crt
newbie
Topic Author
Posts: 29
Joined: Tue Dec 12, 2006 1:01 am

P2P obfuscated protocol : maybe a solution

Wed Jan 17, 2007 10:54 pm

Hi there,

I hope that the community can say if I was wrong or if this is the right way:

According to the Macgaiver post, I set up the two mangle rules with the mangle tags "p2p_packet" and "p2p_connection". In /ip firewall filter I drop the packets, and so far nothing new here.

I created an address list called "p2p_blacklist", then I added this as the first rule of my firewall:
/ ip firewall filter add chain=forward src-address=10.1.2.0/24 dst-address=!10.1.2.0/24 packet-mark=p2p_packet action=add-dst-to-address-list address-list=p2p_blacklist address-list-timeout=12h
(assuming that my clients are in the 10.1.2.0/24 block and I don't want to add the dst-address of the local /24 network to the p2p_blacklist; the negated dst-address is there for this purpose...)

and then:
/ip firewall filter add chain=forward dst-address-list=p2p_blacklist action=drop
I assume that not *all* the traffic is encrypted, or maybe it is true that the first packet of an encrypted connection is marked by ROS, so the dst-address is for sure a P2P source...
... the dynamic list is growing and maybe I have a solution :) Experts here, please judge this and tell me if I'm right... assuming the RB532 has enough memory to handle the list :)

Don't forget to delete the 0.0.0.0/0 entry when you create the address list, otherwise IMHO everything is dropped.

Regards,
.:[CRT]:. - old coders never die, just terminate & stay residents.
 
savagedavid
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa

Wed Jan 17, 2007 11:33 pm

Why don't you add the "add to address list" rule in your mangle rather than in the firewall filter, since mangle happens before the firewall filter?
 
crt
newbie
Topic Author
Posts: 29
Joined: Tue Dec 12, 2006 1:01 am

Thu Jan 18, 2007 12:16 am

Why don't you add the "add to address list" rule in your mangle rather than in the firewall filter, since mangle happens before the firewall filter?
Because I was playing with filter rules when I had the flash of this rule ^_^.

BTW, now I have moved the rule to mangle/prerouting.
I noticed that browsing web pages is quite slow. Is it because the firewall needs to compare approx. 300 IP addresses (approx. 1 hour of rule work)??

.:[CRT]:. - old coders never die, just terminate and stay residents.
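Putting the pieces of the thread together in one place, as an added example that is not taken from any of the posts: the classifier marks from the first post, the learning rule moved into mangle prerouting as savagedavid suggested, and the drop rules in the filter table. It assumes the 10.1.2.0/24 client block and the p2p_blacklist list name from the thread, and the p2p=all-p2p firewall matcher that RouterOS offered at the time of the thread; later major versions dropped that matcher, so check that `/ip firewall mangle add p2p=?` still lists it on your version before copying this.

```routeros
# Added example (not from the thread): RouterOS CLI, importable as a script.
# Assumptions: clients in 10.1.2.0/24, list name p2p_blacklist (both from the
# thread), and the p2p=all-p2p matcher of RouterOS versions of that era.

/ip firewall mangle
# 1. Classify: mark the connection when the signature matcher fires, then
#    mark every packet that belongs to a marked connection.
add chain=prerouting p2p=all-p2p action=mark-connection \
    new-connection-mark=p2p_connection passthrough=yes \
    comment="mark connections the p2p matcher recognises"
add chain=prerouting connection-mark=p2p_connection action=mark-packet \
    new-packet-mark=p2p_packet passthrough=yes \
    comment="mark every packet of a marked connection"

# 2. Learn peers: record the remote side of each marked packet leaving the LAN.
#    Placed in mangle prerouting so the list entry exists before the same packet
#    reaches the filter table. The negated dst-address keeps local hosts out of
#    the list; address-list-timeout lets entries age out by themselves.
add chain=prerouting src-address=10.1.2.0/24 dst-address=!10.1.2.0/24 \
    packet-mark=p2p_packet action=add-dst-to-address-list \
    address-list=p2p_blacklist address-list-timeout=12h \
    comment="remember remote peers of marked P2P packets"

/ip firewall filter
# 3. Enforce: drop what the classifier marked, and drop anything headed to a
#    learned peer (this is what catches later connections the matcher misses).
add chain=forward packet-mark=p2p_packet action=drop \
    comment="drop packets the classifier marked"
add chain=forward dst-address-list=p2p_blacklist action=drop \
    comment="drop traffic to learned P2P peers"

# Checks to run interactively after a while:
#   /ip firewall address-list print where list=p2p_blacklist
#       expect only public addresses, nothing from 10.1.2.0/24 and no
#       0.0.0.0/0 entry (a leftover 0.0.0.0/0 entry makes the drop rule
#       match every destination)
#   /ip firewall filter print stats
#       the packet counters on the two drop rules show whether the list
#       is actually being hit
```

Two things to keep in mind with this design. The list is only as good as the classifier that feeds it: a connection the matcher never marks (fully encrypted from the first packet) never adds its peer, while a misclassified connection to a shared server adds that server's address and every client loses it for the full timeout, so look through the list for well-known addresses before trusting it. And the drop-by-list rule matches every forwarded packet against the list, so keep it on the forward chain with a timeout rather than letting entries accumulate permanently.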
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Thu Jan 18, 2007 12:31 am

We have an address-list with over 100,000 entries (for an SMTP greylisting test) and it seems to work fine.

Sam
 
savagedavid
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa

Thu Jan 18, 2007 4:26 pm

I very much doubt an address list will cause slow browsing - unless you have created a loop in your filter rules - but then you will notice very high CPU activity.
