
Anyone successful in blocking bittorrent and limewire

Posted: Tue Sep 08, 2009 8:08 pm
by natedogg104
So I have updated to the new version, hoping the p2p filter would work with the firewall chain to drop p2p traffic; no such luck. It doesn't even faze it: anyone that has any of the updated programs can get past that rule.

So next step, go and find the L7 patterns and mark the packets/connections so that I can drop them, right? Not, lol.

The current L7s don't seem to be working to block anything but older versions of the programs.

Does anyone have new L7 regexps for BitTorrent, BitComet, Limewire, etc.? I'm convinced 99% of the traffic to these sites is a bunch of illegal crap. At the very least I need to be able to mark these packets so I can turn in these users when I do get those crappy notices.

This is what I have currently:

Bittorrent
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]

Limewire
^(gnd[\01\02]\?.\?.\?\01|gnutella connect/[012]\\.[0-9]\r\n|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*content-type: application/x-gnutella|...................\?lime)

Limewire paid
^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)

Anyone have ideas or suggestions to mark or block the packets/connections, or both?

Marking all traffic and limiting or blocking unknown traffic is not an option; been there, done that, and it just causes problems. Having to mark everything in the world is CPU intensive and just not practical.

So if anyone has regexps that actually work, or another idea, let me know.

Re: Anyone successful in blocking bittorrent and limewire

Posted: Wed Sep 09, 2009 1:09 am
by Chupaka
You cannot block encrypted p2p connections without shedding blood, I believe.
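As an added illustration of the two points above, the L7 patterns quoted in the first post and Chupaka's remark that encrypted connections cannot be matched, here is a small Python harness written for this page (it is not code from the thread, from the posters or from MikroTik). It runs the bittorrent and gnutella patterns exactly as quoted, with the case-insensitive, dot-matches-anything semantics that l7-filter and the RouterOS Layer7 matcher use, over a few constructed flow openings: a plaintext BitTorrent handshake, an HTTP tracker announce, a DHT ping, a Gnutella connect, and a stand-in for the first message of a BitTorrent MSE/PE encrypted handshake (a DH public key plus padding, here just deterministic pseudo-random bytes). The `BITTORRENT_FIXED` variant, which inserts the `|` missing between the `scrape` and `announce` alternatives of the quoted pattern, is the editor's assumption, not something the thread supplies; all sample payloads are constructed.

```python
import hashlib
import re

# The two l7-filter patterns quoted in the thread. The bittorrent one is kept
# verbatim, including its quirk: there is no '|' between the "get /scrape"
# and "get /announce" alternatives, so that branch can only ever match the
# literal text "get /scrape?info_hash=get /announce?info_hash=" and a plain
# HTTP tracker announce is not matched at all.
BITTORRENT_AS_POSTED = (
    rb"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|"
    rb"get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]"
)
# Assumed fix (editor's, not from the thread): restore the missing alternation.
BITTORRENT_FIXED = BITTORRENT_AS_POSTED.replace(
    b"info_hash=get /announce", b"info_hash=|get /announce")

GNUTELLA = (
    rb"^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|"
    rb"get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|"
    rb"get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|"
    rb"queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:"
    rb"[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)"
)

# l7-filter matches case-insensitively and lets '.' match any byte.
FLAGS = re.IGNORECASE | re.DOTALL
AS_POSTED = {"bittorrent": re.compile(BITTORRENT_AS_POSTED, FLAGS),
             "gnutella": re.compile(GNUTELLA, FLAGS)}
FIXED = {"bittorrent": re.compile(BITTORRENT_FIXED, FLAGS),
         "gnutella": re.compile(GNUTELLA, FLAGS)}

L7_WINDOW = 2048  # l7-filter only inspects roughly the first 2 KB of a connection


def classify(stream: bytes, patterns=AS_POSTED) -> str:
    """Return the first protocol name whose pattern matches the flow's opening bytes."""
    window = stream[:L7_WINDOW]
    for name, rx in patterns.items():
        if rx.search(window):
            return name
    return "unknown"


def _pseudo_random(n: int) -> bytes:
    """Deterministic filler standing in for a DH public key plus random padding."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(b"mse-sample" + bytes([i])).digest()
        i += 1
    return out[:n]


# Constructed sample flow openings (not captured traffic).
INFO_HASH = bytes(range(20))
PEER_ID = b"-XX1000-" + b"x" * 12
SAMPLES = {
    # BEP 3 plaintext handshake: <19><"BitTorrent protocol"><reserved><info_hash><peer_id>
    "bt_handshake": b"\x13BitTorrent protocol" + b"\x00" * 8 + INFO_HASH + PEER_ID,
    # HTTP tracker announce, the request the quoted pattern was meant to catch
    "bt_announce": (b"GET /announce?info_hash=%00%01%02&peer_id=" + PEER_ID
                    + b"&port=6881 HTTP/1.1\r\n"
                    + b"Host: tracker.example\r\nUser-Agent: constructed/1.0\r\n\r\n"),
    # BEP 5 DHT ping query (bencoded, usually UDP)
    "bt_dht_ping": b"d1:ad2:id20:" + INFO_HASH + b"e1:q4:ping1:t2:aa1:y1:qe",
    # Gnutella 0.6 connect as sent by LimeWire-style clients
    "gnutella_connect": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.18\r\nX-Ultrapeer: False\r\n\r\n",
    # MSE/PE: first message is a 96-byte DH public key followed by random padding,
    # so there is no plaintext marker for any pattern to hit.
    "bt_mse_handshake": _pseudo_random(96 + 64),
}


def report(samples=SAMPLES) -> dict:
    """Classify every sample with the patterns as posted and with the fixed set."""
    return {label: (classify(data, AS_POSTED), classify(data, FIXED))
            for label, data in samples.items()}


if __name__ == "__main__":
    for label, (posted, fixed) in report().items():
        print(f"{label:18s} as posted: {posted:10s} fixed: {fixed}")
```

Run it and the table shows the two lessons of the thread side by side: the plaintext handshake, DHT ping and Gnutella connect are caught, the tracker announce is caught only once the missing `|` is restored, and the MSE-style opening stays "unknown" under both pattern sets because there is nothing in the clear to match.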

Re: Anyone successful in blocking bittorrent and limewire

Posted: Wed Sep 09, 2009 7:40 pm
by natedogg104
I thought if you found the connection when it started, before it encrypted, you could block it. Any other ideas? For the moment I just got some software that logs all connections in and out; that way at least I can respond to the users when I get those nasty letters. /sigh

We can't block the bad guys, have to monitor the good guys .....

Re: Anyone successful in blocking bittorrent and limewire

Posted: Thu Sep 10, 2009 1:09 am
by Muqatil
Did you try this?
/ip firewall mangle
# 1. Mark connections that the built-in p2p matcher or the L7 patterns recognise (passthrough so the rules below still see them)
add action=mark-connection chain=forward comment=P2P disabled=no new-connection-mark=P2P-CONN p2p=all-p2p passthrough=yes
add action=mark-connection chain=forward comment="P2P Torrent" disabled=no layer7-protocol=bittorrent new-connection-mark=P2P-CONN passthrough=yes
add action=mark-connection chain=forward comment="P2P Emule" disabled=no layer7-protocol=edonkey new-connection-mark=P2P-CONN passthrough=yes
# 2. Remember the remote ends of those connections for 5 minutes (only for flows leaving the local "IP Medi@net" list)
add action=add-dst-to-address-list address-list="P2P Address" address-list-timeout=5m chain=forward comment="Identify P2P connection sources for 5 mins" connection-mark=P2P-CONN disabled=no dst-address-list="!IP Medi@net" src-address-list="IP Medi@net"
# 3. Mark every other connection to or from those remembered hosts, including ones the patterns did not catch
add action=mark-connection chain=forward comment="IP P2P" disabled=no new-connection-mark=IP2P_CONN passthrough=yes src-address-list="P2P Address"
add action=mark-connection chain=forward comment="IP P2P" disabled=no dst-address-list="P2P Address" new-connection-mark=IP2P_CONN passthrough=yes
# 4. Turn the connection marks into packet marks for the queues
add action=mark-packet chain=forward comment=IP2P connection-mark=IP2P_CONN disabled=no new-packet-mark=IP2P passthrough=yes
add action=mark-packet chain=forward comment=P2P connection-mark=P2P-CONN disabled=no new-packet-mark=P2P passthrough=no
I just mangle and limit them; I don't block them completely... but it's up to you.
Try this one.
P.S. It's a little CPU intensive, so use it on a powerful board and maybe in a separate box (transparent bridge).

Re: Anyone successful in blocking bittorrent and limewire

Posted: Thu Sep 10, 2009 3:32 am
by natedogg104
Thanks, I'll try that.

Re: Anyone successful in blocking bittorrent and limewire

Posted: Thu Sep 10, 2009 5:59 am
by rboerom
You can control P2P if you configure your QoS as a firewall:
you mark everything you know, and everything else is P2P.

IT WORKS GREAT, ARES CONTROL, TORRENT CONTROL