Filtering Bittorrent

minimike · Oct 22, 2010

Hi

I have found a script for Linux http://www.lowth.com/rope/BlockingBittorrent for how to keep out Bittorrent out of the Network. Is there something for IPFW what can do the same?

SIFE · Oct 23, 2010

The only solution i know is to block the Bittorrent port range, Bittorrent uses UDP protocol.
Its range between 6881-6999 and 6881-6889, depend in the version of Bittorrent, the rule you have to add it will be like so:

Code:

block drop in inet proto udp from any to any port 6881<>6889
block drop in inet proto udp from any to any port 6881<>6999

graudeejs · Oct 23, 2010

SIFE said:
The only solution i know is to block the Bittorrent port range, Bittorrent uses UDP protocol.
Its range between 6881-6999 and 6881-6889

That is highly subjective

phoenix · Oct 23, 2010

SIFE said:
The only solution i know is to block the Bittorrent port range, Bittorrent uses UDP protocol.

Its range between 6881-6999 and 6881-6889, depend in the version of Bittorrent, the rule you have to add it will be like so:

Every torrent client I've used allows you to select the ports to use for torrent, dht, etc. It's very rare to actually find port 6881 in use anymore, due to generic firewall blocks on that port.

For example, none of my torrent clients use those ports.

Code:

block drop in inet proto udp from any to any port 6881<>6889
block drop in inet proto udp from any to any port 6881<>6999

OP asked for IPFW rules, not PF.

Code:

ipfw add deny udp from any to any 6881-6999

SIFE · Oct 24, 2010

Every torrent client I've used allows you to select the ports to use for torrent, dht, etc. It's very rare to actually find port 6881 in use anymore, due to generic firewall blocks on that port.

I was talk in general

.

OP asked for IPFW rules, not PF.

I didn't note that, may be I am tired.

minimike · Oct 25, 2010

Is there no any pendant for ROPE with IPFW or PF? If not I have to use Linux for Firewall

To close a port for outgoing Bittorrent or Kazaa is stupid. Clients could change their working ports and use that garbage again.

terminus · Oct 25, 2010

Try your luck with solution from nuclight:
http://nuclight.livejournal.com/125747.html

It is based on detection of torrent peers addresses by cutting them from tracker announces using divert sockets and ipfw tee rules. Article is in Russian, but script is in perl and sh

goshanecr · Oct 23, 2018

Up! Is there working way to block|shape|detect torrent traffic with ipfw()?

SirDice · Oct 24, 2018

Yeah, block everything outgoing. Really. It's rather futile to only block specific ports because all bittorrent clients can be configured to run on any port. So the only way to block it is to block everything.

goshanecr · Oct 24, 2018

Maybe blocking based on protocol analyzing? On mikrotik there is existing firewall rules with packet inspection.

SirDice · Oct 24, 2018

goshanecr said:
Maybe blocking based on protocol analyzing?

Then I'll run a bittorrent client over a VPN or SSH tunnel. Good luck trying to analyze encrypted packets.

For everything you can think of trying to prevent it I can find several ways of circumventing it. The only thing I can't circumvent is a total block of everything. Which is what's typically done on larger networks, no workstation will ever get a direct connection to the outside world.

goshanecr · Oct 24, 2018

SirDice, my users not so IT professionals like you

Also I'm found such netgraph solution (not tests it yet) HERE:

Code:

#!/bin/sh

ngctl mkpeer ipfw: bpf 2 main
ngctl name ipfw:2 utp_filter
ngctl msg utp_filter: setprogram { thisHook=\»main\» ifMatch=\»\» ifNotMatch=\»main\» bpf_prog_len=12 bpf_prog=[ { code=48 jt=0 jf=0 k=0 } { code=84 jt=0 jf=0 k=240 } { code=21 jt=0 jf=8 k=64 } { code=48 jt=0 jf=0 k=9 } { code=21 jt=0 jf=6 k=17 } { code=40 jt=0 jf=0 k=6 } { code=69 jt=4 jf=0 k=8191 } { code=177 jt=0 jf=0 k=0 } { code=64 jt=0 jf=0 k=20 } { code=21 jt=0 jf=1 k=2147483647 } { code=6 jt=0 jf=0 k=65535 } { code=6 jt=0 jf=0 k=0 } ] }

ipfw add 180 netgraph 2 udp from any to any iplen 0-128

With following refinement for bpf program:

Code:

{ thisHook=\»main\» ifMatch=\»\» ifNotMatch=\»main\» bpf_prog_len=18 bpf_p rog=[ { code=48 jt=0 jf=0 k=0 } { code=84 jt=0 jf=0 k=240 } { code=21 jt=0 jf=14 k=64 } { code=48 jt =0 jf=0 k=9 } { code=21 jt=0 jf=5 k=17 } { code=40 jt=0 jf=0 k=6 } { code=69 jt=3 jf=0 k=8191 } { co de=177 jt=0 jf=0 k=0 } { code=64 jt=0 jf=0 k=20 } { code=21 jt=6 jf=0 k=2147483647 } { code=32 jt=0 jf=0 k=49 } { code=21 jt=4 jf=0 k=1114207316 } { code=32 jt=0 jf=0 k=52 } { code=21 jt=2 jf=0 k=1114 207316 } { code=32 jt=0 jf=0 k=41 } { code=21 jt=0 jf=1 k=1114207316 } { code=6 jt=0 jf=0 k=65535 } { code=6 jt=0 jf=0 k=0 } ] }

leebrown66 · Oct 24, 2018

I've used security/snort on a linux box for this to drop packets. The detection is suprisingly simple (/announce in plaintext I think), but yes you have to inspect the payload, so raw IPFW can't do this. I like that netgraph aproach though, I'll have to look into that as I'm building a new version of our IPS's with FreeBSD to replace linux.

As SirDice says it's possible to circumvent, but all I care about is protecting our public IP address from DCMA notices.

Filtering Bittorrent

minimike

SIFE

graudeejs

phoenix

SIFE

minimike

terminus

goshanecr

SirDice

Administrator

goshanecr

SirDice

Administrator

goshanecr

leebrown66