Some torrent connections cannot be blocked completely, but you can rate-limit them so that they download slo.........................wly.
/ip firewall layer7-protocol
add name=L7-Torrent regexp="^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]"
/queue tree
add limit-at=32k max-limit=32k name=Torrent-Download packet-mark=Torrent-Conn parent=global priority=5 queue=default
/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Add address-list-timeout=2m chain=forward layer7-protocol=L7-Torrent
After v6.39 the vendor removed the built-in p2p blocking feature (the p2p= rules below only apply to older versions):
add action=add-src-to-address-list address-list=Torrent-Add address-list-timeout=2m chain=forward p2p=all-p2p
add action=add-src-to-address-list address-list=Torrent-Add address-list-timeout=2m chain=forward p2p=bit-torrent
/ip firewall mangle
add action=mark-connection chain=prerouting comment=Torrent-Conn dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 new-connection-mark=Torrent-Conn protocol=tcp src-address-list=Torrent-Add
add action=mark-connection chain=prerouting dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 new-connection-mark=Torrent-Conn protocol=udp src-address-list=Torrent-Add
After v6.39 the vendor removed the built-in p2p blocking feature (the p2p= rules below only apply to older versions):
add action=mark-connection chain=prerouting new-connection-mark=Torrent-Conn p2p=all-p2p src-address-list=Torrent-Add
add action=mark-connection chain=prerouting new-connection-mark=Torrent-Conn p2p=bit-torrent src-address-list=Torrent-Add
add action=mark-packet chain=prerouting connection-mark=Torrent-Conn new-packet-mark=Torrent-Conn passthrough=no
Since the vendor removed the p2p blocking feature, you can use Layer7 instead to block at least some of these connections:
/ip firewall layer7-protocol
add name=p2p_www regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$"
add name=p2p_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="p2p download" disabled=no layer7-protocol=p2p_www new-packet-mark="p2p download" passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=p2p_dns new-packet-mark="p2p download" passthrough=no
/queue simple
add name="p2p download" target="" parent=none packet-marks="p2p download" priority=8/8 limit-at=0/0 max-limit=1k/1k burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1 queue=default-small/default-small total-queue=default-small
Note:
The p2p download policy here uses a queue; you can also try a drop action in the filter instead:
add action=drop chain=forward comment="dropping p2p download" packet-mark="p2p download"
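As an added check (not part of the original post), the Python below runs the L7-Torrent and p2p_www patterns from the config above over a few constructed payloads, assuming RouterOS matches them case-insensitively with '.' spanning newlines as l7-filter does. It also shows that, because the L7-Torrent pattern has no '|' between its scrape and announce alternatives, a plain tracker announce request is not caught.

```python
import re

# Layer7 patterns copied from the RouterOS config above. RouterOS's layer7
# matcher is modeled on l7-filter, which compiles patterns case-insensitively
# and lets '.' match newlines, so IGNORECASE | DOTALL is assumed here.
L7_FLAGS = re.IGNORECASE | re.DOTALL
L7_PATTERNS = {
    "L7-Torrent": re.compile(
        r"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash="
        r"get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)"
        r"|d1:ad2:id20:|\x08'7P\)[RP]", L7_FLAGS),
    "p2p_www": re.compile(
        r"^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|"
        r"btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|"
        r"bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|"
        r"btbot|seedpeer|fenopy|gpirate|commonbits).*$", L7_FLAGS),
}
# Per MikroTik's documentation the matcher only inspects the first 10 packets
# or first 2 KB of a connection, so later bytes never change the verdict.
L7_WINDOW = 2048


def classify(payload: str) -> list[str]:
    """Return the names of the layer7 patterns that fire on a flow's payload."""
    window = payload[:L7_WINDOW]
    return [name for name, rx in L7_PATTERNS.items() if rx.search(window)]


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "bt_handshake": "\x13BitTorrent protocol" + "\x00" * 8 + "A" * 20 + "-XX0001-" + "B" * 12,
    "dht_ping": "d1:ad2:id20:" + "C" * 20 + "e1:q4:ping1:t2:aa1:y1:qe",
    # Not caught: the pattern requires the literal "get /scrape?info_hash=get /announce?info_hash="
    "tracker_announce": "GET /announce?info_hash=%AA%BB&peer_id=X HTTP/1.1\r\n"
                        "Host: tracker.example\r\n\r\n",
    "torrent_site": "GET /search?q=ubuntu HTTP/1.1\r\nHost: thepiratebay.example\r\n\r\n",
    "plain_web": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def run_samples() -> dict[str, list[str]]:
    """Map each sample name to the patterns that fire on it."""
    return {name: classify(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:17} -> {hits or ['(no match, flow is not marked)']}")
```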