Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Implementing Torrent Blocking with Layer7

    Scheduled Pinned Locked Moved
    Traffic Shaping
    2
    4
    13.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mikeh
      last edited by

      I'm trying to implement bit torrent blocking with the help of Layer 7, to no avail.

      What I've done so far:-

      Created a L7 group, added a rule for bittorrent - action - block.

      I've created a rule in Floating table on the lan interface, action: pass, direction: any, protocol tcp/udp, source: any, dest: any, Layer 7: aforementioned L7 group.

      This does not seem to function - uploads seem slow for the torrents, but I do not know if this is a coincidence or not.

      I've tried clearing the state table as well as adding http to the rule and testing, with no results.

      I'm unsure what else to try? Is it a case that it's doing a fair job of blocking uploads, or is it just not working at all?

      As another route, I tried the traffic shaping wizard (multi-lan, single-wan), setup p2p catch all and gave it 2%. The trouble is that this seemed to apply to all traffic - including HTTP.

      1 Reply Last reply Reply Quote 0
      • N
        Nachtfalke
        last edited by

        Hi,

        we talked on IRC some hours ago.

        I did a new test on my system with blocking http traffic on layer7. This is what I did:

        1. FIREWALL -> Traffic Shaper -> Layer7
        2. Create Layer7 rule
        3. Enable
        protocol: http
        structure: action
        behaviour: block
        4. Save

        Create a firewall rule on LAN tab on top of all other rules with protocol TCP/UDP and then scroll down to advanced options and select the layer7 container you created for http blocking.
        No need for floating rules!

        This is working for me. Test with:

        http://www.google.de
        and
        https://www.google.de

        The same way I configured traffic shaper for bittorrent but it is not working.
        As I said on IRC this depends how the bittorrent client establishes connection. Often it is encrypted and so the layer7 filters could not work.

        1 Reply Last reply Reply Quote 0
        • M
          mikeh
          last edited by

          Hi, I do indeed remember.

          That is interesting.

          Have you looked in to any other solutions for Torrent blocking? P2P catchall doesn't seem to be working for me, and appears to have a fairly serious impact on HTTP throughput.

          Is there perhaps a squid blacklist for known torrent-sites and trackers?

          1 Reply Last reply Reply Quote 0
          • N
            Nachtfalke
            last edited by

            In other threads there were discussions about only allowing ports which are in general only used for legal traffic (http,https,pop3,…) and the same for traffic shaper.
            Giving high priority to "legal" traffic and only low priority for "unknown" traffic.

            This will not block torrent at all but perhaps slow down it.

            For blocking other downloads I am using squid and squidguard and blocking torrent in URL and the well known filehoster as rapidshare, uploaded.to and so on.

            There are some (free) blacklists for squidguard but they are blocking oftem more than I just want to.
            You can give it a try of course!

            http://www.shallalist.de/
            http://urlblacklist.com/

            1 Reply Last reply Reply Quote 0
            • First post
              Last post