2017年6月5日 星期一

MikroTik RouterOS (Layer7 Protocol) 封鎖 Torrent、p2p 下載 Policy

總是會有人利用公司的網路下載 Torrent 載點,在試過下列的 Policy 之後效果還不錯。

有些 Torrent 連線是無法完全封鎖,但可以採用限制流量的方式,讓它慢.........................慢的下載。

/ip firewall layer7-protocol
add name=L7-Torrent regexp="^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]"

/queue tree
add limit-at=32k max-limit=32k name=Torrent-Download packet-mark=Torrent-Conn parent=global priority=5 queue=default

/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Add address-list-timeout=2m chain=forward layer7-protocol=L7-Torrent
在 v6.39 後廠拿掉了對 p2p 阻擋的功能
add action=add-src-to-address-list address-list=Torrent-Add address-list-timeout=2m chain=forward p2p=all-p2p
add action=add-src-to-address-list address-list=Torrent-Add address-list-timeout=2m chain=forward p2p=bit-torrent

/ip firewall mangle
add action=mark-connection chain=prerouting comment=Torrent-Conn dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 new-connection-mark=Torrent-Conn protocol=tcp src-address-list=Torrent-Add
add action=mark-connection chain=prerouting dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 new-connection-mark=Torrent-Conn protocol=udp src-address-list=Torrent-Add
在 v6.39 後廠拿掉了對 p2p 阻擋的功能
add action=mark-connection chain=prerouting new-connection-mark=Torrent-Conn p2p=all-p2p src-address-list=Torrent-Add
add action=mark-connection chain=prerouting new-connection-mark=Torrent-Conn p2p=bit-torrent src-address-list=Torrent-Add

add action=mark-packet chain=prerouting connection-mark=Torrent-Conn new-packet-mark=Torrent-Conn passthrough=no


針對原廠拿掉封鎖 p2p 的功能,可以採用 Layer7 的方式加減擋掉一些連線:

/ip firewall layer7-protocol
add name=p2p_www regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$"

add name=p2p_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meg anova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"

/ip firewall mangle
add action=mark-packet chain=prerouting comment="p2p download" disabled=no layer7-protocol=p2p_www new-packet-mark="p2p download" passthrough=no

add action=mark-packet chain=prerouting disabled=no layer7-protocol=p2p_dns new-packet-mark="p2p download" passthrough=no

/queue simple
add name="p2p download" target="" parent=none packet-marks="p2p download" priority=8/8  limit-at=0/0 max-limit=1k/1k burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1 queue=default-small/default-small total-queue=default-small

備註:
這裡的 p2p download policy 是用 queue 方式,也可以在 filter 用 drop 方式試試:
add action=drop chain=forward comment="dropping p2p download" packet-mark="p2p download





沒有留言:

張貼留言

OCS Inventory 匯出資料到 Google 試算表(依電腦設備類型)

OCS Inventory 匯出到 Google 試算表的程式是從網路上其他高手分享出來( 參考資料出處 ),並依個人需求調整。 如要取用請注意,因程式是用 python 寫的,程式段落可能會移位導致無法正常運作。 下列程式調整SELECT電腦 設備類型 為Noteboo...