block uploading in qBittorrent [Archive] - The FreeBSD Forums

SIFE
June 6th, 2010, 23:33
I am trying to block uploading in qBittorrent with pf, but it fails.
pf.conf:

#************************************************* **********************************************#
# #
# Macros #
# #
#************************************************* **********************************************#

# network card
ext_if="sis0"
net_card="sis0"

# tcp port services
tcp_ports="{22, 80 ,https ,domain ,auth ,21 ,3306}"

# udp port services
udp_ports="{domain ,23399}"

# ICMP types
icmp_types="echoreq"

# ip's
local_ip="{192.168.0.0/16, 127.0.0.1}"
#************************************************* **********************************************#
# #
# Tables #
# #
#************************************************* **********************************************#

#table <banned> persist file "/etc/pf/banned"

#************************************************* **********************************************#
# #
# Options #
# #
#************************************************* **********************************************#

#set ruleset-optimization basic
#set optimization normal
set block-policy drop
set skip on lo0
#scrub in on $net_card all fragment reassemble
#scrub on $net_card all reassemble tcp

#************************************************* **********************************************#
# #
# Rules #
# #
#************************************************* **********************************************#

# block any thing in or out
block drop in log(all) on $net_card all
block drop out log(all) on $net_card all

block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
block out log quick proto udp from any to any port 6881

# passing traffic to sis from trusted ports
#pass in on $net_card from $local_ip to any keep state
pass in on $net_card proto tcp from any port $tcp_ports to any keep state
pass in on $net_card proto {tcp, udp} from $local_ip to $local_ip keep state
pass in on $net_card proto igmp all allow-opts

# pass out traffic to trusted ports
pass out on $net_card proto tcp from any to any port $tcp_ports
pass out on $net_card proto udp from any to any port $udp_ports
pass out on $net_card proto igmp all allow-opts

# pass ICMP 'echoreq' traffic
pass out on $net_card inet proto icmp all icmp-type $icmp_types keep state

# passing ftp packet
pass out on $net_card inet proto tcp from any to any port ftp
pass out on $net_card inet proto tcp from any to any port > 1023

tcpdump output:

[root@localhost /]# tcpdump -n -e -ttt -i pflog0 -vv port 6881
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000000 rule 8/0(match): block out on sis0: (tos 0x0, ttl 64, id 13266, offset 0, flags [none], proto UDP (17), length 132)
192.168.1.2.6881 > x.x.x.x.6881: UDP, length 104
00:00:01.398401 rule 1/0(match): block out on sis0: (tos 0x0, ttl 64, id 13307, offset 0, flags [none], proto UDP (17), length 93)
192.168.1.2.6881 > x.x.x.x.12956: UDP, length 65
00:00:00.016009 rule 1/0(match): block out on sis0: (tos 0x0, ttl 64, id 13308, offset 0, flags [none], proto UDP (17), length 93)
192.168.1.2.6881 > x.x.x.x.25585: UDP, length 65
00:00:01.012143 rule 1/0(match): block out on sis0: (tos 0x0, ttl 64, id 13334, offset 0, flags [none], proto UDP (17), length 93)
192.168.1.2.6881 > x.x.x.x.42694: UDP, length 65
00:00:06.382915 rule 1/0(match): block out on sis0: (tos 0x0, ttl 64, id 13589, offset 0, flags [none], proto UDP (17), length 93)
192.168.1.2.6881 > x.x.x.x.16696: UDP, length 65
00:05:14.094309 rule 8/0(match): block out on sis0: (tos 0x0, ttl 64, id 18586, offset 0, flags [none], proto UDP (17), length 129)
192.168.1.2.6881 > x.x.x.x.6881: UDP, length 101

DutchDaemon
June 7th, 2010, 00:42
Why are you trying to prevent 50% of the functionality of the bittorrent protocol? Just leeching, no sharing?

SIFE
June 7th, 2010, 05:16
:D, just making some tests.

SIFE
June 10th, 2010, 18:25
As far as I know, the BitTorrent protocol uses the range 6881-6999, so I drop all packets going out from my net card, but with no success:
block drop out log quick proto udp from any to any port 6881:6999

DutchDaemon
June 10th, 2010, 21:28
That rule drops traffic originating from your machine. Hint, pf is a stateful packet filter.


The state entry created permits pf(4) to keep track of the original
address for traffic associated with that state and correctly direct
return traffic for that connection.

SIFE
June 11th, 2010, 00:30
Do you have a quick solution, Mr DutchDaemon? I found something, but it is not related to *BSD.
Filtering P2P network traffic with ipp2p (http://www.debian-administration.org/articles/562)
Application Layer Packet Classifier for Linux (http://l7-filter.sourceforge.net/)

DutchDaemon
June 11th, 2010, 01:15
Don't keep state on your 'pass in' rules ('no state') and write specific 'pass out' rules to handle allowed outbound traffic. This is very inefficient (state tables are efficient, because only the initial connection needs to be fully evaluated), but it's the only way to control 'pass inbound / block outbound' situations on a single connection (vice versa). That's about as precise as I want to be.
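
The two points made in the replies above (a state entry lets the rest of a connection through, and 'no state' forces every packet back through the ruleset), as an added example that is not part of the thread and not pf source code: a toy Python model of pf's decision order. `Rule`, `ToyPf` and `replay` are hypothetical names, the peer address is constructed, and real pf state tracking checks far more than the address pair used here.

```python
# Added illustration: a toy model of pf's decision order, not pf source code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    direction: str                     # "in" or "out"
    proto: str
    dst_ports: Optional[range] = None  # None matches any destination port
    quick: bool = False
    keep_state: bool = True            # only meaningful on pass rules

    def matches(self, direction, proto, dst):
        return (self.direction == direction and self.proto == proto
                and (self.dst_ports is None or dst[1] in self.dst_ports))


class ToyPf:
    def __init__(self, rules):
        self.rules, self.states = list(rules), set()

    def decide(self, direction, proto, src, dst):
        # 1. Packets of a tracked connection pass without ruleset evaluation.
        key = (proto, frozenset((src, dst)))
        if key in self.states:
            return "pass (state)"
        # 2. Otherwise the last matching rule wins; 'quick' stops evaluation.
        hit = None
        for rule in self.rules:
            if rule.matches(direction, proto, dst):
                hit = rule
                if rule.quick:
                    break
        if hit is None:
            return "pass"              # pf's implicit default
        if hit.action == "pass" and hit.keep_state:
            self.states.add(key)
        return hit.action


def replay(keep_state):
    """A peer opens a TCP connection to the client, then the client answers."""
    local, peer = ("192.168.1.2", 6881), ("203.0.113.7", 51000)  # peer is constructed
    pf = ToyPf([
        Rule("block", "out", "tcp", quick=True),
        Rule("pass", "in", "tcp", range(6881, 7000), keep_state=keep_state),
    ])
    return [pf.decide("in", "tcp", peer, local),
            pf.decide("out", "tcp", local, peer)]
```

`replay(True)` shows the outbound reply passing on the state entry even though a `block out quick` rule is listed first; `replay(False)` shows the same reply reaching the ruleset and being blocked.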
