-
Block P2P
I was wondering how I could block P2P programs such as Kazaa and Morpheus on a PIX 515r. I know that they connect initially on port 1214 and others use port 6346. Is blocking those ports enough? Also, what is the syntax of the statement to do this?
Thanks a lot.
-
As far as I know, if you don't have Kazaa or Morpheus you shouldn't have to worry about blocking them... If you do have them and don't want them to have any access, then you should just take them off of the machine... If you want to keep them, I would suggest configuring your firewall to block their access...
-
Maybe the wording of my question is throwing you off a bit. I want to block internal users that have Kazaa and other P2P programs on their computers from connecting to those programs. The point at which I have chosen to block them is at the firewall level (PIX 515r). I know these programs connect using port 1214 and others use 6346. Is just blocking those ports enough to stop the P2P traffic, or are further steps required? Also, what is the syntax to add these lines in the FW?
Sorry for the confusion
-
What FW are you using?
Best way to test this is to install these apps on your machine. Block those ports that they use, and then try to log on. If you can't log on, then you've got it. If you can, then take a look at the log files to see where and how these apps are getting through your FW. Block those points of entry, and then try to log on again.
You might want to take a look at blocking these apps' logon servers as it may prove a more feasible solution.
-
I believe he said he was using a PIX 515r, which is Cisco, I believe.
-
Some firewalls allow you to not let certain programs connect to the internet or even run. You should look for firewalls (namely ZoneAlarm, although I don't like it) that do that sort of thing. I hope I helped, and if I didn't, then explain a little better.
-
It is a Cisco 515r PIX FW that we are currently using. I added 6 lines:
access-list acl_in deny tcp any any eq 1214
access-list acl_in deny udp any any eq 1214
access-list acl_in deny tcp any any eq 6346
access-list acl_in deny udp any any eq 6346
access-list acl_in permit ip any any
access-group acl_in in interface inside
This worked, blocking users' access to Kazaa and Morpheus. However, within another popular P2P program, "WinMX", you have the ability to change the TCP & UDP ports that the program is using to connect. I am currently looking into ways to block that one.
Sgt_B, you said, "If you can, then take a look at the log files to see where and how these apps are getting through your FW". It seems like you are talking about log files on the FW. Could you or someone else explain a little more about that? I have never viewed a FW log file. Does it log all incoming and outgoing connections? How do I view it?
Thanks again guys
-
I wish I could help there, but I've never used PIX so I can't tell you how really. Trust me though, find out how to view your log files. They are invaluable!
What you can do, especially with this winmx app, is install the offending program on your machine. Then connect to the service. Take a look at your firewall log to see what port the service went out on, and where is the first place it went. The first place is usually a logon server of some sort. I've found that the easiest way to block programs that can change their outbound port is to block all access to the logon server.
Ready for the next problem? Most services have multiple logon servers (Yahoo Messenger has over 80). The trick is finding them. Usually the app will try a logon server, and if it is blocked, it may try to go to the next one in its list. Keep an eye on the log files, and find out where it's going.
First thing's first though. Find out how to view your log files. Do some digging on google, and if all else fails, start a new post here. I'm sure there's plenty of people who use PIX, and I'm sure they'd be glad to help as well.
:D
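The PIX can ship its connection-build messages to a syslog host (the `logging on`, `logging trap informational` and `logging host` commands), and the log-reading procedure Sgt_B describes above, "where did the client go first, and which server do many clients hit", is easy to automate once those lines are on a box you can script against. The script below is an added example, not from the thread or from Cisco; the sample lines are constructed with documentation addresses (10.1.1.x inside, 198.51.100.x/192.0.2.x outside) and follow the `%PIX-6-302013` "Built outbound TCP connection" layout as I remember it, so the regular expression is an assumption you should check against one real line from your own PIX before trusting the counts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not from the thread). They follow the PIX/ASA
# %PIX-6-302013 "Built outbound TCP connection" format as I remember it:
#   ... for <out-if>:<dst-ip>/<dst-port> (<mapped>) to <in-if>:<src-ip>/<src-port> (<mapped>)
# Adjust BUILT_RE if your PIX version logs connections in a different shape.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/6699 (198.51.100.7/6699) to inside:10.1.1.25/1133 (203.0.113.2/1133)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.7/6699 (198.51.100.7/6699) to inside:10.1.1.40/1290 (203.0.113.2/1290)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.25/1134 (203.0.113.2/1134)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.9/3571 (198.51.100.9/3571) to inside:10.1.1.25/1135 (203.0.113.2/1135)
%PIX-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.22/41872 (198.51.100.22/41872) to inside:10.1.1.25/1136 (203.0.113.2/1136)
%PIX-6-302013: Built outbound TCP connection 1006 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.1.1.40/1291 (203.0.113.2/1291)
"""

BUILT_RE = re.compile(
    r"Built outbound (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\)"
)


def parse_connections(log_text):
    """Return one dict per outbound connection message, in log order."""
    conns = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m:
            continue  # teardowns, denies and other message types are ignored here
        conns.append({
            "proto": m.group("proto"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
        })
    return conns


def first_destinations(conns):
    """For each inside host, the first outside host:port it built a connection to.
    Sgt_B's observation: that first hop is usually the app's logon server."""
    first = {}
    for c in conns:
        first.setdefault(c["src"], (c["dst"], c["dport"]))
    return first


def shared_destinations(conns, min_hosts=2):
    """Destinations contacted by at least min_hosts different inside hosts.
    A server that many clients hit right after start-up is a good candidate
    for a host-based deny rule, which survives the client changing its port."""
    hosts_by_dst = defaultdict(set)
    for c in conns:
        hosts_by_dst[(c["dst"], c["dport"])].add(c["src"])
    return {d: h for d, h in hosts_by_dst.items() if len(h) >= min_hosts}


def unexpected_destinations(conns, allowed_ports):
    """Count connections to ports outside the allow-list. A spread of arbitrary
    high ports with no repeats is the signature of a client that picks its own."""
    return Counter((c["dst"], c["dport"]) for c in conns if c["dport"] not in allowed_ports)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    print("first destination per inside host:", first_destinations(conns))
    print("destinations shared by >=2 hosts:", shared_destinations(conns))
    print("connections to non-allowed ports:", unexpected_destinations(conns, {80, 443}))
```

Feed it a day's worth of real syslog instead of `SAMPLE_LOG` and `shared_destinations` surfaces the logon servers, while `unexpected_destinations` shows how much traffic a port-only ACL would never have matched.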
-
Maybe you should connect to the IP of your router;
in some cases it will ask for a username and pass.
Just leave the user blank,
and the pass should be admin.
Possibly there you could find your logs.
(This is just what I know to do using a Linksys router.)
-
Lorenzo - Not having a username and password is a bad idea. Leaving the default username and password is even worse. You might want to correct this on your Linksys.
-
Lor3nzo, I think this firewall he's using is more of a business-class one than a home user/broadband router... :D
-
The logs on Linksys routers are defaulted to off.
-
As a thought, you could block outgoing access to all high ports (>1024). This will cause some problems with other applications, but you can allow those on a case-by-case basis. We only allow certain ports. It doesn't make our RealPlayer and AOL Instant Messenger junkies happy, but that's the price you pay.
-
Our router is a high-end Cisco 3640, but thanks anyway for the Linksys info. (BTW Lor3nzo, leaving the default pw is not advised.) I will check into viewing the logs, thanks.
Now that we are on the subject of Linksys routers (not wireless), how is the security on those? I'm thinking about getting one for home but want to know how secure you guys think it is. From what I can tell it just uses basic NAT.
-
WinMX uses TCP port 6699 and UDP port 6257. It won't run if they're blocked.
-
Those might be the standard ports, but they are user configurable, making the system admin's job a little harder.
-
Not only are the ports user configurable in WinMX, but Kazaa looks like it uses random ports to download. I blocked port 1214 on both the outside and inside interface of the FW, but users still could download files. When I do a "netstat -n" as I connect to download a file, I get different port numbers that the prog is connecting to. This is getting me really PISSED... I need a break.
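The "netstat -n" check in the post above can be turned into a quick measurement of how much a port-based deny rule actually covers: take a snapshot while a download is running, then list the established flows whose remote port is not on the blocked list. Those are exactly the connections the `deny tcp any any eq 1214` line cannot see. The script is an added example, not the poster's output or code; the snapshot is a constructed Windows-style `netstat -n` listing using documentation addresses, and the column layout it parses is an assumption about that platform's format.

```python
import re

# Constructed "netstat -n" snapshot from a Windows client mid-download (not the
# poster's real output). Columns: Proto, Local Address, Foreign Address, State.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.25:1133         198.51.100.7:1214      ESTABLISHED
  TCP    10.1.1.25:1140         198.51.100.31:2790     ESTABLISHED
  TCP    10.1.1.25:1141         198.51.100.64:3824     ESTABLISHED
  TCP    10.1.1.25:1142         192.0.2.10:80          TIME_WAIT
  TCP    10.1.1.25:1143         198.51.100.118:1214    SYN_SENT
"""

# One connection row: protocol, local ip:port, foreign ip:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)")


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _lhost, _lport, fhost, fport, state = m.groups()
        rows.append({"proto": proto, "remote": fhost, "rport": int(fport), "state": state})
    return rows


def bypassing_port_filter(rows, blocked_ports, state="ESTABLISHED"):
    """Connections in the given state whose remote port is NOT in the blocked
    set: the flows a port-only deny rule never matches."""
    return [r for r in rows if r["state"] == state and r["rport"] not in blocked_ports]


def remote_port_spread(rows):
    """Distinct remote ports in the snapshot. A wide spread with few repeats
    means peers are reached on arbitrary ports and a fixed-port ACL will not hold."""
    return sorted({r["rport"] for r in rows})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in bypassing_port_filter(rows, {1214}):
        print("missed by the 1214 rule:", r["remote"], r["rport"])
    print("remote ports seen:", remote_port_spread(rows))
```

Run it against a few snapshots taken a minute apart; if the set returned by `remote_port_spread` keeps growing, the port list is not a stable control and the logon-server or default-deny-high-ports approaches discussed earlier in the thread are the ones that will hold.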
-
I was reading this quickly and maybe I missed something, but what is wrong with just uninstalling the P2P apps on the machines? If you are the sys admin, network manager, etc., you should have rights to do this. Why let the users even have the programs if you are going to block the access? Go to the source of the problem and uninstall the apps. If they install them right back, refer to the security policy of the company you work for to take the proper actions.