posts: 23
Joined: Thu Oct 15, 2009 11:29 am

Re: how block connection of p2p?

Tue Jun 01, 2010 6:29 pm

I have troubles with blocking the uTorrent client (version 2.0.2, if it's important). I use the rule shown above and when I look at my connections it seems that not all of the BitTorrent connections are being recognized.
It seems that connections having status U (meaning Unreplied) are not being recognized. Also, all upload traffic coming from port 18012 in my case is also not recognized and as a result isn't being blocked. You can see it on the screenshot below. So, what is the reason and how to block p2p (specifically BitTorrent and the uTorrent client)?

[screenshot]
 
TKITFrank

Re: how block connection of p2p?

Thu Jun 03, 2010 1:02 pm

Hi,

Sorry for my late reply I am involved in a large project right now.

Here is a little how-to. You have to have defined your L7 before.

Go to the Firewall Mangle.
Create a new rule.
Set it as a prerouting chain and set L7 accordingly.
Set Action to Jump and Jump to target, let's say p2p-traffic.
Do this for all the defined L7 filters and also for the default p2p-all.

Create a new rule below.
Set it as a p2p-traffic chain (you will have to enter it).
Set action to mark connection and set it to, let's say, p2p.

Go to the firewall filter.
I have put it on top but this depends on your own setup.
Create a new rule.
Set chain to forward and connection mark to p2p, then action to drop, or if you use jump rules set it to jump and then point to the drop rule.

Try this :)

martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: how block connection of p2p?

Thu Jun 03, 2010 1:10 pm

uTorrent now uses UDP with its own protocol, and many p2p filters don't work; don't forget this.
 
TKITFrank

Re: how block connection of p2p?

Thu Jun 03, 2010 1:52 pm

Hi,

Just tried the new version and it is still blocked, phuuuu :)

di9383

Re: how block connection of p2p?

Fri Jun 04, 2010 10:08 am

> Hi,
>
> Sorry for my late reply I am involved in a large project right now.
>
> Here is a little how-to. You have to have defined your L7 before.
>
> Go to the Firewall Mangle.
> Create a new rule.
> Set it as a prerouting chain and set L7 accordingly.
> Set Action to Jump and Jump to target, let's say p2p-traffic.
> Do this for all the defined L7 filters and also for the default p2p-all.
>
> Create a new rule below.
> Set it as a p2p-traffic chain (you will have to enter it).
> Set action to mark connection and set it to, let's say, p2p.
>
> Go to the firewall filter.
> I have put it on top but this depends on your own setup.
> Create a new rule.
> Set chain to forward and connection mark to p2p, then action to drop, or if you use jump rules set it to jump and then point to the drop rule.
>
> Try this :)

So, according to this post all that is needed is to define an L7 filter for BitTorrent in my case, set a jump rule for this filter and the default p2p filter, mangle this traffic and drop it. Am I right? If yes, I don't understand if we still need the DNS rules listed in your post earlier?
Also, according to this article, L7 rules have to be defined for both directions of traffic (so we should use chain forward). In your case, you have defined the L7 rule only in the prerouting chain, not in the postrouting. Are you sure your config is OK? Maybe you could just post the part of your config blocking p2p here?
 
TKITFrank

Re: how block connection of p2p?

Fri Jun 04, 2010 10:57 am

Hi,

You still need DNS due to encryption and magnetic links.
Do the rules in the order I posted.

Make sure they are on top so no other rule bypasses the control filter.

di9383

Re: how block connection of p2p?

Fri Jun 04, 2010 3:50 pm

Well, I did as you wrote. As a result, I have all p2p connections marked and get them all into a p2p mangled connection. But in my block filter statistics I've got only approximately half of them blocked. And I don't actually understand why.
Also, there is another problem. Some of the p2p connections in the connection statistics are shown as p2p in the connection field. And that is what I need. But some of them have a different connection mark (I use some other mangles). The p2p rules come on the top...
Can you show your mangles for p2p and the firewall rule (or rules) for blocking them? I suppose there is a mistake on my side. Thanks in advance.

PS Maybe I have a problem in this part. After mangling your p2p traffic you've got such a rule:

chain=forward action=jump jump-target=drop connection-mark=p2p

I don't understand what jump-target=drop means in this case. When I try to make such a rule I have only the default chains defined. So if I type drop myself in the chain section, of course, it's not working. So I just drop this mangled traffic like this:

chain=forward action=drop connection-mark=p2p

Maybe this is my problem (I've written it earlier, it seems that mangled traffic isn't blocked, or not all of it is blocked)? Could you please explain this rule?
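
An added model (Python, not from the thread or from RouterOS) of how the mangle and filter rules discussed here interact, to show why connections can be marked yet not all dropped. It models, as assumptions, the RouterOS behaviour the posts rely on: rules are evaluated top to bottom; a jump enters a user-defined chain and falls back to the parent when that chain is exhausted (so `jump-target=drop` in TKITFrank's rule simply names a user chain containing one action=drop rule); a connection mark is stored on the connection-tracking entry, so the forward filter matches every later packet of the flow; `passthrough=no` ends mangle processing for that packet; and a later mark-connection rule overwrites an existing mark unless it is restricted to unmarked connections (RouterOS has `connection-mark=no-mark` for that). Three variants of the same constructed three-packet flow are run.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:
    conn_id: str                # connection-tracking entry this packet belongs to
    src: str
    l7: Optional[str] = None    # L7 pattern recognised in this packet's payload, if any


@dataclass
class Rule:
    chain: str
    action: str                                            # 'jump' | 'mark-connection' | 'drop'
    match: Callable[[Packet, dict], bool] = lambda pkt, marks: True
    jump_target: Optional[str] = None
    new_mark: Optional[str] = None
    passthrough: bool = False


def run_chain(rules, chain, pkt, marks):
    """Evaluate one chain top to bottom.

    Returns 'drop', 'stop' (a mark-connection with passthrough=no ended mangle processing)
    or None (chain exhausted; for a user chain that means 'return to the parent chain')."""
    for rule in [r for r in rules if r.chain == chain]:
        if not rule.match(pkt, marks):
            continue
        if rule.action == 'jump':
            verdict = run_chain(rules, rule.jump_target, pkt, marks)
            if verdict is not None:
                return verdict
        elif rule.action == 'mark-connection':
            marks[pkt.conn_id] = rule.new_mark   # stored per connection, so every later packet carries it
            if not rule.passthrough:
                return 'stop'
        elif rule.action == 'drop':
            return 'drop'
    return None


def simulate(mangle, filt, packets):
    marks = {}          # connection tracking table: conn_id -> connection mark
    dropped = 0
    for pkt in packets:
        run_chain(mangle, 'prerouting', pkt, marks)            # prerouting mangle runs before forward filter
        if run_chain(filt, 'forward', pkt, marks) == 'drop':
            dropped += 1
    return {"dropped": dropped, "final_mark": marks.get(packets[0].conn_id)}


LAN, PEER = "192.168.4.20", "203.0.113.5"
# Constructed flow: only the handshake packet is recognisable to the L7 matcher.
FLOW = [Packet("c1", LAN, l7="BITTORRENT"), Packet("c1", PEER), Packet("c1", LAN)]


def mangle_rules(p2p_passthrough, guard_other_rule):
    # The "other mangle" further down the list, as di9383 describes having; guard_other_rule models
    # restricting it with connection-mark=no-mark so it leaves already-marked connections alone.
    def other_match(pkt, marks):
        return pkt.src.startswith("192.168.4.") and (not guard_other_rule or marks.get(pkt.conn_id) is None)
    return [
        Rule('prerouting', 'jump', lambda p, m: p.l7 == 'BITTORRENT', jump_target='p2p-service'),
        Rule('p2p-service', 'mark-connection', new_mark='p2p', passthrough=p2p_passthrough),
        Rule('prerouting', 'mark-connection', other_match, new_mark='lan-users'),
    ]


FILTER = [
    Rule('forward', 'jump', lambda p, m: m.get(p.conn_id) == 'p2p', jump_target='drop'),
    Rule('drop', 'drop'),   # "drop" is a user-defined chain holding one action=drop rule, as in the export
]


def compare():
    return {
        "guarded":     simulate(mangle_rules(False, True), FILTER, FLOW),
        "unguarded":   simulate(mangle_rules(False, False), FILTER, FLOW),
        "passthrough": simulate(mangle_rules(True, False), FILTER, FLOW),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:12s} dropped {r['dropped']}/3 packets; connection finally marked {r['final_mark']!r}")
```

In the "unguarded" variant the connection is correctly marked p2p and its first packets dropped, but the third packet, coming from the LAN side with no recognisable payload, reaches the unrelated mark-connection rule, which re-marks the whole connection and the filter stops matching it. With `passthrough=yes` on the p2p marking rule (as in Stunherald's export) the re-marking already happens on the first packet and nothing is dropped at all.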
 
Stunherald
just joined
Posts: 21
Joined: Sun May 23, 2010 10:38 pm

Re: how block connection of p2p?

Wed Jun 09, 2010 7:45 am

2 TKITFrank: First of all, thanks A LOT for your "howto" (karma++ for you :p ). Second, I have a little question here.

I set all things up, but I need to exclude one PC behind the RB from this BitTorrent blocking because it is our company BT server/client for distributing updates of our products to customers. So, I'll be happy if you can help me with this. (We have had the RB in our company just a few days, so I am learning things for now :idea: ). I tried adding a "NOT Interface" rule in that drop firewall rule, but it does not help.

Here is my rules exports:
/ip firewall layer7-protocol
add comment="BitTorrent catch" name=torrent regexp=\
    "^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=torrent_announce regexp=^get.+announce.

/ip firewall mangle
add action=jump chain=prerouting comment=BitTorrent disabled=no jump-target=torrent_traffic layer7-protocol=torrent
add action=jump chain=prerouting comment="" disabled=no jump-target=torrent_traffic layer7-protocol=torrent_announce
add action=jump chain=prerouting comment="" disabled=no jump-target=torrent_traffic p2p=all-p2p
add action=mark-connection chain=torrent_traffic comment="" disabled=no new-connection-mark=torrent passthrough=yes

/ip firewall filter
add action=log chain=forward comment="" connection-mark=torrent disabled=no log-prefix=test_bt_drop out-interface=!Ghost
add action=drop chain=forward comment="" connection-mark=torrent disabled=no out-interface=!Ghost
Interface name: Ghost (name of the server :) )
Local IP is: 192.168.4.1

BTW: One more thing ... what about that static DNS entry? I have not set that up because these static settings are for all local users, so for our server too.

Thanks for the answer
Sorry for my English :)
 
TKITFrank

Re: how block connection of p2p?

Fri Jun 11, 2010 8:33 am

Hi,

Try to put a prerouting rule first in the mangle chain that specifies your server and then jump to a rule below these rules.
Then it should bypass, but I never intended to have a bypass when I did the initial setup.

The DNS settings are required to make the full function of my blocking. If you don't use it the block will be ineffective. I don't know if there is a workaround for this.

di9383

Re: how block connection of p2p?

Fri Jun 11, 2010 2:46 pm

So what about this article? Are you sure we don't need to put mangle rules in the forward chain or use postrouting together with prerouting for correct L7 application? Will those rules in this case check the same packets twice?

One more question. How do the mangles work? The same as firewall rules or not?
 
TKITFrank

Re: how block connection of p2p?

Fri Jun 18, 2010 1:02 pm

Correct me if I am wrong, but in this case there is no need for postrouting since we only want to block it. So we need to use prerouting to catch it before all else.

The setup is to catch it, not to throttle or something like that. I use mangle to mark them and to combine many rules into one, which you later can filter out in the forward chain.

heviejob
Member Candidate
Posts: 168
Joined: Mon Nov 30, 2009 4:54 pm

Re: how block connection of p2p?

Thu Sep 02, 2010 12:08 am

Trying to block p2p is really a waste of time. The best thing is to prioritize traffic; this way you can throttle any traffic you don't want through.

Who is online

Users browsing this forum: Google [Bot] and 75 guests