
Creating eMule P2P rules on the Juniper (NetScreen) SSG 5 series

I generally use two Linux distro-based firewalls on my home network, but I recently tested a Juniper SSG 5 for an evening with eMule. This was as close to a certain P2P-based streaming AV application we use at work as I could get without dragging a bunch of hardware home.

Here are my setup notes:


Create new custom service objects:

  1. Go to Objects, Services, Custom. (Note: this was moved in ScreenOS (NetScreen OS) 6.x; it is now under Policy, Policy Elements, Services, Custom.)
  2. Create a new service and call it eMule-TCP-xxxx, where the x's are your desired port number, such as 7000.
  3. Choose TCP, set the low source port to 0 and the high source port to 65535. Set both the low and the high destination port to 7000, so the object matches exactly one port. Hit OK.
  4. Create a new service and call it eMule-UDP-xxxx, where the x's are your desired port number, such as 7001.
  5. Choose UDP, set the low source port to 0 and the high source port to 65535. Set both the low and the high destination port to 7001. Hit OK.

Create a VIP entry:

  1. Go into Network, Interfaces, List and click the edit button for ethernet0/0.
  2. Click on the VIP tab.
  3. Add a new VIP entry. In my case the ethernet0/0 IP comes from my ISP by DHCP, so I chose "same as the interface IP address".
  4. Click on the New VIP Service button on the upper right. The virtual IP should be the one assigned to your ethernet0/0 interface. Virtual port is 7000. From Map to Service, choose the new custom eMule-TCP-7000 service object.
  5. Map to IP should point at the internal LAN IP of your eMule instance.
  6. You might want to enable Server Auto Detection, but it's not required.
  7. Repeat steps 4-6 for UDP (i.e. virtual port 7001 mapped to eMule-UDP-7001). Hit OK.

Create Policies:

Create a new policy from Untrust to Trust.

  1. Name it eMule-TCP-7000 (it will carry the UDP service as well). Source Address is ANY.
  2. Destination Address is the Address Book Entry VIP(ethernet0/0), which ScreenOS created for you when you added the VIP.
  3. Under Service choose (Multiple), then add your two custom eMule services for TCP and UDP.
  4. No further changes are required, though you may choose to enable logging or counters. Hit OK. Keep in mind that with Source Address ANY, every host on the Internet can reach your eMule machine on 7000/tcp and 7001/udp, so keep the service objects pinned to exactly those two destination ports rather than a range, and don't widen the policy beyond the two custom services.

I expect you could argue that a single new service object for both protocols would work. I originally tried this, but despite my mucking around with policies I couldn't get the UDP through. I finally broke TCP and UDP apart and it works. I tested this by firing up eMule, running the firewall test (passed) and downloading a new Linux distro ISO image. A few hours later, after the ISO image downloaded successfully, I deleted the ISO image file because I'd never install anything that came off a P2P network!

I had to take the Juniper back to the office, since it belongs to the company, so don't deluge me with SSG questions... this was just a quick bit of nerdy new toy fun.
