OPNsense

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • P2P Blocking and Port Blocking - Torrents
Pages: [1] 2

Author Topic: P2P Blocking and Port Blocking - Torrents  (Read 23076 times)

pr3p

  • Jr. Member
  • **
  • Posts: 70
  • Karma: 1
P2P Blocking and Port Blocking - Torrents
« on: October 12, 2016, 08:44:20 am »
Hi, I'm new to OPNsense and I've just converted our ClearOS gateway to OPNsense. Any guide on the following?


1. How to block P2P on the gateway with the firewall.
2. How to block all ports and allow certain ports only on the gateway/OPNsense (this is an alternative way to block P2P and only allow certain ports to be used).


Thanks and looking for your fast response.
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17705
  • Karma: 1618
Re: P2P Blocking and Port Blocking - Torrents
« Reply #1 on: October 14, 2016, 09:41:37 am »
Hi there,

File sharing is elusive and hard to block. This is a fact.

The following page is in German, but it has some ideas on locking down P2P by allowing only basic network usage:

http://www.heise.de/ct/hotline/Filesharing-blockieren-1436278.html

The latter part is interesting, saying that blocking file-sharing is a multi-million dollar business for commercial vendors. It's very hard to find free alternatives that are effective.


Cheers,
Franco
Logged

pr3p

  • Jr. Member
  • **
  • Posts: 70
  • Karma: 1
Re: P2P Blocking and Port Blocking - Torrents
« Reply #2 on: October 17, 2016, 05:36:55 am »
Thanks franco for this one, but I was able to block P2P with the firewall on ClearOS.

1. Firewall Incoming - The Firewall Incoming Connections page lets you open a port (or service) on your server. For instance, if you want to run your own public web server, you must open port 80 on the firewall!

2. Firewall Outgoing - block all outgoing traffic except to specified allowed destinations.
From the Firewall Blocking page, you can block certain kinds of traffic from leaving your network. You have two ways to block traffic: i) by port or ii) by IP address/domain.

Question: so is this possible on OPNsense, to block all ports and just open the services or ports needed to lock down the network?
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17705
  • Karma: 1618
Re: P2P Blocking and Port Blocking - Torrents
« Reply #3 on: October 17, 2016, 07:04:22 am »
Yes, that's what I wrote.

(1) is enabled by default for WAN.

(2) is disabled by default for LAN (it's considered a trusted zone), but you can adjust your rules accordingly. OPTn interfaces have this enabled by default.

You can import IP or Domain lists (remote or local) as aliases. You can use ports to block traffic. All you need to do is create a whitelist-style ruleset for the network you're trying to lock against P2P.

You can do URL filtering based on HTTP(S) with the Proxy.

You can do IPS filtering with your or someone else's snort/suricata rules.


Cheers,
Franco
Logged

pr3p

  • Jr. Member
  • **
  • Posts: 70
  • Karma: 1
Re: P2P Blocking and Port Blocking - Torrents
« Reply #4 on: October 18, 2016, 04:34:37 am »
@franco yes, can you post a guide or tutorial on this one? I would like to block all ports and allow port 80 and port 22 only. I am new to OPNsense and pfSense, so I'm still adjusting to the configuration and firewall rules. Thanks, and looking for your fast response.
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17705
  • Karma: 1618
Re: P2P Blocking and Port Blocking - Torrents
« Reply #5 on: October 18, 2016, 09:51:41 pm »
We don't have a specific document for your use case, but here is the alias setup that allows you to specify your whitelist ports:

https://docs.opnsense.org/manual/aliases.html

Afterwards, you can use that alias in the firewall rules (Firewall: Rules) of your target interface to only "pass" (action) these types of packets (destination port set to the alias).

If you want this on LAN, make sure to disable the default pass rules for IPv4 and IPv6.


Cheers,
Franco
Logged

pr3p

  • Jr. Member
  • **
  • Posts: 70
  • Karma: 1
Re: P2P Blocking and Port Blocking - Torrents
« Reply #6 on: October 30, 2016, 11:37:11 am »
I tried to block all ports and open the necessary services or ports I needed, but when I try to ping any URL or IP, I can't ping. I was able to browse the internet. @franco, is there any configuration or port that needs to be opened?
Logged

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: P2P Blocking and Port Blocking - Torrents
« Reply #7 on: October 30, 2016, 11:52:51 am »
You need to pass ICMP type echo request for sending a ping. Note that you will need two rules for that: one with ICMP + IPv4 and one with ICMPv6 + IPv6.
Logged
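For readers who want to see what the whitelist-style ruleset franco describes in reply #5 and the two ICMP rules fabian mentions in reply #7 amount to, here is the same policy written out in pf syntax (the packet filter OPNsense runs underneath the GUI). This is an added illustration, not configuration from the thread or from the OPNsense project: the interface name, the LAN prefixes and the port list are assumed, and in practice you would build these as alias plus rules in Firewall: Rules rather than editing pf.conf by hand.

```pf
# Added example (not from the thread): whitelist-style LAN ruleset in pf.conf syntax.
# Assumed values: LAN interface em1, LAN prefixes 192.168.1.0/24 and fd00:1::/64,
# and the "port 80 and port 22 only" list pr3p asked for.
lan_if            = "em1"
lan_v4            = "192.168.1.0/24"
lan_v6            = "fd00:1::/64"
allowed_tcp_ports = "{ 22, 80 }"

# Default deny. Everything entering the firewall from the LAN is dropped (and
# logged) unless a later pass rule matches. This only takes effect once the
# default "allow LAN to any" rules for IPv4 and IPv6 are disabled in the GUI.
block in log on $lan_if all

# Only the whitelisted TCP destination ports may leave the LAN.
# flags S/SA: create state on the initial SYN only; keep state lets replies back.
pass in quick on $lan_if inet  proto tcp from $lan_v4 to any port $allowed_tcp_ports flags S/SA keep state
pass in quick on $lan_if inet6 proto tcp from $lan_v6 to any port $allowed_tcp_ports flags S/SA keep state

# Ping needs its own rules, one per address family: ICMP echo request on IPv4
# and ICMPv6 echo request on IPv6. Without these, "block all" silently breaks
# ping while web browsing on port 80 still works, which is what reply #6 saw.
pass in quick on $lan_if inet  proto icmp      from $lan_v4 to any icmp-type  echoreq keep state
pass in quick on $lan_if inet6 proto ipv6-icmp from $lan_v6 to any icmp6-type echoreq keep state
```

Two caveats to keep in mind with a ruleset this tight. Name resolution is not covered: DNS (UDP/TCP 53, to the firewall's own resolver or an upstream one) needs its own pass rule, which is deliberately left out here to match the "22 and 80 only" request. And, as Zeitkind points out later in the thread, a port whitelist only stops clients that use non-standard ports; anything that can speak on 80 or 443 still gets through.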

pr3p

  • Jr. Member
  • **
  • Posts: 70
  • Karma: 1
Re: P2P Blocking and Port Blocking - Torrents
« Reply #8 on: October 31, 2016, 04:14:41 am »
Thanks, and how? I'm just new to OPNsense. On the firewall rule, which service? It seems I don't see any list of choices for ICMP.
Logged

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: P2P Blocking and Port Blocking - Torrents
« Reply #9 on: October 31, 2016, 09:30:33 am »
ICMP is in the same select box as TCP/UDP (at the top of the firewall rule edit page).
Logged

Zeitkind

  • Full Member
  • ***
  • Posts: 180
  • Karma: 27
Re: P2P Blocking and Port Blocking - Torrents
« Reply #10 on: October 31, 2016, 05:32:24 pm »
Quote from: pr3p on October 17, 2016, 05:36:55 am
Thanks franco for this one, but I was able to block P2P with the firewall on ClearOS.

No, you only thought you had. Any recent and decent P2P client will use e.g. port 80 or 443 for communication and use TLS to hinder detection. So even deep packet inspection might fail because of the encryption and masquerading of the data packets.
With the right client, you can tunnel anything via port 80 or 443 (or 110, 465, ...). Whether it's Skype, TeamViewer or OpenVPN, you can tunnel through anything as long as their targets are reachable. It's an illusion to stop decent P2P clients as long as "normal web access" is granted.
Logged

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: P2P Blocking and Port Blocking - Torrents
« Reply #11 on: October 31, 2016, 09:13:38 pm »
Quote
With the right client, you can tunnel anything via port 80 or 443 (or 110, 465, ...). Whether it's Skype, TeamViewer or OpenVPN, you can tunnel through anything as long as their targets are reachable. It's an illusion to stop decent P2P clients as long as "normal web access" is granted.

Web traffic can be filtered by an ICAP service which detects this traffic, but it may be hard to create suitable signatures.
Other protocols may not be allowed to any destination (for example, mail is only allowed to the mail server of your company).
Logged

Zeitkind

  • Full Member
  • ***
  • Posts: 180
  • Karma: 27
Re: P2P Blocking and Port Blocking - Torrents
« Reply #12 on: November 01, 2016, 01:54:06 am »
There are some P2P clients around which masquerade as standard web server access until TLS is active. And at this point, you either give up or force an HTTPS proxy and break security. So, yes, you might be able to stop simple P2P clients, but surely not any of those tunneling ones. Some even try to masquerade as DNS queries.
Logged

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: P2P Blocking and Port Blocking - Torrents
« Reply #13 on: November 01, 2016, 08:57:52 am »
The tunnels can be blocked as well, but that isn't possible with the built-in tools. DNS can be filtered with a proxy like RubyDNS, and echo requests (ping) can be forbidden completely (if needed, that can be done via the firewall's user interface).

But then the HTTPS proxy is mandatory as well.

Fabian
Logged

pr3p

  • Jr. Member
  • **
  • Posts: 70
  • Karma: 1
Re: P2P Blocking and Port Blocking - Torrents
« Reply #14 on: November 01, 2016, 09:30:24 am »
Quote from: pr3p on October 31, 2016, 04:14:41 am
Thanks, and how? I'm just new to OPNsense. On the firewall rule, which service? It seems I don't see any list of choices for ICMP.


OK, I got it. Thanks Fabian :)
Logged

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved