Dport is sufficient, at least in my case; that will deny the appropriate port. The sport is not needed really, but can be, though I’ve seen adverse effects when web browsing and doing basic stuff. If P2P is still in use, then it is probably using a lower port than those specified. P2P port-hops, and can go to port 80 if it has to on some clients.
Use the conntrack log viewer to see some odd connections; some may be on port 80 but not actually web traffic, some may be on something like port 100, or something low, but still not common.
The conntrack log is under QoS -> Classifier -> Show Log. Once the pop-up window displays, clear any “Filter” currently present (mine defaults to “OUT=”), and make sure the “Section” is set to “ConnTrack”, or “ConnTrack.gz” if the conntrack log already got compressed to save space. Then go through the whole thing and try to find obscure connections and their associated port for dport, then drop that with a rule or QoS it.
Alternatively you can SSH into the ZS box, go to the shell prompt, enter “iptraf” and run a basic capture on the LAN-side interface to see live traffic; this may help in finding live connections more easily. If you have a spare box, use it to install NTOP and use a mirrored port if available, or put it on a hub tap to see that traffic; ntop is great.
P2P is messy, and you really need some sort of live capture such as iptraf or ntop to see the entire network and apply QoS/firewall rules appropriately.
I hope NTOP makes it into the next release, or earlier as an external package; that’d be fantastic.
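As an added example (not part of this post, and not Zeroshell’s own code), a small Python script that does by hand what the post describes: parse conntrack entries, count flows whose destination port is outside a list of ordinary ports, and print a candidate dport DROP rule per finding. The `/proc/net/ip_conntrack` line layout, the port list and the sample entries are all assumptions/constructed data.

```python
import re
from collections import Counter

# Constructed sample lines in the /proc/net/ip_conntrack text layout
# (assumption: the Zeroshell "ConnTrack" log section uses this format).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.10 sport=51234 dport=80 packets=120 bytes=9000 src=203.0.113.10 dst=192.168.1.20 sport=80 dport=51234 packets=100 bytes=120000 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.20 dst=198.51.100.7 sport=41000 dport=100 packets=4000 bytes=2000000 src=198.51.100.7 dst=192.168.1.20 sport=100 dport=41000 packets=3500 bytes=2100000 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.20 dst=198.51.100.8 sport=6881 dport=6881 packets=30 bytes=4000 src=198.51.100.8 dst=192.168.1.20 sport=6881 dport=6881 packets=28 bytes=3900 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.9 sport=41001 dport=100 packets=3800 bytes=1900000 src=198.51.100.9 dst=192.168.1.20 sport=100 dport=41001 packets=3400 bytes=2000000 [ASSURED] mark=0 use=1
udp      17 30 src=192.168.1.21 dst=192.168.1.1 sport=5353 dport=53 packets=2 bytes=140 src=192.168.1.1 dst=192.168.1.21 sport=53 dport=5353 packets=2 bytes=300 mark=0 use=1
"""

# Destination ports treated as ordinary traffic (assumed list; tune for your LAN).
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}

# Original direction only: proto, optional TCP state, then the first src/dst/sport/dport tuple.
LINE_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)"
)


def parse_conntrack(text):
    """Return one dict per conntrack entry (original direction of the flow)."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, src, dst, sport, dport = m.groups()
            flows.append({"proto": proto, "src": src, "dst": dst,
                          "sport": int(sport), "dport": int(dport)})
    return flows


def uncommon_dports(flows, common=COMMON_PORTS):
    """Count flows per (proto, dport) whose destination port is not in the common set."""
    return Counter((f["proto"], f["dport"]) for f in flows if f["dport"] not in common)


def suggest_drop_rules(counts, chain="FORWARD"):
    """Turn the findings into iptables dport DROP rules, most frequent port first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"iptables -A {chain} -p {proto} --dport {port} -j DROP"
            for (proto, port), _ in ordered]


if __name__ == "__main__":
    found = uncommon_dports(parse_conntrack(SAMPLE_CONNTRACK))
    for (proto, port), n in found.most_common():
        print(f"{proto}/{port}: {n} flows")
    print("\n".join(suggest_drop_rules(found)))
```

Conntrack only shows ports, so a flow on port 80 that is not really web traffic will not be caught this way; that is the case where the post's iptraf/ntop capture is needed.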