
complete blocking of p2p

Discussion in 'Tomato Firmware' started by bigjohnny, Jun 20, 2007.

  1. bigjohnny

    bigjohnny LI Guru Member

    Hey guys,
    just bought a WRT54GL and flashed it to Tomato. This forum was a great help so far.

    Anyway, I want to know what the best setup to block all possible p2p programs would be.

    so far I did an access restriction for:

    All IP2P Filters

    and a keyword filter for: torrent and announce
    I also disabled UPnP (is that even necessary?)

    But I just checked that I could still download torrents (quite slow though).
    Is there any way to completely block them (and other p2p-traffic)?

    Or as a last resort would it be possible to block all ports and just make exceptions for every single port that I need (like dns, http, etc)? If so, what would be the best/most efficient way to do it? I guess that would take care of all p2p (and everything else that's not explicitly allowed).

    Thanks for your help.
  2. GeeTek

    GeeTek Guest

    Whitelists and a service blocker that can recognize traffic by the same methods QoS recognizes it are 2 popularly requested Tomato features.
  3. mikester

    mikester Network Guru Member

    Under access restriction create a rule with keyword blocking - add the words announce, tracker, torrent.

    There's a thread I posted earlier about blocking spam - follow those instructions on setting up the keyword block. Your list should contain 3 words: announce, tracker, torrent.

    If you use the complete list in that posting it will block a lot of spam for you.
  4. larsrya8

    larsrya8 LI Guru Member

    Won't that block any legitimate sites that use one of those three words in the address? Like... researching the Chevrolet Tracker? Or a Google search with any of those words?
  5. roadkill

    roadkill Super Moderator Staff Member Member

    It will block anything with those words, so I guess it will...
  6. Toxic

    Toxic Administrator Staff Member

    Easiest way is to block all and allow only the critical apps you need.
  7. azeari

    azeari LI Guru Member

    Well.. one thing of note is Layer 7 filters aren't especially good at filtering out p2p traffic, so your best option is probably blocking all ports.

    Here you'll probably want to allow a few standard protocols
    21 : ftp
    53 : dns
    80 : http
    443 : https

    and a few nonstandard protocols (this is optional)
    22 : ssh
    23 : telnet
    25 : smtp (Simple Mail Transfer Protocol)
    110 : pop3
    1080 : socks
    8080 : common http proxies

    Assuming blocking all except the standard protocols, your rule should block
    You might need to split it up though, because I think it's too long to fit into 1 entry (=
  8. roadkill

    roadkill Super Moderator Staff Member Member

    Oh yeah, and I think the UPnP daemon will bypass this, so you need to turn it off.
  9. bigjohnny

    bigjohnny LI Guru Member

    Thanks for the replies so far.

    Yeah, whitelists would be a great thing to have.
    I think I will stick to roadkill's script. But can you guys tell me where I should put the script? I guess somewhere in Administration->Scripts, but where exactly?

    And how would I change the following line, so that it blocks only 2 IPs (for example and
    clientstargeted = ""
    Is there a scripting guide available for beginners like me?
  10. Toxic

    Toxic Administrator Staff Member

  11. mikester

    mikester Network Guru Member

    Hi Roadkill, won't your script just block pretty much everything? i.e. https, messenger etc. won't work if you block all those port ranges

    Port blocking won't always work - some torrent programs use random/changing ports.

    Most torrents use packet headers containing the words "announce", "tracker", "torrent" which is why this method works well - at least here!
  12. roadkill

    roadkill Super Moderator Staff Member Member

    Hi Mikester,
    HTTPS is left open, and Messenger will connect on port 80 if it recognizes that it has no connectivity.
    Everything is blocked except certain ports. I simply implemented the idea specified in azeari's post in iptables instead of configuring it via Access Restrictions.
    bigjohnny: you should put it in Administration->Scripts->Firewall
    There should be a smarter way to specify target IP groups, but I suck at iptables.
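    The allow-list approach from azeari's post (7), implemented in iptables the way roadkill's post (12) describes and limited to two LAN hosts as bigjohnny asks in post 9, as an added example. This is not roadkill's script and not Tomato's own code. It assumes the LAN bridge is br0, that the router's iptables has the state match, and that it is pasted into Administration->Scripts->Firewall, which runs after Tomato has built its own chains; the two client addresses are constructed sample values. Running it with IPT=echo prints the rules instead of applying them, so it can be previewed on any POSIX shell.

```shell
#!/bin/sh
# Constructed example, not from the thread: a Tomato "Firewall" script that applies
# azeari's allow-list idea in iptables, restricted to two LAN hosts.
# Assumptions: LAN bridge is br0 (Tomato's default), iptables has the state match,
# and the script runs from Administration -> Scripts -> Firewall after Tomato has
# built its own chains. Run with IPT=echo to preview the rules on any POSIX shell.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
CHAIN="p2pblock"

# Constructed sample addresses of the hosts to restrict.
CLIENTS="192.168.1.50 192.168.1.51"

# azeari's standard list: ftp, dns, http, https (DNS lookups also need UDP 53).
TCP_PORTS="21 53 80 443"
UDP_PORTS="53"

# Allow-list rules for one host, followed by a catch-all DROP for that host.
# RETURN hands allowed packets back to Tomato's own FORWARD rules instead of
# accepting them outright, so the rest of the firewall still applies to them.
restrict_client() {
    ip="$1"
    for p in $TCP_PORTS; do
        $IPT -A "$CHAIN" -s "$ip" -p tcp --dport "$p" -j RETURN
    done
    for p in $UDP_PORTS; do
        $IPT -A "$CHAIN" -s "$ip" -p udp --dport "$p" -j RETURN
    done
    # Any other new connection from this host is dropped, whatever port the
    # P2P program picked; this is the guarantee a port-by-port block cannot give.
    $IPT -A "$CHAIN" -s "$ip" -j DROP
}

apply_all() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    # Replies to connections that were already allowed pass unconditionally.
    $IPT -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j RETURN
    for c in $CLIENTS; do
        restrict_client "$c"
    done
    # Hook the chain in front of Tomato's FORWARD rules (remove a stale hook first).
    $IPT -D FORWARD -i "$LAN_IF" -j "$CHAIN" 2>/dev/null || true
    $IPT -I FORWARD -i "$LAN_IF" -j "$CHAIN"
}

# Number of rules generated for one host; a sanity check before applying.
count_rules() {
    ( IPT=echo; restrict_client "$1" ) | wc -l | tr -d ' '
}

# Usage: sh p2pblock.sh apply   (or IPT=echo sh p2pblock.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Two things to keep in mind when using this: LAN hosts that use the router itself as their DNS server talk to the INPUT chain, not FORWARD, so they are unaffected by the rules either way; and the DROP at the end of each host's rules is what makes the approach hold up against torrent clients on random ports, which is the weakness mikester points out for port blocking. Hosts not listed in CLIENTS fall through to Tomato's normal rules untouched.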
  13. bigjohnny

    bigjohnny LI Guru Member

    It's me again.
    Is there any way to erase the logs from the QoS->View Details section?
  14. GeeTek

    GeeTek Guest

    Those are not logs. That is live traffic.
