Controlling P2P with PF
Odhiambo Washington
odhiambo at gmail.com
Mon Jan 19 16:07:19 UTC 2015
Hello all,
So I found this link while trying to figure out if PF can control P2P -
http://www.benhup.com/?mf=freebsd&sf=freebsd8.2-p9_04_peerblock
I tried using it, but I could still download using utorrent from my network.
Does this mean I am beating a dead horse, or do I have my filter rules in bad
order, or is there something I am missing?
My pf.conf (for FreeBSD 10.1-RELEASE):
I appreciate all advice.
### Options ###
### Macros ###
ext_if = "re1" # External network interface for IPv4
ext_if6 = "re1" # External network interface for IPv6
ext_addr = "A.B.C.D" # External IPv4 address (i.e., global)
int_if = "re0" # Internal network interface for IPv4
int_if6 = "re0" # Internal network interface for IPv6
int_addr = "192.168.2.254" # Internal IPv4 address (i.e., gateway for private network)
int_network = "192.168.2.0/24" # Internal IPv4 network
WinSvr2008 = "192.168.2.2"
### Tables ###
# Host local address
table <local> const { 127.0.0.1 }
# IPv4 private address ranges
table <private> const { 10/8, 172.16/12, 192.168/16 }
# Special-use IPv4 addresses defined in RFC3330
table <special> const { 0/8, 14/8, 24/8, 39/8, 127/8, 128.0/16,
169.254/16, 192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, 240/4 }
# Block P2P
# http://www.benhup.com/?mf=freebsd&sf=freebsd8.2-p9_04_peerblock
table <block_p2p> persist file "/etc/pf/block-p2p.pf"
# LIMITS
set limit { frags 30000, states 100000, table-entries 300000 }
### Scrub: Packet normalization ###
# Scrub for all incoming packets
scrub in all
# Randomize the ID field for all outgoing packets
scrub out all random-id
# If you have MTU problem or something like that
#scrub out all random-id max-mss 1400
### NAT ###
#RDP to WinSvr2008
rdr on $ext_if proto tcp from any to any port 3389 -> $WinSvr2008
# Redirect direct/local web traffic to local web server.
rdr on $int_if proto tcp from 192.168.2.254/32 to 192.168.2.254/32 port 80 -> 192.168.2.254 port 80
rdr on $int_if proto tcp from 192.168.2.254/32 to 192.168.2.254/32 port 443 -> 192.168.2.254 port 443
# Squid Transparent Proxy
# refer http://www.benzedrine.cx/tranint_addr.html
rdr on $int_if proto tcp from $int_network to any port 80 -> $int_addr port 13128
#rdr on $int_if proto tcp from $int_network to any port 443 -> $int_addr port 13129
# SMTP redirection
rdr on $int_if proto tcp from $int_network to any port 25 -> $int_addr port 587
rdr on $int_if proto tcp from $int_network to any port 110 -> $int_addr port 110
# Let all other stuff go out
nat on $ext_if from $int_network to ! <private> -> $ext_addr
### Filters ###
# P2P Blocking
block log quick from any to <block_p2p> label "Attempted p2p-sniffer traffic"
# Permit keep-state packets for UDP and TCP on external interfaces
pass out quick on $ext_if proto udp all keep state
pass out quick on $ext_if6 proto udp all keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if6 proto tcp all modulate state flags S/SA
# Permit any packets from internal network to this host
pass in quick on $int_if inet from $int_network to $int_addr
# Permit established sessions from internal network to any (incl. the Internet)
pass in quick on $int_if inet from $int_network to any keep state
# If you want to limit the number of sessions per NAT, nodes per NAT (simultaneously), and sessions per source IP,
# please refer to <http://www.openbsd.org/faq/pf/filter.html> for more detailed information
#pass in quick on $int_if inet from $int_network to any keep state (max 30000, source-track rule, max-src-nodes 100, max-src-states 500 )
# Permit and log all packets from clients in private network through NAT
pass in quick log on $int_if all
# Pass any other packets
pass in all
pass out all
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
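Added example, not part of the post and not the poster's configuration: a small Python model of how pf chooses the winning filter rule (rules are evaluated top to bottom, the last matching rule wins, and a matching rule marked `quick` ends evaluation immediately). It is loaded with the filter section of the pf.conf above in the posted order and, for comparison, with the `block quick ... to <block_p2p>` rule moved below the `pass in quick ... to any keep state` rule. Everything in it is constructed: the `<block_p2p>` prefixes (the real file lives on the poster's gateway and is not on the page), the client and peer addresses (RFC 5737 test ranges), and the rule labels. Protocols, state tracking and NAT are deliberately left out; the point it shows is that a destination-IP table can only stop flows to peers that are actually listed, and that a `quick` pass placed above the block makes the block unreachable.

```python
"""Toy model of pf filter-rule selection (constructed example, not pf itself).

Semantics reproduced: evaluate rules in order, remember the last match,
stop early at a matching `quick` rule. The implicit default is pass.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Stand-ins for the post's macros.
INT_NETWORK = ipaddress.ip_network("192.168.2.0/24")
INT_ADDR_NET = ipaddress.ip_network("192.168.2.254/32")

# Constructed stand-in for /etc/pf/block-p2p.pf (RFC 5737 test prefixes).
TABLES = {
    "block_p2p": [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.7/32")],
}


@dataclass
class Packet:
    iface: str
    direction: str      # "in" or "out"
    src: str
    dst: str


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # None matches any interface
    src: Optional[object] = None      # ip_network, or None for "any"
    dst: Optional[object] = None      # ip_network, "<table>", or None for "any"
    quick: bool = False
    label: str = ""


def _addr_matches(spec, addr) -> bool:
    """True when `addr` is covered by `spec` (a network, a <table>, or any)."""
    if spec is None:
        return True
    if isinstance(spec, str) and spec.startswith("<"):
        return any(addr in net for net in TABLES[spec.strip("<>")])
    return addr in spec


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and _addr_matches(rule.src, ipaddress.ip_address(pkt.src))
            and _addr_matches(rule.dst, ipaddress.ip_address(pkt.dst)))


def evaluate(rules, pkt: Packet) -> Rule:
    """Last matching rule wins unless a matching rule is `quick`."""
    winner = Rule("pass", label="implicit default pass")
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def verdict(rules, pkt: Packet):
    """(action, label) of the rule that decides the packet."""
    r = evaluate(rules, pkt)
    return r.action, r.label


# Filter section of the posted pf.conf, in the posted order (proto/state omitted).
BLOCK_P2P = Rule("block", dst="<block_p2p>", quick=True,
                 label="Attempted p2p-sniffer traffic")
PASS_OUT_EXT = Rule("pass", "out", "re1", quick=True, label="pass out quick on ext_if")
PASS_TO_GW = Rule("pass", "in", "re0", src=INT_NETWORK, dst=INT_ADDR_NET, quick=True,
                  label="int_network -> gateway")
PASS_TO_ANY = Rule("pass", "in", "re0", src=INT_NETWORK, quick=True,
                   label="int_network -> any keep state")
PASS_IN_LOG = Rule("pass", "in", "re0", quick=True, label="pass in quick log on int_if all")
PASS_IN_ALL = Rule("pass", "in", label="pass in all")
PASS_OUT_ALL = Rule("pass", "out", label="pass out all")


def posted_order():
    return [BLOCK_P2P, PASS_OUT_EXT, PASS_TO_GW, PASS_TO_ANY,
            PASS_IN_LOG, PASS_IN_ALL, PASS_OUT_ALL]


def block_after_pass():
    """Same rules, but the block sits below the quick pass for the LAN."""
    return [PASS_OUT_EXT, PASS_TO_GW, PASS_TO_ANY, BLOCK_P2P,
            PASS_IN_LOG, PASS_IN_ALL, PASS_OUT_ALL]


if __name__ == "__main__":
    listed = Packet("re0", "in", "192.168.2.10", "203.0.113.5")     # peer in table
    unlisted = Packet("re0", "in", "192.168.2.10", "198.51.100.8")  # peer not in table
    for name, rules in (("posted order", posted_order()),
                        ("block after pass", block_after_pass())):
        print(name, "listed peer:", verdict(rules, listed))
        print(name, "unlisted peer:", verdict(rules, unlisted))
```

Running it shows that, in the posted order, the `block quick` rule does fire for a destination that is in the table, while any peer the table does not cover is passed by the `int_network -> any keep state` rule; in the alternative order the block is never consulted for LAN traffic at all, because the earlier `quick` pass ends evaluation. `pfctl -vvsr` on the gateway prints the loaded rules with per-rule evaluation and match counters, which is the quickest way to confirm which of these two situations a live ruleset is in.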