Cisco ZBF: How to completely block torrents (solved!)

Anton Pestov
Level 1

I need to set up ZBF to forbid UDP traffic whose packet contents match a RegEx expression, for example as in these Mikrotik rules (see rule No. 2):

/ip firewall filter
add action=drop chain=forward disabled=no p2p=all-p2p
add action=drop chain=forward comment="torrent dht out magnet" content=d1:ad2:ad20 disabled=no dst-port=1025-65535 packet-size=95-190 protocol=udp
add action=drop chain=forward comment=info_hash content=info_hash disabled=no dst-port=2170,80 protocol=tcp

Rules 1 and 3 are already created in Cisco ZBF. But how do I create rule No. 2?

4 Replies

Yadhu Tony
Level 1

Hi,

Are you trying to block P2P traffic? If so please have a look at this link http://yadhutony.blogspot.in/2012/11/how-to-block-p2p-traffic-on-cisco-router.html

Best Regards,

Yadhu


Regards,
Tony

http://yadhutony.blogspot.com

Hi, Yadhu

Your post generally describes the config for rule No. 1:

add action=drop chain=forward disabled=no p2p=all-p2p

I already have this configuration. 

Anton Pestov
Level 1

Solution - using ZBF + FPM:

The attempt to block torrents was successful, but not completely:

1. Downloading *.torrent files (content-type: "application/x-bittorrent") is blocked.

2. Traffic with requests to list the seeds of a tracker (... info_hash=... ) is blocked.

3. DHT traffic is blocked.

PEX (the advanced DHT version) is not blocked.

In case it is useful to someone, here is the Cisco ZBF config + FPM, analogous to the Mikrotik rules:

parameter-map type regex REGEX-TORRENT-ANNOUNCE
 pattern .*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*
parameter-map type regex REGEX-TORRENT-PROHIBIT-DOWNLOAD
 pattern .*application\/x-bittorrent.*|.*\.torrent.*
!
class-map type inspect match-all CLASS-INSPECT-HTTP
 match protocol http
class-map type inspect match-any CLASS-INSPECT
 match protocol ftp
 match protocol ftps
 match protocol tftp
 match protocol smtp
 match protocol pop3
 match protocol dns
 match protocol https
 match protocol http
 match protocol sip
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-any CLASS-INSPECT-ANY-P2P
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all CLASS-INSPECT-P2P
 match class-map CLASS-INSPECT-ANY-P2P
!
class-map type inspect http match-all CLASS-HTTP-TORRENT-PROHIBIT-DOWNLOAD
 match response header content-type regex REGEX-TORRENT-PROHIBIT-DOWNLOAD
class-map type inspect http match-all CLASS-HTTP-TORRENT-ANNOUNCE
 match request method get
 match request arg regex REGEX-TORRENT-ANNOUNCE
class-map type inspect http match-any CLASS-HTTP-PORT-MISUSE
 match request port-misuse p2p
 match req-resp protocol-violation
!
class-map type access-control match-all CLASS-ACCESS-TORRENT-DHT-OUTGOING
 match field UDP length range 95 190
 match start UDP payload-start offset 0 size 190 string "d1:ad2:id20:"
 match field UDP dest-port range 1025 65535
!
class-map type stack match-all CLASS-STACK-IP-UDP
 description *** Stack: [IP [UDP ... ]] ***
 match field IP protocol eq 0x11 next UDP
!
policy-map type inspect http POLICY-HTTP
 class type inspect http CLASS-HTTP-TORRENT-ANNOUNCE
  reset
  log
 class type inspect http CLASS-HTTP-PORT-MISUSE
  reset
 class type inspect http CLASS-HTTP-TORRENT-PROHIBIT-DOWNLOAD
  reset
  log
policy-map type inspect INSIDE->INTERNET
 class type inspect CLASS-INSPECT-P2P
  drop
 class type inspect CLASS-INSPECT-HTTP
  inspect
  service-policy http POLICY-HTTP
 class type inspect CLASS-INSPECT
  inspect
 class class-default
  drop
!
policy-map type access-control POLICY-FILTER
 class CLASS-ACCESS-TORRENT-DHT-OUTGOING
  log
  drop all
policy-map type access-control POLICY-STACK
 class CLASS-STACK-IP-UDP
  service-policy POLICY-FILTER
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
 service-policy type access-control output POLICY-STACK
!
zone-pair security INSIDE->INTERNET source INSIDE destination INTERNET
 service-policy type inspect INSIDE->INTERNET
!
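As an added illustration that is not part of this thread or of either vendor's software, the three match conditions of the FPM class CLASS-ACCESS-TORRENT-DHT-OUTGOING and the two HTTP regexes above, written out in Python so the logic can be checked offline against a constructed KRPC get_peers query and sample HTTP fields. One caveat the comparison with the Mikrotik rule hides: FPM's "match field UDP length" tests the UDP header's length field (8-byte header plus payload), while Mikrotik's packet-size counts the whole IP packet, so the two 95-190 ranges are not byte-for-byte the same window.

```python
import re

# Conditions of CLASS-ACCESS-TORRENT-DHT-OUTGOING (Cisco FPM) from the thread above.
DHT_PREFIX = b"d1:ad2:id20:"        # start of a bencoded KRPC query: {"a": {"id": <20 bytes>, ...
DHT_UDP_LEN_RANGE = (95, 190)       # match field UDP length range 95 190
DHT_DST_PORT_RANGE = (1025, 65535)  # match field UDP dest-port range 1025 65535
UDP_HEADER_LEN = 8                  # the UDP length field covers header + payload

# Same matches as REGEX-TORRENT-ANNOUNCE (the [Ii][Nn]... classes make it case-insensitive)
# and REGEX-TORRENT-PROHIBIT-DOWNLOAD.
ANNOUNCE_RE = re.compile(r"info_hash=", re.IGNORECASE)
TORRENT_CT_RE = re.compile(r"application/x-bittorrent|\.torrent")


def is_dht_query(dst_port: int, payload: bytes) -> bool:
    """Mirror the match-all class: every condition must hold for the packet to be dropped."""
    udp_len = UDP_HEADER_LEN + len(payload)
    lo, hi = DHT_UDP_LEN_RANGE
    plo, phi = DHT_DST_PORT_RANGE
    return (lo <= udp_len <= hi
            and plo <= dst_port <= phi
            and payload.startswith(DHT_PREFIX))


def is_tracker_announce(method: str, query_args: str) -> bool:
    """CLASS-HTTP-TORRENT-ANNOUNCE: GET request whose arguments carry info_hash=."""
    return method.upper() == "GET" and ANNOUNCE_RE.search(query_args) is not None


def is_torrent_download(content_type: str) -> bool:
    """CLASS-HTTP-TORRENT-PROHIBIT-DOWNLOAD: response Content-Type header check."""
    return TORRENT_CT_RE.search(content_type) is not None


def build_get_peers(node_id: bytes, info_hash: bytes) -> bytes:
    """Constructed sample (not captured traffic): a minimal KRPC get_peers query, 95 bytes."""
    assert len(node_id) == 20 and len(info_hash) == 20
    return (b"d1:ad2:id20:" + node_id + b"9:info_hash20:" + info_hash
            + b"e1:q9:get_peers1:t2:aa1:y1:qe")


if __name__ == "__main__":
    q = build_get_peers(b"N" * 20, b"H" * 20)
    print(is_dht_query(6881, q))   # matched: size and port in range, prefix present
    print(is_dht_query(53, q))     # not matched: destination port below 1025
    # A bare KRPC ping is only 56 bytes of payload, so the size range lets it through.
    ping = b"d1:ad2:id20:" + b"N" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
    print(is_dht_query(6881, ping))
```

Running it shows that short KRPC messages such as ping fall outside the 95-190 window, which is one reason the class catches queries that carry an info_hash rather than every DHT packet.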
