cOS Core Application Control with Peer to Peer applications

Last modified on 27 Mar, 2023. Revision 15
This article provides further explanation about using Application Control with Peer to Peer applications. It principally applies to NetWall (cOS Core) firewalls but also has some relevancy to NetShield (cOS Stream) firewalls.
Up to date for: cOS Core 14.00.06
Supported since: cOS Core 10.10
Status: OK



Topics covered in this article:

  • BitTorrent filtering.
  • Incoming P2P traffic shaping.

BitTorrent

When you want to detect, and possibly also control or traffic shape, BitTorrent traffic (for example, from the uTorrent client) you must select these applications in Application Control:

  • BitTorrent
  • uTP (Micro Transport Protocol)


It is a common mistake to forget applying Application Control to the uTP protocol as well, since uTP is the protocol BitTorrent uses for transferring files. If it is left out, it will seem as if Application Control cannot correctly detect BitTorrent traffic: the speed will not be limited, or BitTorrent will keep working even though the action is set to block it.

You can read more about uTP at this link: http://en.wikipedia.org/wiki/Micro_Transport_Protocol

Incoming P2P traffic shaping

P2P traffic can be initiated both from the inside to the outside (the expected direction) AND from the outside to the inside (which is why you usually need to set up port forwarding/SAT, or Allow policies in a Transparent Mode setup).

This means that if you want to traffic shape P2P traffic properly, you must set up Application Control with different Forward and Return pipes depending on the direction in which the traffic is initiated. If you do not, inbound and outbound traffic will be mixed in the in and out pipes respectively, and the net result is that your traffic shaping will not behave as you expect.

A Setup Example

Create two Pipes:

  • in-pipe, Grouping = Destination IP
  • out-pipe, Grouping = Source IP

Grouping is needed to be able to run the “pipes -users” command later.

Create two Application Control Rule sets:

  • P2P_out: Family = peer_to_peer, Fwd=out-pipe, Ret=in-pipe.
  • P2P_in: Family = peer_to_peer, Fwd=in-pipe, Ret=out-pipe.

Outbound IP Policy

On the outbound IP Policy (usually a NAT policy, but an Allow policy in a Transparent Mode scenario), assign the P2P_out rule:
NAT_out NAT lan lannet wan all-nets all_tcpudpicmp AC=P2P_out

For transparent mode setups:
Allow_out Allow lan lannet wan all-nets all_tcpudpicmp AC=P2P_out

Please note that NATing/Allowing all ports (or even all protocols!) like this is considered unsafe. You should do your best to limit what you are letting out from your internal network!

Inbound IP Policy

On the inbound IP Policy (usually an IP Policy with destination translation, but an Allow rule in a Transparent Mode scenario) assign the P2P_in rule:
P2P_in SAT any all-nets core wan_ip “TCP destport=xyz” SetDestinationIP=<P2P_client_ip> AC=P2P_in

For transparent mode setups:
Allow_in wan all-nets lan <P2P_client_ip> AC=P2P_in

Verify correct functioning

When running the P2P software, verify your settings with the CLI commands:

  • "pipe -users in-pipe"
  • "pipe -users out-pipe"

You should not see:

  • IPs from the outside in the out-pipe.
  • IPs from the inside in the in-pipe.
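The two checks above are easy to misread in a long user listing, so here is an added helper (not part of the original article, and not a Clavister tool) that takes the text of a pipe user listing and sorts the addresses of each pipe into those inside the internal network and those outside it. The listing format below is constructed for the example; the real output of the cOS Core CLI differs, so adapt the header regex and the column parsing to what your firewall prints. The network name LANNET and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample listing. This is NOT real cOS Core output; it only
# mimics a "one pipe header, then one user per line" layout so the parser
# has something to chew on.
SAMPLE_OUTPUT = """\
Users of pipe in-pipe:
  192.168.1.20     1024 kbps
  192.168.1.21      512 kbps
  203.0.113.7       256 kbps
Users of pipe out-pipe:
  192.168.1.20      800 kbps
  198.51.100.9      128 kbps
"""

# Assumed internal network (corresponds to "lannet" in the policies above).
LANNET = ipaddress.ip_network("192.168.1.0/24")

HEADER_RE = re.compile(r"^Users of pipe (\S+):")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_pipe_users(text):
    """Return {pipe_name: [IPv4Address, ...]} from a user listing.

    Lines before the first pipe header are ignored; any line under a header
    that contains something that looks like an IPv4 address is treated as a
    user entry for that pipe.
    """
    users = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            users.setdefault(current, [])
            continue
        if current is None:
            continue
        candidate = IPV4_RE.search(line)
        if candidate:
            try:
                users[current].append(ipaddress.ip_address(candidate.group(1)))
            except ValueError:
                continue  # e.g. "999.1.1.1" matches the regex but is not an address
    return dict(users)


def classify(users, lannet):
    """Split each pipe's users into inside (member of lannet) and outside.

    Returns {pipe_name: {"inside": [str, ...], "outside": [str, ...]}} with
    the address lists sorted, so the result is stable for comparison.
    """
    result = {}
    for pipe, addrs in users.items():
        inside = sorted(str(a) for a in addrs if a in lannet)
        outside = sorted(str(a) for a in addrs if a not in lannet)
        result[pipe] = {"inside": inside, "outside": outside}
    return result


def report(text, lannet):
    """Print a one-line summary per pipe and return the classification."""
    summary = classify(parse_pipe_users(text), lannet)
    for pipe, sides in sorted(summary.items()):
        print(f"{pipe}: inside={sides['inside']} outside={sides['outside']}")
    return summary


if __name__ == "__main__":
    report(SAMPLE_OUTPUT, LANNET)
```

Paste the real listing from "pipe -users in-pipe" and "pipe -users out-pipe" in place of the constructed sample and compare the per-pipe result with the two conditions listed above; any address on the wrong side usually means one of the IP Policies is assigned the wrong Application Control rule set (P2P_out where P2P_in was intended, or vice versa).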
