Netgate Discussion Forum

    Peer to peer apps blocking

    Traffic Shaping
    10 Posts 2 Posters 1.8k Views

    • ozlecz

      I want to block P2P apps like BitTorrent and the like on my pfSense-driven device. Could anyone please help me achieve this?

      Thanks.

      • KOM

        That is not easy to do, since BitTorrent uses a variety of ports and encryption. The only sure way that I know of to do it would be to block everything and then whitelist valid traffic. With the traffic shaper, you can set it so that unclassified traffic is given very little bandwidth or none at all.

        • ozlecz

          @KOM:

          > The only sure way that I know of to do it would be to block everything and then whitelist valid traffic. With the traffic shaper, you can set it so that unclassified traffic is given very little bandwidth or none at all.

          Could you elaborate more on the above, please?

          • KOM

            Well, you can either craft a list of firewall rules that only allows common protocols like HTTP/S, POP, SMTP, NTP, etc. and blocks all else, or you can create a traffic shaper via Firewall - Traffic Shaper. Run through the Traffic Shaper wizard and you will get to a page where you can specify allowed protocols and what to do with unclassified traffic.

            • ozlecz

              Then it's better to allow valid addresses with valid ports and deny the rest. The L7 filtering for BitTorrent seems not a very good tool...

              • ozlecz

                I was just doing the first option:
                = created an alias for a group of ports, Ports_allow
                = edited my firewall rules, but in the destination I couldn't see an option to insert the Ports_allow alias created earlier. What is available is a port range.

                • KOM

                  Don't waste your time with L7 rules and BitTorrent. It's difficult and unreliable.

                  If you have an alias for your allowed ports, you would use that alias in your firewall rule in the section labelled Destination Port Range.

                  • ozlecz

                    I know, but I already mentioned I don't know where to put those defined ports. The alias I defined is not available in the list.

                    • ozlecz

                      Got it now... thanks a lot.

                      BTW, is there any common list of well-known ports used by, say, a normal office?

                      • KOM

                        Depends on the office. Some could get by with only HTTP/HTTPS. Others with VoIP phones may need a whole range of ports. You have to think about things like external time servers using NTP. Open up a few known ports and block everything else, then wait for someone to complain that something isn't working. Figure out what's being blocked and write a rule for it to make the broken app work again. Rinse, repeat.

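The "open a few known ports, block everything else, then figure out what's being blocked" loop above is where most of the work in the whitelist approach from earlier in the thread goes, and the firewall log is the place to find it. The script below is an added example, not code from the thread or from pfSense: it takes the contents of a port alias like the Ports_allow one discussed above, parses firewall log lines and summarises the blocked LAN-originated flows by destination port and number of source hosts, so that a port hit by many hosts (a VoIP service, say) can be told apart from a high port used by one machine. It assumes the CSV layout pfSense's filterlog writes to the syslog (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then per-protocol fields); the log lines, interface name and addresses are constructed for the example and are not real traffic.

```python
"""Triage pfSense firewall-log lines to see what a default-deny ruleset is blocking.

Added example, not from the forum thread or the pfSense project.  Assumes the
filterlog CSV layout documented for pfSense 2.x.  All sample data is constructed.
"""
from collections import Counter

# What the Ports_allow alias permits (assumed contents for this example):
# tcp: SMTP, HTTP, POP3, HTTPS, IMAPS; udp: DNS, NTP.
PORTS_ALLOW = {"tcp": {25, 80, 110, 443, 993}, "udp": {53, 123}}

# Constructed syslog lines in filterlog format.  em1 is the LAN, em0 the WAN.
# 6881-6889 is the traditional default BitTorrent port range; 5060 is SIP.
SAMPLE_LOG = """\
Jul  9 10:00:01 fw filterlog[71031]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.20,203.0.113.7,51000,6881,0,S,1,,65535,,mss
Jul  9 10:00:02 fw filterlog[71031]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.1.20,203.0.113.8,51001,6889,0,S,2,,65535,,mss
Jul  9 10:00:03 fw filterlog[71031]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.31,198.51.100.5,51002,5060,0,S,3,,65535,,mss
Jul  9 10:00:04 fw filterlog[71031]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,4,0,,17,udp,76,192.168.1.31,198.51.100.5,5060,5060,56
Jul  9 10:00:05 fw filterlog[71031]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,5,0,,17,udp,60,192.168.1.40,192.0.2.9,49000,6881,40
Jul  9 10:00:06 fw filterlog[71031]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,6,0,,17,udp,60,192.168.1.20,192.0.2.10,49001,6881,40
Jul  9 10:00:07 fw filterlog[71031]: 100,,,1000000110,em1,match,pass,in,4,0x0,,64,7,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51003,443,0,S,7,,65535,,mss
Jul  9 10:00:08 fw filterlog[71031]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,8,0,DF,6,tcp,60,198.51.100.77,203.0.113.2,40000,22,0,S,8,,65535,,mss
Jul  9 10:00:09 fw filterlog[71031]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,9,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,51004,443,0,S,9,,65535,,mss
"""


def parse_filterlog(line):
    """Return the fields needed for triage from one syslog line, or None if it is
    not an IPv4 filterlog entry.  Field positions follow the assumed CSV layout:
    0 rule, 4 interface, 6 action, 7 direction, 8 ip-version, 16 protocol,
    18 source, 19 destination, then 20/21 source/destination port for tcp and udp."""
    if "filterlog" not in line:
        return None
    fields = line.split("filterlog", 1)[1].split(": ", 1)[1].split(",")
    if fields[8] != "4":
        return None  # IPv6 entries carry a different header; out of scope here
    rec = {"iface": fields[4], "action": fields[6], "direction": fields[7],
           "proto": fields[16], "src": fields[18], "dst": fields[19],
           "sport": None, "dport": None}
    if rec["proto"] in ("tcp", "udp"):
        rec["sport"], rec["dport"] = int(fields[20]), int(fields[21])
    return rec


def blocked_egress(log_text, lan_iface, allowed):
    """Summarise blocked LAN-originated flows as (proto, dport, hits, distinct_sources),
    most frequent first, skipping ports the alias already allows.

    Traffic leaving the LAN is logged with direction 'in' on the LAN interface
    (it enters the firewall there), so that is the combination filtered on."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["iface"] != lan_iface:
            continue
        if rec["action"] != "block" or rec["direction"] != "in":
            continue
        if rec["dport"] in allowed.get(rec["proto"], set()):
            continue  # blocked by some other rule; not a candidate for the alias
        key = (rec["proto"], rec["dport"])
        counts[key] += 1
        sources.setdefault(key, set()).add(rec["src"])
    rows = [(p, d, n, len(sources[(p, d)])) for (p, d), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1] or 0))


if __name__ == "__main__":
    for proto, port, hits, hosts in blocked_egress(SAMPLE_LOG, "em1", PORTS_ALLOW):
        print(f"{proto:4} {port!s:6} blocked {hits:3} time(s) from {hosts} host(s)")
```

On the constructed sample the SIP port shows up from one phone on both tcp and udp, while the 6881-6889 hits come from several hosts but on ports that nothing in an office normally needs; the former is what gets added to the alias on the next pass of the loop, the latter is what the whitelist was built to stop. Run it against a real log by feeding `blocked_egress` the output of the firewall log (Status - System Logs - Firewall, or the syslog file) with the actual LAN interface name.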
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.