November 13, 2009 at 6:50 pm #42037
Is there any way I can restrict BitTorrent traffic in QoS? I put BitTorrent in p2p with low priority and gave it only 25 kbps maximum bandwidth, but it is downloading at a speed of more than 100 kbps. Is there any way I could block or restrict BitTorrent?
Thanks in advance.
November 13, 2009 at 9:40 pm #49094
There’s another way to restrict p2p traffic: create QoS classes with high priority and enough bandwidth for known services, such as DNS, HTTP, ICMP, SMTP etc. In the classifier, assign them to the corresponding protocols and ports. All remaining traffic, including bittorrent, will have low priority and bandwidth.
November 16, 2009 at 3:01 pm #49095
Does anybody have more ideas?
November 16, 2009 at 5:20 pm #49096
Use ntop either on a separate box or find a way to install it on Zeroshell, or use the built-in and awesome iptraf; find the IPs in question and their ports, then apply some classes and classifiers with the IPs and ports and give them a DSCP of BE 0, the lowest possible, for QoS. Or use the firewall section to DROP or whatever instead.
But then there’d be all of these customer classifiers building up and it gets messy.
Or, what I found best, kind of like yum said: apply the default class of BE 0 and a very low pipe class, and make classes for HTTP, FTP, AIM, etc… Then anything not classified will be lowest priority with the lowest DSCP. I’ve also found that putting the unclassified IANA ports, 1025:65535, at lowest priority helps tremendously. Most common apps use lower ports and are registered through IANA; unclassified ones are for third-party apps, i.e., BT, when choosing the random port button, or random port on startup, it is always over 1024.
Now that all uncommon ports are lowest prio, you can start to make your exceptions; it keeps things more organized and manageable. It’d be nice to have a “Custom” description field on the classifier when adding one, to distinguish it from the others on the classifier list instead of just the auto-generated one; both would be nice to have. So it can read…
“1024 BE speed after 5Meg transfer”
“MARK all opt -- in * out * 0.0.0.0/0 -> 172.16.1.0/24 PHYSDEV match --physdev-is-bridged connbytes 5242880:4294967295 connbytes mode bytes connbytes direction both DSCP match 0x00 MARK set 0xb”
or something… to keep things more human-readable and easier to glance at and apply rules.
November 18, 2009 at 10:36 am #49097
Can anybody advise me on how to put a port in QoS?
Thanks
November 18, 2009 at 1:19 pm #49098
Under the classifier you are making, choose under the “Protocol Matching” section the protocol of choice, TCP/UDP/etc…, then specify source/destination and fin/ack/syn if needed, or alternatively use the “Not” tick mark if needed.
November 19, 2009 at 3:27 pm #49099
Thanks for your reply on my last post.
I did what you mentioned in your last post, but I am still having the issue with P2P downloads. I think I am doing something wrong. This is the first time I am using Linux, so please advise me as you would a student.
MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp spts:1025:65535 dpts:1025:65535 MARK set 0xe
This is what I entered in the QoS with low priority and a maximum bandwidth of 50 kbps, but P2P is still downloading at full speed.
Please let me know what I am doing wrong. If you can explain it to me in a simple way, that would be highly appreciated.
Thanks again.
November 19, 2009 at 3:47 pm #49100
Dport is sufficient, at least in my case; that will deny the appropriate port. The sport is not really needed, but it can be, though I’ve seen adverse effects when web browsing and doing basic stuff. If p2p is still in use, then it is probably using a lower port than those specified. P2P port hops, and can go to port 80 if it has to on some clients.
Use the conntrack log viewer to see some odd connections, some may be on port 80, but not actually web traffic, some may be on something like port 100, or something low, but still not common.
The conntrack log is under QoS->Classifier->Show Log. Once the pop-up window displays, clear any “Filter” currently present; mine defaults to “OUT=”. And make sure the “Section” is set to “ConnTrack” or “ConnTrack.gz” if the conntrack already got compressed to save space. Then go through the whole thing and try to find obscure connections and their associated port for dport, then drop that with a rule or QoS it.
Alternatively you can ssh into the ZS box and go to the shell prompt and enter “iptraf” and run a basic capture on the lan-side interface, to see live traffic, this may help in finding live connections easier. If you have a spare box use it to install NTOP and use a mirrored port if available or put on a hub-tap to see that traffic, ntop is great.
P2P is messy, and you really need some sort of live capture such as iptraf or ntop to see the entire network and apply QoS/Firewall rules appropriately.
I hope NTOP makes it into the next release, or earlier as an external package; that’d be fantastic.
November 19, 2009 at 3:57 pm #49101
You can also make set classifiers such as web/http using L7 and give it a class and prio, and so on for ftp/aim/etc… Then go to the class manager and make the default class lowest prio for BE 0, and set the class to something very low. Then anything that is classified gets the class/prio, and p2p and anything else unclassified can port hop all day long and will get low prio and its default speed. A fallback pipe, in a sense.
November 19, 2009 at 6:55 pm #49102
I checked the log through conntrack and saw this:
[NEW] tcp 6 120 SYN_SENT src=10.20.20.112 dst=10.20.20.75 sport=64037 dport=443 [UNREPLIED] src=10.20.20.75 dst=10.20.20.112 sport=443 dport=64037
To my knowledge it is passing through the port that I gave low priority, and I also saw a lot of other ports higher than 1025 passing the P2P traffic. Again, I don’t know exactly what I should do to block or restrict the P2P.
Thanks
November 19, 2009 at 7:17 pm #49103
Looks like 10.20.20.112 is trying to log into 10.20.20.75 on port 443. Since these are private IPs, they must be on your own network, and p2p wouldn’t really have an effect on internet performance. I am pretty sure this conntrack log excerpt can be dismissed, but then again I don’t know your network and what those IPs are, but they are local anyway. If you want to drop something, you need to go to the firewall section and apply a rule just like you would in the QoS classifier section. But here, use a drop rule or a “reject with…”. I use drop. You really can’t block p2p. It will always port hop, so you want to use L7 filters, but the open source filter ones can’t see all p2p, like ZS and many other firewalls. It can see most but not all, especially NOT encrypted traffic. So, traffic shaping/limiting is done through port rules and QoS on them.
You need to use iptraf, ntop, and/or the conntrack log viewer to see live traffic and apply the rules accordingly. Use the L7 filter, and apply individual rules in the firewall section to drop all of the p2p L7 filters listed; there’s no way to do a group of filters, so you need a separate rule for each p2p filter, and drop it.
Make a rule for known protocols, i.e., http, etc., and give it a class/prio/speed, then make the default class the lowest prio/speed, but not too slow, or you’ll find some things may not work correctly. Everything else is live and rules need to be applied live. That’s the horrible, uh hmm… I mean fun, part of maintaining QoS on a network.
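As an added example (not from the thread and not Zeroshell code), a small Python script that parses conntrack lines in the format quoted above and sorts each connection into the scheme the replies describe: LAN-to-LAN traffic ignored, known service ports into their own class, everything else into the BE 0 default class. The sample log lines, the 10.20.20.0/24 LAN prefix and the port-to-class table are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format of the thread's conntrack excerpt (not real traffic).
SAMPLE_LOG = """\
[NEW] tcp 6 120 SYN_SENT src=10.20.20.112 dst=10.20.20.75 sport=64037 dport=443 [UNREPLIED] src=10.20.20.75 dst=10.20.20.112 sport=443 dport=64037
[NEW] tcp 6 120 SYN_SENT src=10.20.20.112 dst=198.51.100.7 sport=51022 dport=80 [UNREPLIED] src=198.51.100.7 dst=10.20.20.112 sport=80 dport=51022
[NEW] udp 17 30 src=10.20.20.112 dst=198.51.100.53 sport=40112 dport=53 [UNREPLIED] src=198.51.100.53 dst=10.20.20.112 sport=53 dport=40112
[NEW] tcp 6 120 SYN_SENT src=10.20.20.112 dst=203.0.113.88 sport=61234 dport=6881 [UNREPLIED] src=203.0.113.88 dst=10.20.20.112 sport=6881 dport=61234
[NEW] tcp 6 120 SYN_SENT src=10.20.20.112 dst=203.0.113.89 sport=61235 dport=33211 [UNREPLIED] src=203.0.113.89 dst=10.20.20.112 sport=33211 dport=61235
"""

LAN_NET = ipaddress.ip_network("10.20.20.0/24")  # assumed LAN prefix, taken from the excerpt
# Known services that get their own class, as the replies suggest (dport -> class name); assumed table.
KNOWN_SERVICES = {53: "DNS", 80: "HTTP", 443: "HTTPS", 25: "SMTP", 21: "FTP"}
DEFAULT_CLASS = "BE0-default"  # the fallback pipe: lowest priority, small bandwidth

LINE_RE = re.compile(
    r"^\[NEW\]\s+(?P<proto>\w+)\s.*?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def parse_line(line):
    """Extract proto, original-direction src/dst and ports; None if the line is not a [NEW] entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    conn = m.groupdict()
    conn["sport"], conn["dport"] = int(conn["sport"]), int(conn["dport"])
    return conn

def classify(conn):
    """Return (class_name, reason) following the thread's scheme."""
    src, dst = ipaddress.ip_address(conn["src"]), ipaddress.ip_address(conn["dst"])
    if src in LAN_NET and dst in LAN_NET:
        return "LAN", "both ends on the LAN; never touches the WAN pipe"
    if conn["dport"] in KNOWN_SERVICES:
        # Port match only: a client that port-hops onto 80/443 lands here as well,
        # which is why the replies recommend L7 matching for those ports.
        return KNOWN_SERVICES[conn["dport"]], "known service port"
    if conn["dport"] >= 1025:
        return DEFAULT_CLASS, "unregistered high port; falls into the default class"
    return DEFAULT_CLASS, "low but unclassified port; falls into the default class"

def summarize(log_text):
    """Count connections per class, the way a quick pass over the Show Log output would."""
    counts = Counter()
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn:
            counts[classify(conn)[0]] += 1
    return dict(counts)
```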