P2P Blocking How-to with pfSense?

  • Basically someone told me to check out pfSense because it's open source and has a good reputation.  To give everyone an idea of what I am wanting, I live in an apartment complex, I share my internet with others around me, and SOME of them pitch in for the bill.  I currently use Sophos to keep people from doing torrents and slowing everyone else down.  Sophos works GREAT! Just about 99% of all P2P traffic is trapped and blocked.  But the problem is that Sophos only allows 50 IP addresses, and well, that goes quick when you have gaming systems, Netflix, etc. So I am looking for a new solution that can be as effective as Sophos is with blocking P2P traffic.

    From my testing pfSense is so-so, not so good at blocking it; I have been searching forums for the last few days trying to find the right combo of add-ons.  I currently am using pfSense, Squid, and Snort.  Snort does block the IPs but I don't want to block the IP, only the traffic.

    If anyone can help me with this I would be forever thankful.

  • LAYER 8 Global Moderator

    What exactly are you doing in snort - pretty sure you can just load the p2p rules in snort and there you go.

  • From what I can read about Sophos, it sounds like it primarily just blocks popular P2P ports. Snort does not work this way; it actually monitors the traffic and tries to detect P2P. If you want to block ports, there are some simple rules you can set up. Mind you, people can change their default ports to get around these. In the end, even the best companies that highly specialize in this kind of stuff can't block P2P because of randomized ports and encrypted data that is so easy to set up.

  • Actually Sophos UTM does deep packet inspection and stops it. I have hammered it with non-standard ports, and even encrypted, and Sophos has always stopped P2P in its tracks.  The way Sophos stops P2P so well, it starts with standard ports > blocks trackers > DPI for anything torrent related (this catches the non-standard ports, and encrypted). I would think that pfSense could do this as well; it is probably just me since I am a novice when it comes to pfSense.  Thus why I am posting here for any suggestions…

    Johnpoz, I will work with Snort some more and see if I can't figure out how to block without banning the IP.  I have the P2P rules loaded, and it even shows in the log that it sees it, but it does not stop it. I may just not have it set up right.

    Thank you for the suggestions.

  • You can't DPI encrypted data. Of course, if there are obvious patterns like unique packet sizes (which may fall under some usages of "DPI") during setup, that can be tracked. My assumption is their method is riddled with false positives, but it doesn't matter because encrypted traffic on non-standard ports is not very common. I've read a lot of recent presentations from companies like Snort about how nearly impossible it is to properly identify encrypted P2P traffic with a low false positive rate.

    You could try to NAT each of the customers to reduce the number of IPs and allow Sophos to work within its 50 IP limit.
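To make the "standard ports > block trackers > DPI" pipeline from the Sophos post concrete, and to show why the encrypted case Harvey66 describes slips through, here is an added example that is not from this thread, pfSense, Snort or Sophos. It is a small Python classifier run over hand-built packet samples (not captured traffic). The port range, the tracker and DHT regexes and the sample flows are all assumptions made for illustration; only the plaintext handshake prefix `0x13 "BitTorrent protocol"` and the `info_hash` tracker parameter are standard BitTorrent protocol details.

```python
"""Constructed example: a three-stage BitTorrent classifier mirroring the
"standard ports > trackers > DPI" pipeline described in the thread.
Packet samples below are hand-built, not captured traffic."""
import re

# Stage 1: historical default listening range of classic BitTorrent clients.
# Which ports count as "standard" is an operator choice (assumption here).
STANDARD_P2P_PORTS = frozenset(range(6881, 6890))

# Stage 2: HTTP tracker announce/scrape requests carry an info_hash parameter.
TRACKER_RE = re.compile(rb"^(?:GET|POST) /(?:announce|scrape)\?[^ ]*info_hash=")

# Stage 3: the plaintext peer-wire handshake starts with <0x13>"BitTorrent protocol".
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
# Stage 3: bencoded DHT (KRPC) query/response: a dict whose first key is "a" or "r"
# and whose message type "y" is "q" or "r". Heuristic, not a full bencode parser.
DHT_RE = re.compile(rb"^d1:[ar]d.*1:y1:[qr]e", re.DOTALL)


def classify(dst_port: int, payload: bytes) -> str:
    """Return a verdict string for the first bytes of one packet or flow."""
    if dst_port in STANDARD_P2P_PORTS:
        return "block:standard-port"
    if TRACKER_RE.match(payload):
        return "block:tracker-announce"
    if payload.startswith(HANDSHAKE_PREFIX):
        return "block:dpi-handshake"
    if DHT_RE.match(payload):
        return "block:dpi-dht"
    # Encrypted (MSE/PE) or simply unknown traffic on a random port lands here.
    # The safe default is to allow it, which is exactly the gap discussed above:
    # blocking it would mean blocking everything you cannot identify.
    return "allow:unclassified"


# Constructed sample flows: (description, destination port, first payload bytes)
SAMPLE_FLOWS = [
    ("plain handshake on default port", 6881,
     HANDSHAKE_PREFIX + b"\x00" * 8 + b"H" * 20 + b"P" * 20),
    ("tracker announce over HTTP", 80,
     b"GET /announce?info_hash=%AB%CD&peer_id=-XX0001-abcdefghijkl&port=51413 HTTP/1.1\r\n"
     b"Host: tracker.example\r\n\r\n"),
    ("plain handshake on random port", 51413,
     HANDSHAKE_PREFIX + b"\x00" * 8 + b"H" * 20 + b"P" * 20),
    ("DHT ping query on random port", 51413,
     b"d1:ad2:id20:" + b"n" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("ordinary web request", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("encrypted stream on random port", 51413,
     bytes(range(7, 255, 11))),  # stand-in for random-looking MSE bytes; no plaintext signature
]


def classify_flows(flows=SAMPLE_FLOWS):
    """Classify every sample flow and return [(description, verdict), ...]."""
    return [(desc, classify(port, payload)) for desc, port, payload in flows]


if __name__ == "__main__":
    for desc, verdict in classify_flows():
        print(f"{desc:36s} -> {verdict}")
```

The first four samples are caught at stages 1 to 3 even when the client moves off the default port, but the last sample, which carries no plaintext signature, is indistinguishable from the ordinary web request without statistical features (packet sizes, timing), and that is where the false-positive trade-off Harvey66 mentions begins.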

  • This explains some of the challenges.

    But there are things the researcher of this paper failed to mention, which all torrents have in common and Harvey66 mentions: they do still have common characteristics or patterns.

    Like Harvey66 mentions, let the identifiable traffic go through pfSense unhindered; the unidentifiable traffic can be NAT'ted through the Sophos box and then you can blame the Sophos box.