# block uploading in qBittorrent



## SIFE (Jun 6, 2010)

I am trying to block uploading in qBittorrent with pf, but it fails.
pf.conf:

```
#***********************************************************************************************#
#                                                                                               #
#                                           Macros                                              #
#                                                                                               #
#***********************************************************************************************#

# network card
ext_if="sis0"
net_card="sis0"

# tcp port services
tcp_ports="{22, 80 ,https ,domain ,auth ,21 ,3306}"

# udp port services
udp_ports="{domain ,23399}"

# ICMP types
icmp_types="echoreq"

# ip's
local_ip="{192.168.0.0/16, 127.0.0.1}"
#***********************************************************************************************#
#                                                                                               #
#                                           Tables                                              #
#                                                                                               #
#***********************************************************************************************#

#table <banned> persist file "/etc/pf/banned"

#***********************************************************************************************#
#                                                                                               #
#                                           Options                                             #
#                                                                                               #
#***********************************************************************************************#

#set ruleset-optimization basic
#set optimization normal
set block-policy drop
set skip on lo0
#scrub in on $net_card all fragment reassemble
#scrub on $net_card all reassemble tcp

#***********************************************************************************************#
#                                                                                               #
#                                           Rules                                               #
#                                                                                               #
#***********************************************************************************************#

# block any thing in or out
block drop in log(all) on $net_card all
block drop out log(all) on $net_card all

block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
block out log quick proto udp from any to any port 6881  

# passing traffic to sis from trusted ports
#pass in on $net_card from $local_ip to any keep state
pass in on $net_card proto tcp from any port $tcp_ports to any keep state
pass in on $net_card proto {tcp, udp} from $local_ip to $local_ip keep state
pass in on $net_card proto igmp all allow-opts

# pass out traffic to trusted ports
pass out on $net_card proto tcp from any to any port $tcp_ports
pass out on $net_card proto udp from any to any port $udp_ports
pass out on $net_card proto igmp all allow-opts
 
# pass ICMP 'echoreq' traffic 
pass out on $net_card inet proto icmp all icmp-type $icmp_types keep state

# passing ftp packet
pass out on $net_card inet proto tcp from any to any port ftp
pass out on $net_card inet proto tcp from any to any port > 1023
```
tcpdump output:

```
[root@localhost /]# tcpdump -n -e -ttt -i pflog0 -vv port 6881 
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000000 rule 8/0(match): block out on sis0: (tos 0x0, ttl 64, id 13266, offset 0, flags [none], proto UDP (17), length 132)
    192.168.1.2.6881 > x.x.x.x.6881: UDP, length 104
00:00:01.398401 rule 1/0(match): block out on sis0: (tos 0x0, ttl 64, id 13307, offset 0, flags [none], proto UDP (17), length 93)
    192.168.1.2.6881 > x.x.x.x.12956: UDP, length 65
00:00:00.016009 rule 1/0(match): block out on sis0: (tos 0x0, ttl 64, id 13308, offset 0, flags [none], proto UDP (17), length 93)
    192.168.1.2.6881 > x.x.x.x.25585: UDP, length 65
00:00:01.012143 rule 1/0(match): block out on sis0: (tos 0x0, ttl 64, id 13334, offset 0, flags [none], proto UDP (17), length 93)
    192.168.1.2.6881 > x.x.x.x.42694: UDP, length 65
00:00:06.382915 rule 1/0(match): block out on sis0: (tos 0x0, ttl 64, id 13589, offset 0, flags [none], proto UDP (17), length 93)
    192.168.1.2.6881 > x.x.x.x.16696: UDP, length 65
00:05:14.094309 rule 8/0(match): block out on sis0: (tos 0x0, ttl 64, id 18586, offset 0, flags [none], proto UDP (17), length 129)
    192.168.1.2.6881 > x.x.x.x.6881: UDP, length 101
```


----------



## DutchDaemon (Jun 7, 2010)

Why are you trying to prevent 50% of the functionality of the bittorrent protocol? Just leeching, no sharing?


----------



## SIFE (Jun 7, 2010)

Just making some tests.


----------



## SIFE (Jun 10, 2010)

As far as I know, the BitTorrent protocol uses the range 6881-6999, so I drop all packets going out from my network card, but with no success:

```
block drop out log quick proto udp from any to any port 6881:6999
```


----------



## DutchDaemon (Jun 10, 2010)

That rule drops traffic originating from your machine. Hint, pf is a stateful packet filter.


```
The state entry created permits pf(4) to keep track of the original
     address for traffic associated with that state and correctly direct
     return traffic for that connection.
```


----------



## SIFE (Jun 11, 2010)

Do you have a quick solution, Mr DutchDaemon? I found something, but it is not related to *BSD:
Filtering P2P network traffic with ipp2p
Application Layer Packet Classifier for Linux


----------



## DutchDaemon (Jun 11, 2010)

Don't keep state on your 'pass in' rules ('no state') and write specific 'pass out' rules to handle allowed outbound traffic. This is *very* inefficient (state tables are efficient, because only the initial connection needs to be fully evaluated), but it's the only way to control 'pass inbound / block outbound' situations on a single connection (vice versa). That's about as precise as I want to be.


----------
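The stateless layout DutchDaemon describes above, written out as an added example (not a ruleset from the thread or from any of its posters). It assumes the same interface name and service ports as the pf.conf posted at the top; `tcp_ports`, `client_ports` and `bt_ports` are illustrative macros, and the peer-port range is the 6881:6999 range the thread already mentions.

```pf
# Added example ruleset: inbound service traffic is passed WITHOUT state,
# so pf no longer auto-permits reply packets; every outbound packet must
# match an explicit 'pass out' rule or it is dropped by the default block.
ext_if       = "sis0"                 # assumed: interface from the thread
tcp_ports    = "{ 22, 80, 443 }"      # assumed: services this host offers
client_ports = "{ 53, 80, 443 }"      # assumed: services this host may reach
bt_ports     = "6881:6999"            # peer-port range named in the thread

set block-policy drop
set skip on lo0

# Default deny in both directions; later matching rules override these.
block drop in  log on $ext_if all
block drop out log on $ext_if all

# Inbound connections to our services, stateless. 'flags any' is needed:
# without state, every segment of the connection (not just the SYN) must
# match this rule on its own.
pass in on $ext_if proto tcp from any to any port $tcp_ports flags any no state

# Replies from those services: the source port is the service port and the
# segment always carries ACK. Restricting to ACK-bearing segments means this
# rule cannot be used to open a new outbound connection (a bare SYN fails).
pass out on $ext_if proto tcp from any port $tcp_ports to any flags A/A no state

# Connections this host initiates get their own explicit rules; keeping
# state here is fine because the outbound direction is what we allow.
pass out on $ext_if proto tcp from any to any port $client_ports keep state
pass out on $ext_if proto udp from any to any port 53 keep state

# The peer-port range never matches a 'pass out' rule, so the default block
# already drops it; this 'quick' rule just makes those drops visible on pflog0.
block drop out log quick on $ext_if proto { tcp, udp } from any to any port $bt_ports
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and read the matches back with the same `tcpdump -n -e -ttt -i pflog0` command used in the first post; the cost DutchDaemon mentions is that each packet of an inbound connection is now evaluated against the ruleset instead of hitting a state entry.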

