Home / server / Questions / 840094
In Process
Mantykora 7
Asked: 2017-03-24 01:11:15 +0800 CST

Firewall (VyOS) block p2p

  • 772

I have VyOS router, I want to block p2p traffic. Which ports must be blocked?. I tried 6881-6999, but it does not work. Thank you in advance for your help

set firewall name "FIREWALL-IN" 

set firewall name "FIREWALL-IN" default-action drop

set firewall name "FIREWALL-IN" rule 10 action accept
set firewall name "FIREWALL-IN" rule 10 state established enable
set firewall name "FIREWALL-IN" rule 10 state related enable


set firewall name "FIREWALL-IN" rule 100
set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 source port 6881-6999
set firewall name "FIREWALL-IN" rule 100 state established enable
set firewall name "FIREWALL-IN" rule 100 state related enable

UPDATE1

A

set firewall name "FIREWALL-IN" rule 100
set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 source port 6881-6999

B

set firewall name "FIREWALL-OUT" rule 100
set firewall name "FIREWALL-OUT" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-OUT" rule 100 action drop
set firewall name "FIREWALL-OUT" rule 100 protocol tcp_udp
set firewall name "FIREWALL-OUT" rule 100 source port 6881-6999

enter image description here

UPDATE 2

set firewall name "FIREWALL-IN" 

set firewall name "FIREWALL-IN" default-action drop

set firewall name "FIREWALL-IN" rule 1 action accept
set firewall name "FIREWALL-IN" rule 1 state established enable
set firewall name "FIREWALL-IN" rule 1 state related enable

set firewall name "FIREWALL-IN" rule 10
set firewall name "FIREWALL-IN" rule 10 description "Allow http, https"
set firewall name "FIREWALL-IN" rule 10 action accept
set firewall name "FIREWALL-IN" rule 10 protocol tcp
set firewall name "FIREWALL-IN" rule 10 destination port 80,443
set firewall name "FIREWALL-IN" rule 10 state new enable
set firewall name "FIREWALL-IN" rule 10 state established enable
set firewall name "FIREWALL-IN" rule 10 state related enable

set firewall name "FIREWALL-IN" rule 15
set firewall name "FIREWALL-IN" rule 15 description "Allow dns"
set firewall name "FIREWALL-IN" rule 15 action accept
set firewall name "FIREWALL-IN" rule 15 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 15 destination port 53
set firewall name "FIREWALL-IN" rule 15 state new enable
set firewall name "FIREWALL-IN" rule 15 state established enable
set firewall name "FIREWALL-IN" rule 15 state related enable

set firewall name "FIREWALL-IN" rule 20
set firewall name "FIREWALL-IN" rule 20 description "pop3,imap"
set firewall name "FIREWALL-IN" rule 20 action accept
set firewall name "FIREWALL-IN" rule 20 protocol tcp
set firewall name "FIREWALL-IN" rule 20 destination port 110,993,995
set firewall name "FIREWALL-IN" rule 20 state new enable
set firewall name "FIREWALL-IN" rule 20 state established enable
set firewall name "FIREWALL-IN" rule 20 state related enable

set firewall name "FIREWALL-IN" rule 30
set firewall name "FIREWALL-IN" rule 30 description "smtp"
set firewall name "FIREWALL-IN" rule 30 action accept
set firewall name "FIREWALL-IN" rule 30 protocol tcp
set firewall name "FIREWALL-IN" rule 30 destination port 25,587,465
set firewall name "FIREWALL-IN" rule 30 state new enable
set firewall name "FIREWALL-IN" rule 30 state established enable
set firewall name "FIREWALL-IN" rule 30 state related enable

set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 destination port 6881-6999
set firewall name "FIREWALL-IN" rule 100 state established enable
set firewall name "FIREWALL-IN" rule 100 state related enable
firewall

1 Answers

  1. I tried 6881-6999, but it does not work

    Could you explain how it is not working?

    In general, you will probably want to deny all but specifically authorised outbound connections - in other words, whitelist connections, rather than allow everything with exceptions (i.e. blacklist).

    Also, you are only blocking inbound traffic, but should be blocking the outbound connections (via the FORWARD or OUTPUT chain, depending on your situation - I think FORWARD would be appropriate, assuming I understand your setup (LAN with your VyOS router protecting it)).

    This is because P2P clients may be reaching out to establish connections, rather than only waiting for incoming connections - bear in mind P2P mostly uses UDP, which means either end can establish the connection, in practice.

    In other words, you need to do egress filtering, as well as ingress filtering

    To be effective, you really need to make sure your egress rules are as minimal as possible.

    Basically:

    • you probably have to allow HTTP and HTTPS out, e.g. tcp/80 and tcp/443
    • you may need to allow DNS out, e.g. udp/53 and tcp/53 to specifically designated servers (i.e only allow DNS flows to servers you are OK with your clients using).
    • you may also need to allow some mail-related flows out, e.g. submission (tcp/587), SMTPS (tcp/465).

    You have edited your output rules, but if I was you, I would edit your forward rules, to look something like this:

    -A FORWARD -m state --state ESTABLISHED -j ACCEPT -A FORWARD -m tcp -p tcp -m state --state NEW -m multiport --dports 80,443,587 -j ACCEPT -A FORWARD -m udp -p udp -m state --state NEW -d 8.8.8.8 -p 53 -j ACCEPT -A FORWARD -j DROP

    • 0