Blocking bittorrent at layer 7
-
Hello,
I'm trying to block the BitTorrent and eDonkey protocols from being used from inside my LAN. I tried to create a layer7 group (traffic shaping -> layer7 -> new group)
specifying "block" as the action for these 2 protocols. Then I went to firewall -> rules and added a floating rule: accept from LAN subnet TCP/UDP, and then in advanced options I chose layer 7 and selected the previously created layer 7 group.
By saving and applying the configuration I was expecting BitTorrent to not work anymore..
Trying to download a torrent using the Transmission client from inside the LAN I don't have any problem and traffic passes through the pfSense firewall smoothly. Am I doing something wrong?
-
Snort… Emerging Threats + P2P blocking seems to have worked for others.
However that may be a cure that's worse than the disease (-;
-
Considering that I'm fairly concerned about low latency, I don't think an inline Snort would be a good idea…
Any reason you may be aware of for which the layer7 filtering is not working? Maybe the protocol is not recognized? I should try with some plain text protocol first...
-
Yes - Because it doesn't work. (simplistic, but seems true)
Things like that and Skype are a pain to identify and block without inflicting painfully high CPU use and latency.
-
I guessed so, considering that now most of the clients encrypt the traffic, making the task nearly impossible.
-
Encryption… Randomized ports... Can be TCP or UDP. Peer-to-peer.
It's supposed to be hard. You can restrict ports and protocols and you can whitelist. Very draconian.
-
A whitelist approach is not applicable due to the high variety of applications that use high, non-well-known ports (games etc.).
-
Waste of time. The only semi-working approach is to set up some daily/weekly/monthly traffic limits.
-
You could limit states per client (I think).
The number of connections maintained by a single user is definitely a sign of torrents/Gnutella and other P2P.
By limiting states, you limit connections, which limits bandwidth drain and helps alleviate network congestion.
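As an added example (not from this thread or from pfSense itself) of the signal the post above relies on, the script below parses `pfctl -ss` output, counts outbound states per LAN host and flags hosts holding more than a threshold. It assumes the IPv4 line layout shown in the constructed sample, where pf prints the pre-NAT LAN address in parentheses for translated states.

```python
import re
from collections import Counter

# One `pfctl -ss` line, IPv4 only (pf prints IPv6 endpoints as addr[port],
# which this example does not handle). The parenthesised endpoint is the
# pre-NAT LAN address pf shows for translated states; when it is absent the
# first endpoint is the LAN host itself. Only "->" (outbound) states are
# counted, so the matching "<-" state on the LAN side is not double counted.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+"
    r"(?:\((?P<orig>\d+\.\d+\.\d+\.\d+):\d+\)\s+)?"
    r"->\s+"
)

def lan_source(line):
    """Return the LAN host that owns an outbound state, or None."""
    m = STATE_RE.match(line)
    if not m:
        return None
    return m.group("orig") or m.group("src")

def states_per_host(lines):
    """Count outbound pf states per LAN host."""
    return Counter(h for h in map(lan_source, lines) if h)

def flag_heavy_hosts(lines, threshold):
    """Hosts holding more than `threshold` outbound states, heaviest first."""
    return [(h, n) for h, n in states_per_host(lines).most_common() if n > threshold]

# Constructed sample of `pfctl -ss` output (not captured from a real box):
# one host with a couple of web/DNS states, one host fanning out to many
# peers on random high ports, the pattern the post above describes.
SAMPLE = [
    "wan tcp 203.0.113.5:50001 (192.168.1.20:50001) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED",
    "wan udp 203.0.113.5:40000 (192.168.1.20:40000) -> 198.51.100.53:53       MULTIPLE:SINGLE",
    "lan tcp 198.51.100.7:443 <- 192.168.1.20:50001       ESTABLISHED:ESTABLISHED",
] + [
    f"wan tcp 203.0.113.5:{51000 + i} (192.168.1.30:{51000 + i}) -> 198.51.100.{i}:{20000 + 7 * i}       ESTABLISHED:ESTABLISHED"
    for i in range(1, 61)
] + [
    f"wan udp 203.0.113.5:6881 (192.168.1.30:6881) -> 203.0.113.{i}:6881       MULTIPLE:MULTIPLE"
    for i in range(100, 140)
]

if __name__ == "__main__":
    for host, n in flag_heavy_hosts(SAMPLE, threshold=50):
        print(f"{host}: {n} outbound states")
```

On a live box the same functions can be fed the lines of `pfctl -ss` directly; the threshold is a judgement call for the size of the LAN.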