For people using MikroTik gear in HSMM networks like HAMNET etc.: I'm currently testing these rules to block all P2P, and more specifically BitTorrent:
/ip firewall layer7-protocol
add name=p2p_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$"
add name=ssl regexp="^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)"
add name=bittorrent2 regexp="^(\x13bittorrent protocol)"
add name=directconnect regexp="^(\$mynick |\$lock |\$key )"
add name=p2p_www regexp="^.*(get|GET).+\\r\\n(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"

/ip firewall mangle
add action=jump chain=prerouting comment="all p2p" jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting comment="l7: directconnect" jump-target=p2p-service layer7-protocol=directconnect
add action=jump chain=prerouting comment="encrypted (ssl) on other than https port" connection-state=new dst-port=!443 jump-target=p2p-service layer7-protocol=ssl protocol=tcp
add action=jump chain=prerouting comment="l7: bittorrent2" jump-target=p2p-service layer7-protocol=bittorrent2
add action=jump chain=prerouting comment="bittorrent: announce_peers" content=announce_peers jump-target=p2p-service
add action=jump chain=prerouting comment="bittorrent: info_hash" content=info_hash jump-target=p2p-service
add action=jump chain=prerouting comment="bittorrent: getpeers" content=getpeers jump-target=p2p-service
add action=jump chain=prerouting comment="bittorrent: torrent" content=torrent jump-target=p2p-service
add action=jump chain=prerouting comment="bittorrent: tracker" content=tracker jump-target=p2p-service
add action=jump chain=prerouting comment="dns: block torrentsite resolving" dst-port=53 jump-target=p2p-service layer7-protocol=p2p_dns protocol=udp
add action=jump chain=prerouting comment="http: block torrentsite GET" dst-port=80 jump-target=p2p-service layer7-protocol=p2p_www protocol=tcp
add action=jump chain=prerouting comment="download of .torrent files" content="\r\nContent-Type: application/x-bittorrent" jump-target=p2p-service protocol=tcp src-port=80
add action=jump chain=prerouting comment="DHT magnet links" content=d1:ad2:id20: dst-port=1025-65535 jump-target=p2p-service packet-size=95-190 protocol=tcp
add action=mark-connection chain=p2p-service comment="mark all of the above p2p rules for the firewall" new-connection-mark=p2p passthrough=no

/ip firewall filter
add action=drop chain=forward comment="drop p2p marked packets" connection-mark=p2p
WARNING: This is mostly layer 7 packet inspection and will put a lot of load on your CPU depending on the bandwidth. Currently running this on a CCR16 with 10 Mbit load and 1% CPU usage. To compare, on an RB1200 this would push the CPU to 100%.
Also note this will effectively block all traffic containing the word "torrent" and "tracker" and so on, and might not be what you want (e.g. in a chat session or email). And of course this does not distinguish between legal p2p (like downloading Debian via torrents) and illegal p2p (like the example from Brian).
Why block this at all? On our HSMM network in Belgium several ham clubs have a 5 GHz link to the HSMM and DHCP running on indoor secured WiFi APs. People bring their own laptops and sometimes one of them has a BitTorrent client running minimized (in the system tray) on it, but forgets to disable it before connecting. Of course the BitTorrent client does what it is designed to do and starts to transfer data.
We have our own connection to the internet for 44.144 and experiment with using them as public IPs on the internet, so no outbound traffic passes through UCSD, and inbound traffic should not pass through UCSD since our announcement is more specific than 44/8.
We also use a traffic shaper to cap all 44.144 internet traffic to 1 Mbit up & down per user, since it is not meant to be used as a replacement for commercial internet.
We are currently also thinking of putting up a portal page where they are warned to disable all p2p clients and such, with an "I Agree" button, and maybe even a form where people should enter their callsign; however, this is easily "spoofed".
More firewall rules, additions or adjustments are always welcome.
73s Robbie ON4SAX
On Tue, Nov 26, 2013 at 10:35 PM, Brian Rogers n1uro@n1uro.ampr.org wrote:
Greetings;
On Tue, 2013-11-26 at 12:55 -0800, Brian Kantor spake:
[snip]
Date: Tue, 26 Nov 2013 20:19:33 +0000
From: IP-Echelon Compliance <notices.warner@ip-echelon.com>
To: bk29@ucsd.edu
Subject: Notice of Claimed Infringement - Case ID 1335xxxxx
Type: BitTorrent
Actually this shows a very possible 2-fold issue:
1. Use of Torrent = need for IP Security 101 class again.
2. Routing issue may be occurring by the end 44-net user. A properly configured 44-net system hitting a commercial IP should source as their commercial IP, not their 44-net IP. Not only does that keep traffic at UCSD down but most likely would improve the speed at the user's end as well.
There is a third issue but that's too obvious and I don't need to point that out. :)
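As an added check on the rules posted above (this is example code written for this page, not Robbie's or MikroTik's code), the layer7 regexes and content= matchers are re-implemented in Python and run over a handful of constructed sample payloads, so you can see what each rule catches before putting it on a router. Assumptions: MikroTik layer7 follows l7-filter semantics (case-insensitive matching, `.` also matches a newline, and the pattern is applied to the collected data of both directions of a connection), approximated here by `re.IGNORECASE | re.DOTALL` over a single byte buffer; only the protocol and dst-port conditions of the posted mangle rules are modelled (the `p2p=all-p2p` matcher, the `src-port=80` rule and the `packet-size` condition are left out); the site list is shortened to a few names from the original. The samples show the false positive Robbie warns about (an email mentioning "torrent" and "tracker" hits the content rules), that the `ssl` rule fires on any TLS handshake to a port other than 443, and that the `p2p_www` pattern as posted needs the site name to follow a CRLF directly, so an ordinary request carrying it only in a `Host:` header does not match.

```python
import re

# Added example, not code from the original post. Re-implements the posted MikroTik
# layer7 regexes and content= matchers and runs them over constructed payloads.
# Assumption: l7-filter semantics (case-insensitive, '.' matches newline, both
# directions of the connection collected into one buffer).

# Shortened site list from the posted p2p_dns / p2p_www patterns (assumption: subset)
SITES = rb"(torrent|thepiratebay|isohunt|demonoid|mininova|torrentz|h33t|seedpeer)"


def l7(pattern: bytes):
    """Layer7-style matcher: regex over the collected payload, case-insensitive."""
    rx = re.compile(pattern, re.IGNORECASE | re.DOTALL)
    return lambda payload: rx.search(payload) is not None


def content(needle: bytes):
    """RouterOS content= is a plain, case-sensitive substring match."""
    return lambda payload: needle in payload


# (name, protocol or None for any, dst-port predicate, payload matcher), in the
# order of the posted prerouting jump rules
RULES = [
    ("l7:directconnect", None, lambda port: True, l7(rb"^(\$mynick |\$lock |\$key )")),
    ("l7:ssl-not-443", "tcp", lambda port: port != 443,
     l7(rb"^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)")),
    ("l7:bittorrent2", None, lambda port: True, l7(rb"^(\x13bittorrent protocol)")),
    ("content:announce_peers", None, lambda port: True, content(b"announce_peers")),
    ("content:info_hash", None, lambda port: True, content(b"info_hash")),
    ("content:getpeers", None, lambda port: True, content(b"getpeers")),
    ("content:torrent", None, lambda port: True, content(b"torrent")),
    ("content:tracker", None, lambda port: True, content(b"tracker")),
    ("l7:p2p_dns", "udp", lambda port: port == 53, l7(rb"^.+" + SITES + rb".*$")),
    ("l7:p2p_www", "tcp", lambda port: port == 80,
     l7(rb"^.*(get|GET).+\r\n" + SITES + rb".*$")),
]


def classify(payload: bytes, proto: str, dst_port: int) -> list:
    """Names of the posted rules whose proto/port conditions and pattern all match."""
    return [name for name, rule_proto, port_ok, match in RULES
            if (rule_proto is None or rule_proto == proto)
            and port_ok(dst_port) and match(payload)]


# Constructed sample payloads (not captured traffic)
BT_HANDSHAKE = (b"\x13BitTorrent protocol" + bytes(8)          # pstr + reserved bytes
                + bytes(range(20)) + b"-UT3550-123456789012")   # info_hash + peer_id
TLS_STREAM = (b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"      # client hello record header
              + b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x03")    # server hello record header
EMAIL = b"Subject: the Debian torrent is up\r\n\r\nGrab it from the usual tracker.\r\n"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: thepiratebay.org\r\n\r\n"
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header, 1 question
             + b"\x07torrent\x07example\x03org\x00\x00\x01\x00\x01")  # torrent.example.org A


def demo() -> dict:
    """Run every sample through the rule set; keys describe payload, proto and port."""
    return {
        "bt handshake tcp/6881": classify(BT_HANDSHAKE, "tcp", 6881),
        "tls stream tcp/8443": classify(TLS_STREAM, "tcp", 8443),
        "tls stream tcp/443": classify(TLS_STREAM, "tcp", 443),
        "email tcp/25": classify(EMAIL, "tcp", 25),
        "http GET tcp/80": classify(HTTP_GET, "tcp", 80),
        "dns query udp/53": classify(DNS_QUERY, "udp", 53),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:24s} -> {hits or 'no match'}")
```

Run it with `python3` and it prints which rules each sample trips: the BitTorrent handshake is caught by `bittorrent2` only, the TLS exchange is caught on 8443 but not on 443, the email is caught by the `torrent` and `tracker` content rules, the HTTP request to a listed site is not caught at all, and the DNS query is caught by both the `torrent` content rule and `p2p_dns`. Adjust the sample buffers to your own traffic before trusting any of the patterns on a live link.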