Peer to peer apps blocking



  • I want to block P2P apps like BitTorrent and the like on my pfSense-driven device. Could anyone please help me achieve this?

    Thanks



  • That is not easy to do since Bittorrent uses a variety of ports & encryption.  The only sure way that I know of to do it would be to block everything and then whitelist valid traffic.  With the traffic shaper, you can set it so that unclassified traffic is given very little bandwidth or none at all.



  • @KOM:

    The only sure way that I know of to do it would be to block everything and then whitelist valid traffic.  With the traffic shaper, you can set it so that unclassified traffic is given very little bandwidth or none at all.

    Could you elaborate more on the above, please?



  • Well, you can either craft a list of firewall rules that only allows common protocols like HTTP/S, POP, SMTP, NTP, etc. and blocks all else, or you can create a traffic shaper via Firewall - Traffic Shaper.  Run through the Traffic Shaper wizard and you will get to a page where you can specify allowed protocols and what to do with unclassified traffic.



  • Then it's better to allow valid addresses with valid ports and deny the rest. The L7 filtering for BitTorrent seems not a very good tool...



  • Was just doing the first option.
    - created an alias for a group of ports, Ports_allow
    - edited my firewall rules, but in the destination I couldn't see an option to insert the Ports_allow alias created earlier. What is available is port range.



  • Don't waste your time with L7 rules and Bittorrent.  It's difficult and unreliable.

    If you have an alias for your allowed port, you would use that alias in your firewall rule in the section labelled Destination Port Range.



  • I know, but I already mentioned I don't know where to put those defined ports. The alias defined is not available in the list.



  • Got it now. Thanks a lot.

    BTW, is there any common list of well-known ports used by, say, a normal office?



  • Depends on the office.  Some could get by with only HTTP/HTTPS.  Others with VoIP phones may need a whole range of ports.  You have to think about things like external time servers using NTP.  Open up a few known ports and block everything else, then wait for someone to complain that something isn't working.  Figure out what's being blocked and write a rule for it to make the broken app work again.  Rinse, repeat.
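As an added example (not a configuration posted in this thread), here is what the "block everything, allow-list valid traffic" approach from the replies above looks like as a raw pf ruleset; pfSense generates rules of this form from the port alias and the Destination Port Range field in the GUI. The interface name, LAN subnet, resolver address and the port list are assumptions for illustration.

```pf
# Added example, not from the thread: default-deny ruleset with an
# allow-list of ports, written in raw pf syntax (pfSense builds the
# same thing from the GUI). Interface, subnet and ports are assumed.

lan_if  = "em1"                 # assumed LAN interface
lan_net = "192.168.1.0/24"      # assumed LAN subnet
lan_gw  = "192.168.1.1"         # assumed firewall address (LAN resolver)

# Equivalent of the Ports_allow alias: macros referenced by the pass rules.
Ports_allow_tcp = "{ 80, 443, 25, 110, 143, 587, 993, 995 }"
Ports_allow_udp = "{ 123 }"

# Default deny. 'log' records every blocked packet, so when an office app
# stops working the blocked port shows up in the firewall log and a
# specific pass rule can be added for it.
block log all

# Allow-listed traffic entering the firewall from LAN clients.
pass in quick on $lan_if proto tcp from $lan_net to any \
    port $Ports_allow_tcp flags S/SA keep state
pass in quick on $lan_if proto udp from $lan_net to any \
    port $Ports_allow_udp keep state
pass in quick on $lan_if proto udp from $lan_net to $lan_gw \
    port 53 keep state

# Anything else from the LAN, including BitTorrent on arbitrary ports,
# matches no pass rule and falls through to the block rule above.
```

On pfSense the blocked packets appear under Status > System Logs > Firewall; on a plain pf host the same log can be read with `tcpdump -n -e -ttt -i pflog0`.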

