Blocking P2P Torrent Traffic - FAQ?



  • Perhaps a current FAQ on generally important topics

    Setting up a WiFi open access point free to all / hospitality / coffee shop etc. (pick a reason) and would like to block all p2p traffic bit torrent etc. I recd a letter warning about piracy!

    What is the best method and practice

    I just did a fresh install of pfsense downloaded the image burned and formatted and set up disk, noticed right after that it wanted to upgrade itself again. did that on 2.3.4-RELEASE-p1 dated july 14 2017

    So to get to blocking,
    I have read individual port blocking will not work as the torrent programs all look for any open ports.
    Snort? I have seen things like load p2p profiles then no link to an example… I'm not familiar with configuring snort.
    I have seen L7 packet inspection in description only to find out that its been removed.
    I did get an oink code

    Is there a clear and concise FAQ how to implement this for non geeks?

    Thank you

    George



  • 1 - block ports above 1024
    2 - install and enable rule p2p for snort
    3 - enable openappID for snort (rule p2p)



  • I think snort and the rules are loaded, however looking at the services>snort>interface
    blocking is disabled and barnyard2 is disabled and I am still able to torrent ububtux64

    I am getting snort alerts on status dashboard page but no blocking?



  • Don't block ports above 1024. That's stupid.
    You won't stop torrents but you will break other things.

    Just stick with snort or suricata and get the P2P rules blocking for you. Use the snort vrt and openet free sets. I recommend you only use the P2P rules and you might need to.disable some of those.

    Check out the IDS/IPS subforum for specific help getting your rules working.



  • With snort running and p2p libraries linked rebooted machine, still p2p traffic passes, went to pirate bay and transferred ubuntu just fine, logs showed some 2p2 blocking but still transferred the whole 1.6 gig file.

    that could have just as easily been a copyrighted program… I need to STOP it all and I cant control the users... I have to limit them.

    I do have open DNS locked and have p2p blocking there and that partially works but only by dns, not by protocols.

    What do hospitality, hotel, motel, cafe, etc. do to prohibit their customers form doing p2p and torrent stuff...

    I know someone there has a solution...

    Thank you, please help...



  • Your snort is probably simply alerting instead of of blocking. Orisconfigured in some other way.



  • For WAN the snort libraries selected are as follows

    emerging-p2p.rules
    snort_p2p.rules
    snort_pua-p2p.rules
    snort_pua-p2p.so.rules
    openappid-p2p_file_sharing.rules

    I am getting p2p alerts

    "1:2007727
      ET P2P possible torrent download"

    then I will see the ip address come up in the blocked section but transfers continue.

    I was downloading a legal torrent from the pirate bay site of ubuntu to test. I did not even notice a slow down, 10-15 mbit d/l speed.

    Any ideas, surely someone has active p2p blocking working…



  • You are alerting not blocking.

    You need to check out the IDS/IPS subforum. It is not just set it and forget it.


  • LAYER 8 Global Moderator

    @belt9:

    It is not just set it and forget it.

    This could be the IPS slogan ;)

    Love it when users think I just click this IPS button and all set ;) heheheheeh



  • @georgeberz:

    For WAN the snort libraries selected are as follows

    emerging-p2p.rules
    snort_p2p.rules
    snort_pua-p2p.rules
    snort_pua-p2p.so.rules
    openappid-p2p_file_sharing.rules

    I am getting p2p alerts

    "1:2007727
      ET P2P possible torrent download"

    then I will see the ip address come up in the blocked section but transfers continue.

    I was downloading a legal torrent from the pirate bay site of ubuntu to test. I did not even notice a slow down, 10-15 mbit d/l speed.

    Any ideas, surely someone has active p2p blocking working…

    It's definitely working but everything is not stopped so the torrent will still work.  I can verify I see the alerts and blocks from those alerts but a test of a pirate bay torrent still worked. It's a little more complex than simply checking "Checking this option will automatically block hosts that generate a Snort alert"



  • Are you sure it's not just blocking some of the connections that it can detect and not blocking the connections it can't detect?


Log in to reply