11-06-2001 04:08 PM - edited 03-01-2019 07:15 PM
Which ports should I block? Actually I don't want to block access, I just want to cut it back to about 2K so the users will give up rather than change the port. I need port numbers and int config to accomplish this.
11-15-2001 07:11 AM
I've never seen those port numbers published anywhere. You'll probably have to log test it in a lab.
11-17-2001 03:42 AM
You can do one thing. Install Morpheus and Napster on your system and run them. Then go to the command prompt and type in netstat and you will get the TCP connections with the port number that is being used. Then you can do the blocking of those ports. You can try this. I hope this will work.
11-18-2001 04:45 AM
Hello,
If your aim is to restrict bandwidth to a certain network of yours, you can do this.
1. Create an extended access-list to permit this particular network.
2. Now give this command in the interface of the router where this network is connected.
rate-limit output access-group
and this also
rate-limit input access-group
This would limit the bandwidth of those IPs to 50k upload and 50k download. Try this out. This is what I have implemented and found working fine.
Regards,
Ramesh
11-18-2001 08:40 PM
Be careful with this.
Napster, e.g., always uses different ports; when you block off one port, it simply goes to another one, so that won't work.
The other problem is that you can't block the Napster URL; it just prevents downloading the Napster software, but you can get the software from a lot of places around the world.
Q. So how can you stop this?
A. Only partially with NBAR or rate limiting
Napster uses TCP port 6699 as default. Putting a filter in that blocks this port brings Napster traffic to a screeching halt (for those using 6699). Blocking www.napster.com (URL filter) adds an extra measure of security, as all clients must contact the site before they can begin exchanging music files.
But forbidding the use of Napster and blocking access to the site isn't the best approach. Crafty programmers have already come up with a way around the port blocking -- Napster already allows users to choose their own port -- and mirrored servers with new names would get around the site block.
If you sniff your link you can determine the addresses of the Napster servers and rate limit accordingly (pain in the a!@).
Try NBAR. Use the "software search tool" on CCO and download the necessary .pdlm file as listed in the config below.
Ensure that ip cef is enabled.
!
ip cef
ip nbar pdlm slot0:napster.pdlm
!
!
class-map match-all napster_nonstd
 match protocol napster non-std
class-map match-all napster
 match protocol napster
!
!
policy-map napout
 class napster_nonstd
  police 10000 2500 2500 conform-action drop exceed-action drop
 class napster
  police 1000000 250000 250000 conform-action transmit exceed-action drop
policy-map napin
 class napster_nonstd
  police 10000 2500 2500 conform-action drop exceed-action drop
 class napster
  police 3000000 250000 250000 conform-action transmit exceed-action drop
------
Implementation, e.g.:
!
interface FastEthernet0/0
 description ***Residence Halls***
 ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx
 no ip mroute-cache
 duplex full
 service-policy input napin
 service-policy output napout
!
interface FastEthernet0/1
 description ***Admin***
 ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx
 ip nbar protocol-discovery
 duplex full
 no ip mroute-cache
!
interface ATM1/0
 description *** PVC to Sunnyville CSU router
 no ip address
 no atm ilmi-keepalive
!
interface ATM1/0.1 point-to-point
 bandwidth 30000
 ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx
 ip nbar protocol-discovery
 ip policy route-map papapix
 atm pvc 5 0 385 aal5snap 30000 30000
Good Luck !!
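To see what the `police` lines in the post above do to a flow, here is an added example (not part of the original post, and not Cisco code) that models each class as a token bucket and offers it constant-rate traffic. Assumptions: a simplified single-bucket model that ignores the third (`burst-max`) argument, constructed traffic of 1500-byte packets, and hypothetical names `Policer` and `passed_bps`.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Simplified model (assumption): one token bucket, burst-max ignored."""
    rate_bps: int         # 1st `police` argument, bits per second
    burst_bytes: int      # 2nd `police` argument (normal burst), bytes
    conform_action: str   # "transmit" or "drop"
    exceed_action: str    # "transmit" or "drop"

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full
        self.last = 0.0                         # time of the previous packet

    def offer(self, t, size):
        """Return the action for a packet of `size` bytes arriving at time t (s)."""
        refill = (t - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = t
        if size <= self.tokens:                 # packet conforms: spend tokens
            self.tokens -= size
            return self.conform_action
        return self.exceed_action               # packet exceeds: bucket untouched


def passed_bps(policer, offered_bps, seconds=60, pkt=1500):
    """Offer a constant-rate stream (constructed traffic) and return the
    average transmitted rate in bits per second."""
    interval = pkt * 8 / offered_bps
    count = int(seconds / interval)
    sent = sum(pkt for i in range(count)
               if policer.offer(i * interval, pkt) == "transmit")
    return sent * 8 / seconds


# Values copied from policy-map napout / napin in the post above.
def napster_nonstd(): return Policer(10000, 2500, "drop", "drop")
def napster_out(): return Policer(1000000, 250000, "transmit", "drop")
def napster_in(): return Policer(3000000, 250000, "transmit", "drop")


if __name__ == "__main__":
    for name, make in [("napster_nonstd", napster_nonstd),
                       ("napster (napout)", napster_out),
                       ("napster (napin)", napster_in)]:
        for offered in (500_000, 4_000_000):
            print(f"{name:18} offered {offered:>9} bps -> "
                  f"passed {passed_bps(make(), offered):>11.0f} bps")
```

In this model the `napster_nonstd` class passes nothing at any offered rate because both actions are `drop`, while the `napster` classes settle just above their configured rate because of the initial 250000-byte burst.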