Application Control and Peer to Peer applications (10.x)

Security Gateway Articles and How to's
Locked
Tomas
Posts: 34
Joined: 15 Sep 2008, 15:57
Location: Clavister HQ - Örnsköldsvik

Application Control and Peer to Peer applications (10.x)

Post by Tomas » 19 Dec 2012, 10:15

This How-to applies to:
  • Clavister Security Gateway cOS Core 10.10 or later
Topics covered in this document
  • Bittorrent
    Incoming P2P traffic shaping
Bittorrent
When you want to detect, and possibly also traffic shape, Bittorrent traffic, e.g. from the uTorrent software, you must select these applications:
* bittorrent
* utp (Micro Transport Protocol)

It is common to miss the utp protocol, which is used for transferring files, and then it looks as if the Application Control can't detect and handle the Bittorrent traffic (the speed will not be limited or the application will still function even if it is "blocked".

Read more about utp here http://en.wikipedia.org/wiki/Micro_Transport_Protocol


Incoming P2P traffic shaping

P2P traffic has the ability to be initiated both from the inside to the outside (which is the expected way) AND from the outside to the inside (which is why you usually need to setup port forwarding/SAT or Allow rules in a Transparent Mode setup).

This means that if you want to properly traffic shape the P2P traffic, you must setup Application Control to have different Forward and Return pipes, depending on the direction of which the traffic is initiated. If you do not, the inbound and outbound traffic will be mixed in the in/out pipes respectively, and the net result is that your traffic shaping will not function as you expect it to.

High level example

Create Pipes
in-pipe, Grouping = Destination IP
out-pipe, Grouping = Source IP

Grouping is needed to be able to run the "pipes -users" command later.

Create two Application Control Rule sets:
P2P_out: Family = peer_to_peer, Fwd=out-pipe, Ret=in-pipe.
P2P_in: Family = peer_to_peer, Fwd=in-pipe, Ret=out-pipe

Outbound IP Rules
On the outbound IP Rule (usually a NAT rule, but an Allow rule in a Transparent Mode scenario), assign the P2P_out.

NAT_out NAT lan lannet wan all-nets all_tcpudpicmp AC=P2P_out

For transparent setups:
Allow_out Allow lan lannet wan all-nets all_tcpudpicmp AC=P2P_out

Please note that NAT/Allowing all ports (or all protocols!) like this is considered unsafe. You should do your best to limit what you are letting out from your internal network!

Inbound IP Rules
On the inbound IP Rule (usually a SAT/Allow IP Rule pair or an IP Policy with destination translation, but an Allow rule in a Transparent Mode scenario), assign the P2P_in.

P2P_in SAT any all-nets core wan_ip "TCP destport=xyz" SetDestinationIP=<P2P_client_ip> AC=P2P_in
P2P_in Allow wan all-nets core wan_ip "TCP destport=xyz" AC=P2P_in

For transparent setups:
Allow_in wan all-nets lan <P2P_client_ip> AC=P2P_in

Verify functionality
Verify your settings with the CLI commands "pipe -users in-pipe" and "pipe -users out-pipe" when you are running the P2P software.

You should not see:
* IPs from the Outside in the out-pipe
* IPs from the inside in the in-pipe

Locked