Block Bit Torrent In Mikrotik
Sunday, July 17, 2011
MikroTik has some built-in matching functionality for P2P traffic. You can use it in mangle rules or firewall rules. In mangle, you can mark the packets and then lower their precedence or stick them in a smaller queue. In the firewall, you can block them altogether.
Here’s the rub: BitTorrent traffic is almost universally encrypted, so these matchers will generally not do you much good. They have to inspect the packet contents, and once the payload is encrypted it looks like so much junk. So what do you do now?
You drop it, like you are Fox and BitTorrent is “Are You Smarter than a Fifth Grader?”, “Do Not Disturb”, “Don’t Forget the Lyrics”, “Hole in the Wall”, “MADtv”, “Osbournes Reloaded”, “Prison Break”, “Secret Millionaire”, “Sit Down, Shut Up” or “Terminator”. So how do we drop it? I do it in the following ways.
First, we block people from finding torrents. Using MikroTik’s layer 7 inspection (L7), we match HTTP GET requests for BitTorrent sites and related sites. Here’s my regex:
^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$
/ip firewall layer7-protocol add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
/ip firewall filter add action=drop chain=forward comment="block torrent wwws" disabled=no layer7-protocol=torrent-wwws
As you can see, on the forward chain I added the L7 matcher torrent-wwws, which was defined above. This means anyone trying to browse to any of the specified BitTorrent sites gets blocked, and if their client tries to hit a tracker with a GET request, that is stopped too. Now, just to put a bow on top, let’s be a little more devious: let’s block DNS queries based on the same regex.
Here’s the new regex:
^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$
/ip firewall layer7-protocol add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
/ip firewall filter add action=drop chain=forward comment="block torrent dns" disabled=no dst-port=53 layer7-protocol=torrent-dns protocol=udp
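To see what these two patterns actually key on once they are applied to raw payload bytes, here is an added Python example; it is not from the original post and is not RouterOS code. It assumes that Python’s re module, run over the payload bytes in DOTALL mode, stands in for the Layer7 matcher scanning a connection’s data, and that matching is case-sensitive (which is why the post lists both get and GET). The HTTP request, the DNS wire-format query and the random-looking byte string are constructed samples, not captures.

```python
import re
import struct

# The site alternation from the post, copied verbatim (its duplicated
# alternatives, entertane and flixflux, are kept as the author wrote them).
SITES = (
    b"torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|"
    b"torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|"
    b"vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits"
)

# ASSUMPTION: Python's re over raw bytes in DOTALL mode approximates the
# Layer7 matcher running the pattern over the payload stream, and matching is
# case-sensitive (hence the post's explicit "(get|GET)").
TORRENT_WWWS = re.compile(rb"^.*(get|GET).+(" + SITES + rb").*$", re.DOTALL)
TORRENT_DNS = re.compile(rb"^.+(" + SITES + rb").*$", re.DOTALL)


def classify(payload: bytes) -> tuple[bool, bool]:
    """Return (hit by torrent-wwws, hit by torrent-dns) for one payload."""
    return (TORRENT_WWWS.match(payload) is not None,
            TORRENT_DNS.match(payload) is not None)


def dns_query(name: str) -> bytes:
    """Build a minimal DNS A query in wire format (constructed sample).

    Labels are length-prefixed, so the dots never appear on the wire, but the
    label text itself does, which is exactly what the torrent-dns regex keys on.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# Constructed sample payloads; none of these are real captures.
SAMPLES = {
    # Plain-HTTP tracker request: both rules fire (a GET line plus a site name).
    "plain_http_get_to_tracker":
        b"GET /torrents/?q=ubuntu HTTP/1.1\r\nHost: thepiratebay.org\r\n\r\n",
    # UDP/53 lookup of a tracker hostname: only torrent-dns fires.
    "dns_query_tracker": dns_query("tracker.thepiratebay.org"),
    # Over-broad substring: any hostname that merely contains "torrent" is
    # dropped too, so expect collateral blocking of legitimate names.
    "dns_overbroad_substring": dns_query("torrent-legislation.example.org"),
    # Unrelated browsing: neither rule fires.
    "benign_http_get":
        b"GET /articles/copyright.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Encrypted-looking peer data (fixed bytes chosen to look random): there is
    # nothing for a content regex to key on, which is the post's main point.
    "encrypted_looking_peer_data": bytes.fromhex(
        "9f2a7c41e08b33d6f5a1c7e2093b8d4461ab5ce7fe0d92b3c4a6d1e8f7b0c593"),
}


def run_samples() -> dict[str, tuple[bool, bool]]:
    """Classify every sample; returns {name: (wwws_hit, dns_hit)}."""
    return {name: classify(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, (wwws, dns) in run_samples().items():
        print(f"{name:32s} torrent-wwws={wwws!s:5s} torrent-dns={dns}")
```

Running it prints both verdicts for each sample. The last two cases are the limits of this approach: the substring rule catches any name containing "torrent", so legitimate hosts can be blocked along with the trackers, and encrypted peer traffic exposes nothing for a content regex, which is why the post pairs these rules with the built-in P2P matcher. Keep in mind also that the RouterOS Layer7 matcher only examines the first 10 packets or first 2 KB of a connection, so the GET line has to appear early for torrent-wwws to see it.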
Using the above method along with the standard P2P matching, it looks like you can save around 25% – 50% of your traffic utilization. Though, what will the kids do when they can’t download their pornography and movies… I think the internet has no other use?
*Edit* It appears that Blizzard, makers of WoW, now only allow updates via BitTorrent. I’ve written a little exclusion for this that can be found here.
(gsw)