02-19-2010 12:38 PM - edited 03-11-2019 10:12 AM
I have configured a router with ZFW, and from my testing I can confirm that almost everything is working the way it should except the P2P blocking. It doesn't seem to block anything in the P2P arena; I've tried Gnutella, Kazaa, and BitTorrent, and all of them are able to make a connection, search and download. I even have DPI enabled to make sure it can't use HTTP, but it still manages to get out.
Once in a while the router does log a message (below), but it's not consistent.
*Feb 19 20:26:15.689: %APPFW-6-P2P_PORT_HOP: gnutella using 9699 port - tcp session 10.32.2.30:3976 70.121.190.197:9699 on zone-pair in-out class CM_INSPECT
Feb 19 20:26:48.641: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.32.2.30:3985 => 24.141.184.178:36486 (target:class)-(in-out:CM_P2P)
! Generic inspection class: named protocols plus a catch-all for any TCP and UDP
class-map type inspect match-any CM_INSPECT
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol tcp
 match protocol udp
!
! HTTP class; the layer-7 HTTP policy below is attached to it
class-map type inspect match-all CM_HTTP
 match protocol http
!
! Layer-7 HTTP inspection class: P2P or tunnelling carried over HTTP, and HTTP protocol violations
class-map type inspect http match-any CM_PORTMISUSE
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation
!
! P2P class: signature-based matches for the listed applications, plus the plain gnutella match
class-map type inspect match-any CM_P2P
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
 match protocol gnutella
!
! Layer-7 HTTP policy: log and reset sessions that hit CM_PORTMISUSE
policy-map type inspect http PM_HTTPDPI
 class type inspect http CM_PORTMISUSE
  log
  reset
!
! Layer-4 policy applied to the inside->outside zone pair; classes are evaluated in this order
policy-map type inspect PM_INSPECT
 class type inspect CM_P2P
  drop log
 class type inspect CM_HTTP
  inspect
  service-policy http PM_HTTPDPI
 class type inspect CM_INSPECT
  inspect
 class class-default
  drop
!
zone security outside
zone security inside
zone-pair security in-out source inside destination outside
 service-policy type inspect PM_INSPECT
!
! Inside (LAN) side: bridge-group virtual interface, NAT inside
interface BVI1
 ip address 10.32.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
!
! Outside (WAN) side: DHCP-addressed, NAT outside
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 speed 100
 full-duplex
Any help is appreciated!!
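The two log lines quoted above are the only evidence the router gives of what it is doing with this traffic: the %APPFW-6-P2P_PORT_HOP message names the application it recognised and the class the session landed in, and the %FW-6-LOG_SUMMARY message names the class that dropped packets. When the messages are intermittent it helps to pull a syslog export apart and tally, per inside host, which class each recognised P2P session was attributed to and which class did the dropping. The script below is an added example, not part of the original post or of any Cisco tool; it parses only the two message formats shown in the post, and the sample log lines are constructed (modelled on the quoted ones, with documentation addresses for the extra entries).

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Patterns follow the two ZFW messages quoted in the post; any other
# syslog message is ignored.  Assumption: a real export keeps this layout.
PORT_HOP_RE = re.compile(
    r"%APPFW-6-P2P_PORT_HOP: (?P<app>\S+) using (?P<port>\d+) port - "
    r"(?P<proto>tcp|udp) session (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)
LOG_SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)"
)

# Constructed sample: the two lines from the post plus three made-up entries.
SAMPLE_LOG = [
    "*Feb 19 20:26:15.689: %APPFW-6-P2P_PORT_HOP: gnutella using 9699 port - tcp session "
    "10.32.2.30:3976 70.121.190.197:9699 on zone-pair in-out class CM_INSPECT",
    "Feb 19 20:26:48.641: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.32.2.30:3985 "
    "=> 24.141.184.178:36486 (target:class)-(in-out:CM_P2P)",
    "*Feb 19 20:27:02.101: %APPFW-6-P2P_PORT_HOP: bittorrent using 6881 port - tcp session "
    "10.32.2.31:4010 198.51.100.7:6881 on zone-pair in-out class CM_INSPECT",
    "Feb 19 20:27:30.500: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.32.2.31:4012 "
    "=> 203.0.113.9:51413 (target:class)-(in-out:CM_P2P)",
    "Feb 19 20:28:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]


@dataclass
class ZfwEvent:
    kind: str            # "port_hop" or "drop"
    src: str             # inside host
    dst: str
    dport: int
    zone_pair: str
    cls: str             # class-map the router attributed the event to
    app: Optional[str] = None   # application named in a port-hop message
    dropped: int = 0            # packets reported dropped in a summary message


def parse_line(line: str) -> Optional[ZfwEvent]:
    """Return a ZfwEvent for the two message types we know, else None."""
    m = PORT_HOP_RE.search(line)
    if m:
        return ZfwEvent("port_hop", m["src"], m["dst"], int(m["dport"]),
                        m["zp"], m["cls"], app=m["app"])
    m = LOG_SUMMARY_RE.search(line)
    if m:
        return ZfwEvent("drop", m["src"], m["dst"], int(m["dport"]),
                        m["zp"], m["cls"], dropped=int(m["count"]))
    return None


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per inside host: apps recognised, class each port-hop landed in,
    and packets dropped per class."""
    per_host: Dict[str, dict] = defaultdict(lambda: {
        "apps": set(), "port_hop_classes": Counter(), "dropped_by_class": Counter()})
    for ev in filter(None, map(parse_line, lines)):
        entry = per_host[ev.src]
        if ev.kind == "port_hop":
            entry["apps"].add(ev.app)
            entry["port_hop_classes"][ev.cls] += 1
        else:
            entry["dropped_by_class"][ev.cls] += ev.dropped
    return dict(per_host)


def p2p_outside_class(lines: Iterable[str], expected_cls: str = "CM_P2P") -> List[ZfwEvent]:
    """Port-hop events whose session was attributed to a class other than the
    one meant to drop P2P: the situation the post's first log line shows."""
    return [ev for ev in filter(None, map(parse_line, lines))
            if ev.kind == "port_hop" and ev.cls != expected_cls]


if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LOG).items()):
        print(host, sorted(info["apps"]), dict(info["port_hop_classes"]),
              dict(info["dropped_by_class"]))
    for ev in p2p_outside_class(SAMPLE_LOG):
        print(f"{ev.src} -> {ev.dst}:{ev.dport} recognised as {ev.app} but handled by {ev.cls}")
```

Run it against `show logging` output or a syslog export; any row printed by the second loop is a session the router recognised as P2P but attributed to a class other than CM_P2P, which is worth correlating with the class order in PM_INSPECT before changing the configuration.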