11-08-2004 07:24 AM - edited 03-02-2019 07:48 PM
Hi all,
I have a Cisco router 836 and I have been trying to block some of the ports that P2P apps use. For instance, LimeWire uses port 6349 for listening and 6346 for file sharing.
Unfortunately this router only has the basic firewall (ACL, not NBAR).
Could someone please point me in the right direction for blocking this port? I have tried and the file sharing still happens :(
Thanks in advance for your assistance.
11-08-2004 07:36 AM
This link might list most of the port numbers used by P2P apps.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801e419a.shtml
Some of the programs like Kazaa2 cannot be blocked unless you use NBAR.
What does your ACL look like and also how is it applied on your interface (outside/inside interface, inbound or outbound?)
11-08-2004 09:15 AM
11-10-2004 08:58 PM
Not sure if this is practical for your situation, but you could explicitly define what ports are allowed, then deny everything else. This is what our company did on some 800 series routers.
Example: if you only want to allow outgoing traffic to ports 80 (HTTP), 443 (HTTPS) and 25 (SMTP), then:
! acl 130: outbound on Dialer0 (EGRESS FILTERING):
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 permit tcp any any eq 25
access-list 130 deny tcp any any log
! the log above is optional, but helps when troubleshooting
!
interface Dialer0
 ip access-group 130 out
You will probably want to allow other things, such as ICMP. Here is something to serve as a starting point:
!! acl 130: outbound on Dialer0 (EGRESS FILTERING):
!!! clear any existing acl 130 before rebuilding it (a bare "access-list 130" is not valid IOS syntax)
no access-list 130
!!!
!!! Deny traffic going to RFC1918 networks
access-list 130 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 130 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 130 deny ip any 192.168.0.0 0.0.255.255 log-input
!!!
!!! Allow only specific ICMP:
!!! allow to our network and the IP address of the external
!!! interfaces on this router.
!!!
!!! http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
!!! http://www.worldgate.com/~marcs/mtu/
!!!
!!! (3 0) net-unreachable
access-list 130 permit icmp any any 3 0
!!! (3 1) host-unreachable
access-list 130 permit icmp any any 3 1
!!! (3 2) protocol-unreachable
access-list 130 permit icmp any any 3 2
!!! (3 3) port-unreachable
access-list 130 permit icmp any any 3 3
!!! (3 4) packet-too-big
access-list 130 permit icmp any any 3 4
!!! (3 13) administratively-prohibited
access-list 130 permit icmp any any 3 13
!!! (4) source-quench
access-list 130 permit icmp any any 4
!!! (11 0) ttl-exceeded
access-list 130 permit icmp any any 11 0
!!! (8 0) echo
access-list 130 permit icmp any any 8 0
!!! (0 0) echo-reply
access-list 130 permit icmp any any echo-reply
!!!
!!! Allow REALAUDIO
access-list 130 permit tcp any any eq 7070
access-list 130 permit tcp any any eq 554
!!!
!!!
!!! Allow CUSEEME
access-list 130 permit tcp any any eq 7648
access-list 130 permit udp any any eq 7648
access-list 130 permit tcp any any eq 24032
access-list 130 permit udp any any eq 24032
!!!
!!!
!!! Allow WWW (80) / HTTPS(443)
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any any eq 443
!!!
!!!
!!! Allow SMTP(25)
access-list 130 permit tcp any any eq 25
!!!
!!!
!!! Allow IPSec traffic. IPSec uses
!!! IP protocols 50 and 51 and UDP port 500.
access-list 130 permit 50 any any
access-list 130 permit 51 any any
access-list 130 permit udp any any eq 500
!!!
!!!
!!! Allow PPTP traffic.
access-list 130 permit tcp any any eq 1723
access-list 130 permit gre any any
!!!
!!!
!!! Allow FTP traffic
access-list 130 permit tcp any any eq ftp-data
access-list 130 permit tcp any any eq ftp
!!!
!!!
!!! Deny and log everything that does not match above rules.
!!! We include the entire port ranges for tcp and udp explicitly
!!! to ensure values for source and destination ports are logged.
access-list 130 deny tcp any range 0 65535 any range 0 65535 log-input
access-list 130 deny udp any range 0 65535 any range 0 65535 log-input
access-list 130 deny ip any any log-input
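As an added illustration (not from this thread, and not Cisco code), here is a small Python model of how IOS walks a numbered extended ACL such as acl 130 above: first matching entry wins, the wildcard mask marks the don't-care bits, and anything not explicitly permitted falls through to the implicit deny at the end. It parses a constructed subset of the posted list, in the posted order, and checks constructed outbound flows from a LAN host; it also shows that DNS (UDP 53) from LAN hosts is dropped by this list because nothing permits it, which only works if the router itself is the resolver, since router-originated traffic is not subject to an outbound interface ACL.

```python
import ipaddress

# Constructed subset of the poster's acl 130, kept in the same order (full list above).
ACL_130 = """
access-list 130 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 130 permit icmp any any 8 0
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any any eq 443
access-list 130 permit udp any any eq 500
access-list 130 permit tcp any any eq ftp-data
"""

def _addr(tok):  # consume 'any' or 'A WILDCARD' (contiguous wildcard masks only; no 'host')
    t = tok.pop(0)
    return None if t == "any" else ipaddress.ip_network((t, tok.pop(0)), strict=False)

def _ports(tok):  # consume an optional 'eq P'; None means any port ('range' not handled)
    if tok and tok[0] == "eq":
        p = {"www": 80, "ftp": 21, "ftp-data": 20}.get(tok[1]) or int(tok[1])  # IOS keywords
        del tok[:2]
        return (p, p)
    return None

def parse_acl(text):
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 4 or tok[0] != "access-list":
            continue  # blank line or '!' comment
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport = _addr(rest), _ports(rest)
        dst, dport = _addr(rest), _ports(rest)  # trailing icmp type/code or 'log' ignored
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=0, dport=0):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, rs, rsp, rd, rdp in rules:
        if (p in ("ip", proto) and (rs is None or s in rs) and (rd is None or d in rd)
                and (rsp is None or rsp[0] <= sport <= rsp[1])
                and (rdp is None or rdp[0] <= dport <= rdp[1])):
            return action
    return "deny"

def egress_verdicts():  # outbound flows from a LAN host to a public host (both constructed)
    rules, lan, www = parse_acl(ACL_130), "192.168.1.10", "198.51.100.5"
    return {"limewire_6346": evaluate(rules, "tcp", lan, www, 51000, 6346),
            "http_80": evaluate(rules, "tcp", lan, www, 51001, 80),  # a P2P app on 80 passes too
            "dns_udp_53": evaluate(rules, "udp", lan, www, 51002, 53),  # nothing permits it
            "to_rfc1918": evaluate(rules, "tcp", lan, "10.1.2.3", 51003, 80)}
```

The "to_rfc1918" flow is denied even though port 80 is permitted later in the list, which is why the RFC1918 deny entries must come before the permits.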
11-10-2004 09:08 PM
I forgot: if you are afraid that Kazaa or other programs might use port 80, you may be able to use N2H2 or Websense to filter what URLs are allowed.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a008014654a.html
Also, release 7.0 of the PIX supports blocking of P2P apps natively, but you may not have deep pockets.