Recently, Comcast has stopped the seeding of torrents.

The following fix has been test on Linux and I am trying to figure out the equivalent for CISCO boxes.

Basically, what they're doing is telling your computer it needs to close it's TCP connection at a certain port (in this case, your torrent clients' port) via the RST TCP reset command.

In Linux, it's a simple fix. Every modern Linux distribution has iptables, so all you have to do is set it up to block this RST command. This should also work in BSD systems, Mac OS X, or any system with iptables.

All you have to do is run the following command, with superuser privileges (change the word $port to whatever port your torrent client uses).

Run in your shell/terminal: iptables -A INPUT -p tcp --dport $port --tcp-flags RST RST -j DROP

OK after all that here is the million dollar question.... I there an equivalent way to block these on a CISCO router (ok I know there is but what is it).....
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sorry the cisco access-lists dont have the required functionality to block traffic depending on particular tcp flags.

Cant you use encryption to bypass it?
jsoutterAuthor Commented:
Can you elobarate on the Encryption.

Encrypt the traffic between what 2 nodes?
Yes I know the utorrent client supports encryption. You can have it set to disabled, use if available, or always on. If you set it to always on then you will only connect to clients which support it. It does mean you will have fewer clients to connect to but hopefully comcast wont be able to tell it is p2p traffic.
jsoutterAuthor Commented:
OK utorrent encryption does not fix the issue.


access-list XXX deny tcp any any rst


This isn't just for Comcast users. It appears that sandvine sends RSTs to both the seeder and the leecher. Therefore, if you want to download from anyone who is on comcast, you have to do this fix, or something similar, as well.


I know there are a lot of us using comcast, and the tutorial here leaves out some important stuff... but not to fear, here's a complete guide to setting up WIPFW on Windows 2000 and XP. If you're having any problems, post 'em here and I'll have a solution for you in no time.

You MUST do this at a local console, as it will block all VNC/Remote Desktop connections by default.

This has only been tested on Windows 2000 & XP, with Vista YMMV.

Step 1:

Download WIPFW from sourceforge

Step 2:

Unzip to C:\Program Files\WIPFW

Step 3:

If you want a "default deny", double click "install-deny.cmd". Network activity WILL be cut off at this point.

If you want a "default allow", double click "install.cmd".

A default deny means that ALL data will be BLOCKED by default. If you are behind a router (or any other firewall) that has a firewall already built in, use default allow (Because your router is blocking the bad stuff anyway).

Step 4 (Windows XP only):

Start -> Control Panel -> Security Center -> Windows Firewall

Turn Windows Firewall OFF and click OK

Then, in the security center, click "Recommendations..." under the (now red) firewall header.

Check "I have a firewall solution that I'll monitor myself" and click OK

Step 5:

Save the following text in the file %systemroot%\System32\drivers\etc\protocol (%systemroot% is the windows directory). NOTE: This text may already be there. If so, just ignore this step.

protocol wrote:
# Copyright (c) 1993-1999 Microsoft Corp.
# This file contains the Internet protocols as defined by RFC 1700
# (Assigned Numbers).
# Format:
# [aliases...] [#]

ip 0 IP # Internet protocol
icmp 1 ICMP # Internet control message protocol
ggp 3 GGP # Gateway-gateway protocol
tcp 6 TCP # Transmission control protocol
egp 8 EGP # Exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # User datagram protocol
hmp 20 HMP # Host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
rvd 66 RVD # MIT remote virtual disk

Step 6:

Open C:\Program Files\WIPFW\wipfw.conf in notepad and replace the contents with the following:
NOTE: Make sure you replace "*****" with the port that your bittorrent client uses!

If you are using the Default Deny:

# wipfw.conf
# Replace ***** with your bittorrent port

# First flush the firewall rules
-f flush

# Localhost rules
add 100 allow all from any to any via lo*

# Prevent any traffic to, common in localhost spoofing
add 110 deny log all from any to in
add 120 deny log all from to any in

# Drop incoming packets with RST flag on BitTorrent port
# This is what thwarts Sandvine.
add deny tcp from any to me ***** tcpflags rst

# Setup stateful filtering
add check-state
add pass all from me to any out keep-state
add count log ip from any to any

# Allow new incoming BitTorrent connections
add pass tcp from any to any *****
add pass udp from any to any *****

If you are using the Default Allow:

# wipfw.conf
# Replace ***** with your bittorrent port

# First flush the firewall rules
-f flush

# Drop incoming packets with RST flag on BitTorrent port
# This is what thwarts Sandvine.
add deny tcp from any to me ***** tcpflags rst

Step 7:

If you are using a default deny, you will have to change the config to allow other network data through your network with any of the following rules (just add these rules to the end of wipfw.conf)

File & Print Sharing wrote:
#Replace with your local subnet and mask

# Allow Microsoft SMB file sharing w/ NetBIOS
add pass tcp from to me 135-139
add pass udp from to me 135-139

# Allow direct-hosted SMB w/out NetBIOS
add pass tcp from to me 445
add pass udp from to me 445

VNC wrote:
# Enable VNC
add pass tcp from any to me 5800-5801
add pass tcp from any to me 5900-5901

Remote Desktop wrote:
# Allow RDP/Terminal Services connections
add pass tcp from any to me 3389

SSH server wrote:
# Allow incoming SSH
add pass tcp from any to me 22

DNS server wrote:
# Allow incoming DNS
add pass udp from any to me 53

Web server wrote:
# Allow incoming WWW
add pass tcp from any to me 80

FTP server wrote:
# Allow incoming FTP
add pass tcp from any to me 21

More ports for other network services can be found here.

Save wipfw.conf when you're done.

Step 8:

Start -> Run

Type CMD.exe and press enter.

run the following two commands

>net stop ipfw

>net start ipfw

All done!

No objection to paq/refund

> access-list XXX deny tcp any any rst
Thanks for that. Its usefull to know. Normally you port the port number in that place in the access-list. I didnt know you could put rst there instead and the cisco documentation on the command at doesnt mention it either.

For the benefit of future readers it may be that you need a fairly new version of the Cisco IOS firmware for this option to be supported.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.