November 12th, 2002, 04:39 PM
I was wondering how I could block P2P programs such as Kazaa and Morpheus on a PIX 515r. I know that they connect initially on port 1214 and others use port 6346. Is blocking those ports enough? Also, what is the syntax of the statement to do this?
Thanks a lot.
November 12th, 2002, 05:26 PM
As far as I know if you don't have Kazaa or Morpheus you shouldn't have to worry about blocking them... If you do have them and don't want them to have any access then you should just take them off of the machine.. If you want to keep them I would suggest configuring your firewall to block their access...
"Nuts!" - Commanding General 101st Airborne Division Dec 1944 in answer to German request that he surrender Bastogne during the Battle of the Bulge
Life has a certain flavor for those who have fought and risked it all that the sheltered and protected can never experience. - John Stewart Mill
White, Heterosexual, Christian male. I own guns, hunt, eat meat, burn wood, and my wife wears fur... Any questions?
November 12th, 2002, 05:45 PM
Maybe the wording of my question is throwing you off a bit. I want to block internal users that have Kazaa and other P2P programs on their computers from connecting to those programs. The point at which I have chosen to block them is at the firewall level (PIX 515r). I know these programs connect using port 1214 and others use 6346. Is just blocking those ports enough to stop the P2P traffic, or are further steps required? Also, what is the syntax to add these lines in the FW?
Sorry for the confusion
November 12th, 2002, 06:16 PM
What FW are you using?
Best way to test this is to install these apps on your machine. Block those ports that they use, and then try to log on. If you can't log on, then you've got it. If you can, then take a look at the log files to see where and how these apps are getting through your FW. Block those points of entry, and then try to log on again.
You might want to take a look at blocking these apps' logon servers as it may prove a more feasible solution.
November 12th, 2002, 07:43 PM
I believe he said he was using PIX 515r which is Cisco I believe
Violence breeds violence
we need a world court
not a republican with his hands covered in oil and military hardware lecturing us on world security!
November 12th, 2002, 09:21 PM
Some firewalls allow you to not let certain programs connect to the internet or even run. You should look for firewalls (namely ZoneAlarm, although I don't like it) that do that sort of thing. I hope I helped, and if I didn't then explain a little better.
November 12th, 2002, 09:33 PM
It is a Cisco 515r PIX FW that we are currently using. I added 6 lines:
access-list acl_in deny tcp any any eq 1214
access-list acl_in deny udp any any eq 1214
access-list acl_in deny tcp any any eq 6346
access-list acl_in deny udp any any eq 6346
access-list acl_in permit ip any any
access-group acl_in in interface inside
This worked, blocking users' access to Kazaa and Morpheus. However, within another popular P2P program, "WINMX", you have the ability to change the TCP & UDP ports that the program is using to connect. I am currently looking into ways to block that one.
Sgt_B, you said, "If you can, then take a look at the log files to see where and how these apps are getting through your FW". It seems like you are talking about log files on the FW. Could you or someone else explain a little more about that? I have never viewed a FW log file. Does it log all incoming and outgoing connections? How do I view it?
Thanks again guys
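To show what the five access-list lines above actually decide, here is an added Python simulation (not part of the thread and not Cisco code) that parses those lines and evaluates them first-match, the way the PIX does, against a constructed set of outbound connections. The sample connections, including a WinMX session moved to port 6699, are assumptions for illustration; it makes the WinMX caveat concrete, since a port-based ACL permits anything not on the listed ports.

```python
import re
from collections import namedtuple

# The access-list lines posted above, copied verbatim (access-group omitted).
PIX_ACL = """
access-list acl_in deny tcp any any eq 1214
access-list acl_in deny udp any any eq 1214
access-list acl_in deny tcp any any eq 6346
access-list acl_in deny udp any any eq 6346
access-list acl_in permit ip any any
"""

Rule = namedtuple("Rule", "action proto dport")
# Deliberately narrow grammar: only the 'any any [eq PORT]' form used in the post.
RULE_RE = re.compile(
    r"^access-list\s+\S+\s+(permit|deny)\s+(ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(\d+))?$")

def parse_acl(text):
    """Turn the posted lines into an ordered rule list; reject anything unsupported."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported access-list line: " + line)
        action, proto, port = m.groups()
        rules.append(Rule(action, proto, int(port) if port else None))
    return rules

def evaluate(rules, proto, dport):
    """First matching rule wins; an ACL with no match ends in the implicit deny."""
    for r in rules:
        if r.proto not in ("ip", proto):        # 'ip' matches every protocol
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

# Constructed sample of outbound connections (protocol, destination port, label).
SAMPLE = [
    ("tcp", 1214, "Kazaa on its default port"),
    ("udp", 6346, "Morpheus/Gnutella on its default port"),
    ("tcp", 80, "ordinary web browsing"),
    ("tcp", 6699, "WinMX after the user moved it to 6699 (assumed port)"),
]

def audit(rules, sample):
    """Map each labelled sample connection to the ACL's verdict."""
    return {label: evaluate(rules, proto, port) for proto, port, label in sample}

if __name__ == "__main__":
    for label, verdict in audit(parse_acl(PIX_ACL), SAMPLE).items():
        print(f"{verdict:6} {label}")
```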
November 13th, 2002, 02:06 PM
I wish I could help there, but I've never used PIX so I can't tell you how really. Trust me though, find out how to view your log files. They are invaluable!
What you can do, especially with this winmx app, is install the offending program on your machine. Then connect to the service. Take a look at your firewall log to see what port the service went out on, and where is the first place it went. The first place is usually a logon server of some sort. I've found that the easiest way to block programs that can change their outbound port is to block all access to the logon server.
Ready for the next problem? Most services have multiple logon servers (Yahoo Messenger has over 80). The trick is finding them. Usually the app will try a logon server, and if it is blocked, it may try to go to the next one in its list. Keep an eye on the log files, and find out where it's going.
First things first though. Find out how to view your log files. Do some digging on Google, and if all else fails, start a new post here. I'm sure there's plenty of people who use PIX, and I'm sure they'd be glad to help as well.
November 13th, 2002, 09:45 PM
Maybe you should connect to the IP of your router,
in some cases it will ask for a username and pass
just leave the user blank
and the pass should be admin
possibly there you could find your logs.
(this is just what I know to do using a Linksys router)
November 13th, 2002, 09:49 PM
Lorenzo - Not having a username and password is a bad idea. Leaving the default username and password is even worse. You might want to correct this on your Linksys