Application Control with Peer to Peer applications

Last modified on 1 Dec, 2022. Revision 11
Up to date for cOS Core 14.00.06
Supported since cOS Core 10.10
Status: OK


When you want to detect, and possibly also control or traffic shape, BitTorrent traffic (for example, from the uTorrent client), you must select these applications in Application Control:

A common mistake is to leave out the uTP protocol, which BitTorrent uses for the actual file transfer. Application Control will then appear unable to detect BitTorrent traffic correctly: the speed is not limited, or the application keeps working even though the action is set to block it.

You can read more about uTP here:

Incoming P2P traffic shaping

P2P sessions can be initiated both from the inside to the outside (the expected direction) AND from the outside to the inside (which is why you usually need port forwarding/SAT, or Allow policies in a Transparent Mode setup, for P2P to work at all).

This means that to traffic shape P2P traffic properly, you must set up Application Control with different Forward and Return pipes depending on the direction in which the session is initiated. If you do not, inbound and outbound traffic end up mixed in the in/out pipes, and the net result is that your traffic shaping will not behave as you expect.

A Setup Example

Create two Pipes:
in-pipe, Grouping = Destination IP
out-pipe, Grouping = Source IP

Grouping is needed to be able to run the “pipes -users” command later.

Create two Application Control Rule sets:
P2P_out: Family = peer_to_peer, Fwd = out-pipe, Ret = in-pipe
P2P_in: Family = peer_to_peer, Fwd = in-pipe, Ret = out-pipe

Outbound IP Policy

On the outbound IP Policy (usually a NAT policy, but an Allow policy in a Transparent Mode scenario), assign the P2P_out rule:
NAT_out NAT lan lannet wan all-nets all_tcpudpicmp AC=P2P_out

For transparent mode setups:
Allow_out Allow lan lannet wan all-nets all_tcpudpicmp AC=P2P_out

Please note that NATing/Allowing all ports (or, as here, all of TCP, UDP and ICMP) in this way is considered unsafe. Limit what you let out of your internal network as far as you can.

Inbound IP Policy

On the inbound IP Policy (usually an IP Policy with destination translation, but an Allow rule in a Transparent Mode scenario) assign the P2P_in rule:
P2P_in SAT any all-nets core wan_ip “TCP destport=xyz” SetDestinationIP=<P2P_client_ip> AC=P2P_in

For transparent mode setups:
Allow_in wan all-nets lan <P2P_client_ip> AC=P2P_in
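To make the direction argument above concrete, here is a small model (added for this article, not Clavister code) of how the two rules and two pipes in the setup example sort traffic. It assumes a simplified view where each IP Policy applies one AC rule to the sessions it admits, and uses constructed byte counts.

```python
from dataclasses import dataclass

# Assumed simplification of the setup above: two pipes and two Application
# Control rules; the IP Policy that admits a session decides which rule applies.
PIPES = ("in-pipe", "out-pipe")
AC_RULES = {
    "P2P_out": {"fwd": "out-pipe", "ret": "in-pipe"},
    "P2P_in": {"fwd": "in-pipe", "ret": "out-pipe"},
}

@dataclass(frozen=True)
class Packet:
    initiated_from: str  # "lan" or "wan": the side that opened the session
    direction: str       # "fwd" follows the session's initial direction, "ret" is the reply
    size: int            # bytes (constructed sample values)

def wire_direction(pkt: Packet) -> str:
    """Physical direction on the WAN link: "to_wan" (upload) or "to_lan" (download)."""
    if pkt.initiated_from == "lan":
        return "to_wan" if pkt.direction == "fwd" else "to_lan"
    return "to_lan" if pkt.direction == "fwd" else "to_wan"

def pipe_usage(packets, rule_for_initiator):
    """Sum bytes per pipe and per physical direction.

    rule_for_initiator maps the initiating side ("lan"/"wan") to the AC rule assigned
    by the IP Policy handling that side, e.g. {"lan": "P2P_out", "wan": "P2P_in"}.
    """
    usage = {p: {"to_wan": 0, "to_lan": 0} for p in PIPES}
    for pkt in packets:
        pipe = AC_RULES[rule_for_initiator[pkt.initiated_from]][pkt.direction]
        usage[pipe][wire_direction(pkt)] += pkt.size
    return usage

def pipes_are_clean(usage) -> bool:
    """True when out-pipe carries only uploads and in-pipe only downloads."""
    return usage["out-pipe"]["to_lan"] == 0 and usage["in-pipe"]["to_wan"] == 0

# Constructed traffic: one session opened by the LAN client (small request, large
# download) and one opened by a remote peer (large download into the LAN, small reply).
SAMPLE = [
    Packet("lan", "fwd", 1000), Packet("lan", "ret", 9000),
    Packet("wan", "fwd", 8000), Packet("wan", "ret", 500),
]
CORRECT = {"lan": "P2P_out", "wan": "P2P_in"}  # the setup in this article
MIXED = {"lan": "P2P_out", "wan": "P2P_out"}   # same rule on both policies

if __name__ == "__main__":
    for name, mapping in (("separate rules", CORRECT), ("one rule for both", MIXED)):
        u = pipe_usage(SAMPLE, mapping)
        print(name, u, "clean" if pipes_are_clean(u) else "MIXED DIRECTIONS")
```

With the single-rule mapping, the 8000 bytes downloaded by the inbound-initiated session land in out-pipe, so the download limit in in-pipe never applies to them.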

Verify correct functioning

When running the P2P software, verify your settings with the CLI commands:

You should not see:
