Cisco ZBF: How completely to block torrents (solved!)

Anton Pestov — Tue, 12 Mar 2019 04:23:35 GMT

It is necessary to setup ZBF to forbid UDP of the traffics which contents of a packet corresponds to RegEx expression, for example Mikrotik Rules (see rule No.2):

/ip firewall filter
add action=drop chain=forward disabled=no p2p=all-p2p
add action=drop chain=forward comment="torrent dht out magnet" content=d1:ad2:ad20 disabled=no dst-port=1025-65535 packet-size=95-190 protocol=udp
add action=drop chain=forward comment=info_hash content=info_hash disabled=no dst-port=2170,80 protocol=tcp

Rules 1 and 3 are created in Cisco ZBF. But how to create the rule No.2?

Hi,Are you trying to block

Yadhu Tony — Thu, 03 Jul 2014 04:28:07 GMT

Hi,

Are you trying to block P2P traffic? If so please have a look at this link http://yadhutony.blogspot.in/2012/11/how-to-block-p2p-traffic-on-cisco-router.html

Best Regards,

Yadhu

Hi, YadhuYour post describes

Anton Pestov — Thu, 03 Jul 2014 06:45:14 GMT

Hi, Yadhu

Your post describes generally config rule No. 1:

add action=drop chain=forward disabled=no p2p=all-p2p

I already have this configuration.

Solution - using ZBF + FPM:

Anton Pestov — Tue, 08 Dec 2015 14:36:33 GMT

Solution - using ZBF + FPM:

Attempt to block torrents was successful, but not completely:

1 . Downloading of the *.torrent files (content-type: "application/x-bittorrent") - is blocked

2 . The traffic with requests to list SEEDs of a tracker (... info_hash =... ) - is blocked

3 . The DHT traffic - is blocked.

PEX (the advanced DHT version) - doesn't blocked.

Suddenly to whom it is useful, similar to the rules Mikrotik, Cisco ZBF config + FPM:

parameter-map type regex REGEX-TORRENT-ANNOUNCE

pattern .*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*
parameter-map type regex REGEX-TORRENT-PROHIBIT-DOWNLOAD
pattern .*application\/x-bittorrent.*|.*\.torrent.*

class-map type inspect match-all CLASS-INSPECT-HTTP

match protocol http

class-map type inspect match-any CLASS-INSPECT
match protocol ftp
match protocol ftps
match protocol tftp
match protocol smtp
match protocol pop3
match protocol dns
match protocol https
match protocol http
match protocol sip
match protocol tcp
match protocol udp
match protocol icmp

сlass-map type inspect match-any CLASS-INSPECT-ANY-P2P

match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all CLASS-INSPECT-P2P
match class-map CLASS-INSPECT-ANY-P2P

class-map type inspect http match-all CLASS-HTTP-TORRENT-PROHIBIT-DOWNLOAD

match response header content-type regex REGEX-TORRENT-PROHIBIT-DOWNLOAD

сlass-map type inspect http match-all CLASS-HTTP-TORRENT-ANNOUNCE
match request method get
match request arg regex REGEX-TORRENT-ANNOUNCE

class-map type inspect http match-any CLASS-HTTP-PORT-MISUSE

match request port-misuse p2p
match req-resp protocol-violation

class-map type access-control match-all CLASS-ACCESS-TORRENT-DHT-OUTGOING
match field UDP length range 95 190
match start UDP payload-start offset 0 size 190 string "d1:ad2:id20:"
match field UDP dest-port range 1025 65535

class-map type stack match-all CLASS-STACK-IP-UDP
description *** Stack: [IP [UDP ... ]] ***
match field IP protocol eq 0x11 next UDP

policy-map type inspect http POLICY-HTTP
class type inspect http CLASS-HTTP-TORRENT-ANNOUNCE
reset
log
class type inspect http CLASS-HTTP-PORT-MISUSE
reset
class type inspect http CLASS-HTTP-TORRENT-PROHIBIT-DOWNLOAD
reset
log
policy-map type inspect INSIDE->INTERNET
class type inspect CLASS-INSPECT-P2P
drop
class type inspect CLASS-INSPECT-HTTP
inspect
service-policy http POLICY-HTTP
class type inspect CLASS-INSPECT
inspect
class class-default
drop

policy-map type access-control POLICY-FILTER
class CLASS-ACCESS-TORRENT-DHT-OUTGOING
log
drop all
policy-map type access-control POLICY-STACK
class CLASS-STACK-IP-UDP
service-policy POLICY-FILTER

interface GigabitEthernet0/0

zone-member security INSIDE

interface GigabitEthernet0/1

zone-member security OUTSIDE

service-policy type access-control output POLICY-STACK

zone-pair security INSIDE->INTERNET source INSIDE destination INTERNET
service-policy type inspect INSIDE->INTERNET

topic Cisco ZBF: How completely to block torrents (solved!) in Network Security

Cisco ZBF: How completely to block torrents (solved!)

Hi,Are you trying to block

Hi, YadhuYour post describes

Solution - using ZBF + FPM:

for completely block torrents