Firewall Against P2P

zimbofury · Fri Sep 23, 2011 12:04 pm

hi all

i have created a simple firewall to block p2p for an internet cafe. is this practical? wondering what other services are used mostly for me to add to the accept range.

[admin@MikroTik] > ip
[admin@MikroTik] /ip> firewall
[admin@MikroTik] /ip firewall> filter
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established
in-interface=ether1-gateway

2 ;;; default configuration
chain=input action=accept connection-state=related
in-interface=ether1-gateway

3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

4 chain=forward action=accept connection-mark=http

5 chain=forward action=accept connection-mark=DHCP

6 chain=forward action=accept connection-mark=DNS

7 chain=forward action=accept connection-mark=FTP

8 chain=forward action=accept connection-mark=bgp

9 chain=forward action=accept connection-mark=http

10 chain=forward action=accept connection-mark=imap

11 chain=forward action=accept connection-mark=msn

12 chain=forward action=accept connection-mark=pop3

13 chain=forward action=accept connection-mark=smtp

14 chain=forward action=accept connection-mark=ssh

15 chain=forward action=accept connection-mark=ssl

16 chain=forward action=accept connection-mark=yahoo

17 chain=forward action=accept connection-mark=https

18 chain=forward action=drop

regards

jandafields · Fri Sep 23, 2011 11:31 pm

Are all of those connection marks actually setup in the router? As for p2p, a lot of p2p travels over ssl and http, so you can't really block it.

jahidhk · Sun Sep 25, 2011 9:58 pm

this will block p2p
just change src-address & time if needed

/ip firewall layer7-protocol
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\
|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"
/ip firewall filter
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1h30m chain=forward comment=" ______Bittorent_____" disabled=no \
layer7-protocol=BITTORENT src-address=192.168.0.10-192.168.0.254 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no layer7-protocol=\
BITTORENT reject-with=icmp-network-unreachable time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=yes layer7-protocol=\
BITTORENT reject-with=icmp-network-unreachable time=\
0s-1h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent Announce" \
address-list-timeout=1h30m chain=forward comment=______Announce____ \
disabled=no layer7-protocol=BITTORRENT_ANNOUNCE src-address=\
192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=yes layer7-protocol=\
BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable time=\
0s-1h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent udp" \
address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
disabled=no dst-port=6881-6968,6970-6999 protocol=udp src-address=\
192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=\
6881-6968,6970-6999 protocol=udp reject-with=icmp-network-unreachable \
time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent tcp" \
address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
disabled=no dst-port=6881-6968,6970-6999 protocol=tcp src-address=\
192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=\
6881-6968,6970-6999 protocol=tcp reject-with=icmp-network-unreachable \
time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent all-p2p" \
address-list-timeout=1h30m chain=forward comment=\
__________All-p2p__________ disabled=no p2p=all-p2p src-address=\
192.168.0.10-192.168.0.254 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no p2p=all-p2p \
reject-with=icmp-network-unreachable time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="Torrent cleaning" disabled=no \
dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
src-address-list=Torrent src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=udp reject-with=icmp-network-unreachable src-address-list=\
Torrent src-port=10000-65500 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent Announce" src-port=10000-65500 time=\
9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=udp reject-with=icmp-network-unreachable src-address-list=\
"Torrent Announce" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent udp" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=udp reject-with=icmp-network-unreachable src-address-list=\
"Torrent udp" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent tcp" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=udp reject-with=icmp-network-unreachable src-address-list=\
"Torrent tcp" src-port=10000-65500 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
Torrent src-port=1000-5000 time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent Announce" src-port=1000-5000 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent udp" src-port=1000-5000 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent tcp" src-port=1000-5000 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
"Torrent all-p2p" src-port=1000-5000 time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat

CCDKP · Wed Sep 28, 2011 5:24 pm

add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\
|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"

That regex filter is broken and won't catch most torrent seeding. it should be:

add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
    get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/\
    |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"

It's a bit of a long post, but there is a LOT of good information for solving this here: http://forum.mikrotik.com/viewtopic.php?f=2&t=21178

zimbofury · Thu Nov 17, 2011 4:02 pm

Thanks for the posts guys.

There does seem to be a hitch though. All works fine but then mails stop sending the device needs to be rebooted and everything then comes right. The link is on a VSAT connection with just less that 550kbps and i was wondering if it had more to do with that and the load the LAN is giving. There are about 20 pcs. Im not asking for troubleshooting on the LAN, just if my config could cause this problem.

Regards

jandafields · Thu Nov 17, 2011 6:44 pm

Thanks for the posts guys.

There does seem to be a hitch though. All works fine but then mails stop sending the device needs to be rebooted and everything then comes right. The link is on a VSAT connection with just less that 550kbps and i was wondering if it had more to do with that and the load the LAN is giving. There are about 20 pcs. Im not asking for troubleshooting on the LAN, just if my config could cause this problem.

Regards

Check the cpu usage and see if it is high on the mikrotik.

Firewall Against P2P

Firewall Against P2P

Re: Firewall Against P2P

Re: Firewall Against P2P

Re: Firewall Against P2P

Re: Firewall Against P2P

Re: Firewall Against P2P