Netgate Discussion Forum

Blocking bittorrent at layer 7

Firewalling
9 Posts 3 Posters 5.0k Views
Rampage

Hello,
I'm trying to block the BitTorrent and eDonkey protocols from being used from inside my LAN.

I tried to create a layer7 group (Traffic Shaping -> Layer7 -> new group), specifying "block" as the action for these 2 protocols.

Then I went to Firewall -> Rules and added a floating rule: accept from LAN subnet TCP/UDP, and then in the advanced options I chose Layer 7 and selected the previously created layer 7 group.

After saving and applying the configuration I was expecting BitTorrent to not work anymore...
Trying to download a torrent using the Transmission client from inside the LAN, I don't have any problem and traffic passes through the pfSense firewall smoothly.

Am I doing something wrong?

kejianshi

Snort... Emerging Threats + P2P blocking seems to have worked for others.
However, that may be a cure that's worse than the disease (-;

Rampage

Considering that I'm fairly concerned about low latency, I don't think an inline Snort would be a good idea...

Any reason you may be aware of for which the layer7 filtering is not working? Maybe the protocol is not recognized? I should try with some plain text protocol first...

kejianshi

Yes - because it doesn't work. (Simplistic, but seems true.)

Things like that and Skype are a pain to identify and block without inflicting painfully high CPU use and latency.

Rampage

I guessed so, considering that now most of the clients encrypt the traffic, making the task nearly impossible.

kejianshi

Encryption... Randomized ports... Can be TCP or UDP. Peer-to-peer.
It's supposed to be hard.

You can restrict ports and protocols and you can whitelist. Very draconian.

Rampage

A whitelist approach is not applicable due to the high variety of applications that use high, non-well-known ports: games, etc.

doktornotor

Waste of time. The only semi-working approach is to set up some daily/weekly/monthly traffic limits.

kejianshi

You could limit states per client (I think).
The number of connections maintained by a single user is definitely a sign of torrents/Gnutella and other P2P.
By limiting states, you limit connections, which limits bandwidth drain and helps alleviate network congestion.

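The per-client state idea in kejianshi's last post, as an added example that is not part of the thread and not pfSense or pf code: pf can enforce a cap with the `max-src-states` keep-state option on the LAN pass rule (pfSense exposes this in the rule's advanced options), and the script below covers the monitoring side, parsing `pfctl -ss` output and flagging LAN hosts that hold more states than a threshold. The line layout it parses is an assumption about how `pfctl -ss` prints states (IPv4 only, original LAN address in parentheses for NATed outbound states); the LAN subnet, the threshold and every sample line are constructed.

```python
"""Per-host state counting over `pfctl -ss` output (added example, not pfSense code).

Assumed line layout:
    <iface> <proto> <src>:<port> [(<orig-src>:<port>)] -> <dst>:<port> <state>
For outbound NAT the translated address comes first and the original LAN
address follows in parentheses; that parenthesised address is the client.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp|icmp)\s+"
    rf"(?P<src>{IPV4}):(?P<sport>\d+)"
    rf"(?:\s+\((?P<orig>{IPV4}):\d+\))?"
    rf"\s+->\s+(?P<dst>{IPV4}):(?P<dport>\d+)"
)

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
THRESHOLD = 50  # states per client; constructed figure, tune to your network


def parse_state_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (proto, client_ip, dst_ip) for one line, or None if it does
    not match the assumed layout (headers, blank lines, other noise)."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    client = m.group("orig") or m.group("src")
    return m.group("proto"), client, m.group("dst")


def count_states_per_host(pfctl_output: str) -> Dict[str, int]:
    """Count state entries per LAN client. States whose client side is not
    inside LAN_NET (inbound connections from the internet) are ignored, so
    the count reflects fan-out from internal hosts only."""
    counts: Counter = Counter()
    for line in pfctl_output.splitlines():
        parsed = parse_state_line(line)
        if parsed is None:
            continue
        _, client, _ = parsed
        if ipaddress.ip_address(client) in LAN_NET:
            counts[client] += 1
    return dict(counts)


def hosts_over_threshold(counts: Dict[str, int],
                         threshold: int = THRESHOLD) -> List[Tuple[str, int]]:
    """Hosts holding more states than `threshold`, busiest first."""
    flagged = [(ip, n) for ip, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def constructed_sample() -> str:
    """Constructed `pfctl -ss` output (not captured from a real firewall):
    one host with three HTTPS states, one host with 120 UDP states to
    distinct peers (the torrent-like pattern), plus an inbound state and
    a non-state line the parser must skip."""
    lines = []
    for i in range(3):
        lines.append(f"all tcp 203.0.113.1:{50000 + i} (192.168.1.10:{50000 + i}) "
                     f"-> 198.51.100.{7 + i}:443       ESTABLISHED:ESTABLISHED")
    for i in range(120):
        lines.append(f"all udp 203.0.113.1:{40000 + i} (192.168.1.20:6881) "
                     f"-> 198.51.100.{1 + i}:6881       MULTIPLE:MULTIPLE")
    # Inbound state: client side is external, must not be counted.
    lines.append("all tcp 198.51.100.50:51515 -> 203.0.113.1:22       ESTABLISHED:ESTABLISHED")
    lines.append("some unrelated text the parser must skip")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    per_host = count_states_per_host(constructed_sample())
    for ip, n in hosts_over_threshold(per_host):
        print(f"{ip}: {n} states (over {THRESHOLD}); a max-src-states cap "
              f"on the LAN pass rule would bound this")
```

On a live box the input would come from `pfctl -ss` rather than `constructed_sample()`; the threshold is the real tuning knob, since a busy web browser legitimately holds a few dozen states while a torrent client sits at hundreds.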
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.