P2P Blocking How-to with opnsense?

[sangour]

If anyone can help to block P2P with opnsense !! 

[chemlud]

Snort can detect and block P2P afaik, so Suricata should be able, too...

[sangour]

thinks but you have a tuto for this 

[bartjsmit]

Go through the general IPS tutorial https://docs.opnsense.org/manual/how-tos/ips.html and add 'ET open/emerging-p2p'

Bart...

[Ciprian]

Enabling P2P filtering on suricata, ”ET open/emerging-p2p” is of no use for cases when the .torrent file is already downloaded in the P2P client. When I started uTorrent with a .torrent file already downloaded, the download of the files from peers worked like charm.

For P2P (and other categories) sites filtering I use OpenDNS (now owned by CISCO) and it works effectively. The only downside is that, using free OpenDNS, there is no possibility to except some categories/ individual domains only for some internal users/ IPs. It's an ”block something for EVERYONE” solution.

As an workaround, either you use multiple gateways/ internet providers (public IPs) and set different categories of filtering on each public IP then direct different segments of your internal LAN through those different filtered GW, or pay for the corporate OpenDNS solution, CISCO Umbrella.

But, I repeat myself, there is no way to limit the access to the effective download of files using torrent clients once the effective .torrent file is already downloaded and loaded in the torrent client itself. The combination of OPNsense + IDPS (suricata) with everithing concerning P2P (ET or others) loaded and enabled with action ”block” + OpenDNS web based filtering is of no use. At least, I was not able to stop P2P download of files, I only managed to restrict web access to P2P sites, enough only if there is no .torrent file already in the client (downloaded from home, or copied offline from an external storage (USB stick/ HDD) etc.)!

[pr3p]

I used Intrusion Detection with suricata i downloaded and update rules and block or drop p2p, and with web proxy also i enabled ACL and Blacklist destination domains.You may use a regular expression like http://prntscr.com/fap8d0

and it works like a charm,

[Ciprian]

Hello again!
I have done some further testing, so I'm back with findings, in reply to what you said:

I used Intrusion Detection with suricata i downloaded and update rules and block or drop p2p

YES! More than OK!... I did manage P2P rules to work, and they really work: even with a .torrent file already loaded in client, and even with peers found/ download in progress, when I enable IPS peers are disconnected, tracker gets offline, and download stops completely.

The only thing I missed last time was that I have to enable IPS on LAN interface, not (only) WAN!!! (!)

with web proxy also i enabled ACL and Blacklist destination domains.You may use a regular expression like http://prntscr.com/fap8d0

I don't use proxy at all with OPNsense, is completely disabled. More than this, blocking P2P/ torrent websites is not mandatory for me any more, since even if .torrent files are able to get inside LAN/ downloaded and loaded on clients, it's completely futile for the bandwidth hogs to keep torrent software open.

and it works like a charm,

Now I have another problem (not P2P/ torrent related): When I activate IPS on LAN interface, I have problems with specific traffic from LAN interface to other LAN interfaces (I keep servers on a different LAN segment): RDP connection process is sluggish, intermittently successful, also backup data transfer with Veeam is intermittent, with long complete stops and short low speed effective data transfer. But this is another problem, so I'm not going to expand this off-topic idea. Only that because of this data transfer problems for different purposes I am not able to activate IPS on OPNsense for LAN(s).