Our customers ask for P2P blocking on their network infrastructure. A typical
question is whether pfSense can block P2P traffic, and whether it can do L7 filtering. The advantage of pfSense is that it can achieve P2P filtering in three ways:
- Block all ports other than the ports required for browsing, such as DNS, HTTP and HTTPS, using firewall rules.
- Limit P2P traffic to the lowest speed with the bandwidth limiter option of the traffic shaper.
- Use an IDS/IPS such as Snort or Suricata to detect and block P2P traffic.
The third option is the most foolproof, and this article is about that option: blocking P2P traffic on the network with Snort running as an IPS.
This assumes that you already have a working pfSense installation. Below are the steps
to be followed. Install the Snort package from the package manager as follows:
After this one-click installation, a Snort sub-menu appears under Services.
Now we need to get the Oinkcode for downloading the Snort signatures (rule sets).
The Oinkcode is nothing but an API key for rule-set access. To get one, register an account at http://www.snort.org. You can find your Oinkcode in your account profile as shown below:
Enter the Oinkcode in the Global Settings as shown below.
With the free subscription, you should be able to enable both the Snort GPLv2
rules and the Emerging Threats Open rules (ET Open). ET Pro requires a
paid subscription. Below is a screenshot for reference.
After this step, update the rule set from the Updates menu. The update may take
a little time. After the update, the rules list should look similar to the one below.
The next task is to enable Snort on the required interfaces. I prefer to select
both the WAN and LAN interfaces for better coverage. Make sure to select 'Block Offenders' and 'Kill States' so that the P2P peer IPs are blocked.
You may also select both source and destination (BOTH) IPs for blocking. Make sure that a proper pass-list is in place before enabling this: addresses on your pass-list are exempted from the rule sets. After this, we need to enable the categories on each enabled interface. By default 'Resolve Flowbits' is selected; keep it as it is. Uncheck 'Use IPS Policy' if you only care about blocking P2P traffic, as that option enables other default rule sets that may not be required. Also, if you select 'Use IPS Policy', you will not be able to manually select rule sets from 'Snort Text Rules' and 'Snort SO Rules'.
Select the relevant P2P categories from all the Snort rule sets.
I didn't find any rules under 'Snort p2p rules' in the 'Snort Text Rules' category,
so I didn't select that one. After saving the Categories section, you get
granular control over each category under the interface's Rules menu. For WAN it
is 'WAN Rules', as shown below. You get more customization options under the 'Emerging
p2p rules' set. You may have to make custom selections based on your requirements.
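To make the rule selection above concrete, here is an added example (not code from the article, the pfSense Snort package or the ET Open rule set) of what a P2P signature actually matches on. The two detectors are written from the well-known BitTorrent wire format; the rule text in the comments is written as local rules (SIDs 1000001 and 1000002 are in the local-rule range) rather than copied from any ET Open rule, and the sample payloads, flows and addresses are constructed. The tracker announce deliberately travels over port 80, which is why the first of the three options at the top of the article, allowing only browsing ports, does not catch it on its own.

```python
import re

# Peer-wire handshake: pstrlen (0x13) + "BitTorrent protocol" (19 bytes)
# + 8 reserved bytes + 20-byte info_hash + 20-byte peer_id = 68 bytes.
# Equivalent local rule (constructed, SID in the local range):
#   alert tcp any any -> any any (msg:"CUSTOM P2P BitTorrent peer handshake";
#     flow:established; content:"|13|BitTorrent protocol"; depth:20;
#     classtype:policy-violation; sid:1000001; rev:1;)
# depth:20 with a 20-byte content pins the match to the start of the payload.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"


def is_bittorrent_handshake(payload: bytes) -> bool:
    """Mirror content:"|13|BitTorrent protocol"; depth:20."""
    return payload.startswith(BT_HANDSHAKE_PREFIX)


# HTTP tracker announce: GET /announce?info_hash=<url-encoded 20 bytes>&peer_id=...
# It rides on a normal browsing port (80 or 443), so only the URI gives it away.
# Equivalent local rule (constructed):
#   alert tcp any any -> any any (msg:"CUSTOM P2P BitTorrent tracker announce";
#     flow:to_server,established; content:"GET "; depth:4;
#     content:"info_hash="; http_uri; classtype:policy-violation; sid:1000002; rev:1;)
TRACKER_ANNOUNCE = re.compile(rb"^GET /[^ \r\n]*[?&]info_hash=[^ &\r\n]+")


def is_tracker_announce(payload: bytes) -> bool:
    return TRACKER_ANNOUNCE.match(payload) is not None


SIGNATURES = [
    ("bittorrent-handshake", is_bittorrent_handshake),
    ("bittorrent-tracker-announce", is_tracker_announce),
]


def classify(payload: bytes) -> list:
    """Names of every signature the first packet of a flow triggers."""
    return [name for name, check in SIGNATURES if check(payload)]


def p2p_talkers(flows) -> set:
    """Source addresses that triggered at least one signature: with
    'Block Offenders' enabled these are the hosts Snort would block."""
    return {src for src, _dst, payload in flows if classify(payload)}


# Constructed sample payloads (not captured traffic).
HANDSHAKE = (BT_HANDSHAKE_PREFIX + bytes(8)          # reserved bits
             + bytes(range(20))                       # fake info_hash
             + b"-DE2030-" + bytes(12))               # fake peer_id
ANNOUNCE = (b"GET /announce?info_hash=%00%01%02&peer_id=-DE2030-abcdefghijkl"
            b"&port=51413 HTTP/1.1\r\nHost: tracker.example\r\n\r\n")
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Constructed flows: (source IP, destination IP, first payload bytes).
FLOWS = [
    ("192.168.1.50", "203.0.113.7", HANDSHAKE),      # peer on port 6881
    ("192.168.1.50", "198.51.100.20", ANNOUNCE),     # tracker on port 80
    ("192.168.1.60", "203.0.113.50", TLS_HELLO),     # ordinary HTTPS, no alert
    ("192.168.1.61", "203.0.113.51", PLAIN_HTTP),    # ordinary HTTP, no alert
]

if __name__ == "__main__":
    for src, dst, payload in FLOWS:
        print(f"{src} -> {dst}: {classify(payload) or 'clean'}")
    print("offenders:", sorted(p2p_talkers(FLOWS)))
```

Only the first packet of each flow is inspected here, which is also what the `depth` and `flow:to_server` keywords in the comments restrict the real rules to; a signature that had to scan every byte of every packet would be far more expensive on the firewall.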
Applying the changes reloads the rules into memory with your changes. Make
the same changes on all the required interfaces. I kept the other parameters
at their defaults. At this point, if everything is fine, you will start getting alerts under the Alerts menu. The Alerts page is the right place to check the status of your Snort setup. Start any P2P client on a LAN computer and watch the Alerts page; you will get alerts similar to these:
Since we configured Snort to block the IPs from P2P connections, by this time we should
have blocked IPs on the Blocked page, as shown below.
Any false positive can be removed from the above IP list by clicking the ('x')
remove option. While testing with a torrent client (Deluge), we should get
Watch your blocked IP entries grow; as the list
grows, Snort becomes more and more effective at blocking P2P traffic.
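As an added example (not code from the article or from the pfSense Snort package), here is how the alerts above turn into the Blocked page and why the pass-list matters before BOTH is switched on. It parses Snort's fast alert format, blocks the SRC, DST or BOTH side of each alert, skips pass-listed addresses, and removes a false positive the way the 'x' on the Blocked page does. The alert lines, rule messages, SIDs and addresses are constructed, and the pass-list contents are an assumption made for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One alert per line in Snort's "fast" alert format.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line: str):
    """Return the alert's fields as a dict, or None for a non-alert line."""
    m = FAST_ALERT.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def build_block_list(lines, passlist, mode="both") -> Counter:
    """Count alerts per address that would end up on the Blocked page.

    mode selects which side of each alert is blocked, like the SRC / DST /
    BOTH setting.  Addresses (or networks) on the pass-list are never
    blocked, which is why the LAN subnet, gateways and DNS servers belong
    on it before BOTH is enabled: otherwise the first alert blocks your own
    LAN client as well as the remote peer."""
    nets = [ip_network(entry, strict=False) for entry in passlist]

    def passlisted(ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in nets)

    sides = {"src": ("src",), "dst": ("dst",), "both": ("src", "dst")}[mode]
    blocked = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        for side in sides:
            ip = alert[side]
            if not passlisted(ip):
                blocked[ip] += 1
    return blocked


def remove_false_positive(blocked: Counter, ip: str) -> Counter:
    """The 'x' on the Blocked page: drop one address from the list."""
    blocked.pop(ip, None)
    return blocked


# Constructed alert lines; messages and SIDs are local-range placeholders.
SAMPLE_ALERTS = """\
03/02-14:21:07.103442  [**] [1:1000001:1] CUSTOM P2P BitTorrent peer handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.50:51413 -> 203.0.113.7:6881
03/02-14:21:08.221901  [**] [1:1000002:1] CUSTOM P2P BitTorrent tracker announce [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.50:51414 -> 198.51.100.20:80
03/02-14:21:09.005310  [**] [1:1000001:1] CUSTOM P2P BitTorrent peer handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.9:6881 -> 192.168.1.50:51413
03/02-14:21:10.777777  [**] [1:1000001:1] CUSTOM P2P BitTorrent peer handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.50:51415 -> 192.168.1.1:6881
Snort exiting
"""

LAN_PASSLIST = ["192.168.1.0/24"]   # assumption: the LAN subnet is exempt

if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for label, passlist in (("no pass-list", []), ("LAN pass-listed", LAN_PASSLIST)):
        print(f"{label}, mode BOTH: {dict(build_block_list(lines, passlist))}")
```

Running it shows the difference the pass-list makes: without one, BOTH mode puts the LAN client 192.168.1.50 and the gateway 192.168.1.1 on the block list after the very first alerts, while with the LAN subnet pass-listed only the three remote peers are blocked.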