02-04-2003 05:51 AM - edited 02-20-2020 09:20 PM
Good morning
I have a customer who has an edge router 3640 style. This is an educational facility, the network admin really does not mind students pulling music down, he simply does not want extraneous hosts pulling music outbound off of student boxes from his network.
I want to build access-lists on this 3640 to prevent the outbound connections for these music services...
The inside network numbers are 192.240.88.0 for example....
pls help...
Solved! Go to Solution.
02-10-2003 02:26 PM
It relly depends on your music file sharing protocol. For example, to configure an access list to block KazaA, the access list statement would be something like
access-list out deny tcp host x.x.x.x any eq 1214
access-list out permit ip any any
Here is more information you might help you. Some of this information is old and it might not be be applicable. It would thus be a good idea to cross check the same.
App: Kazaa and Morpheus
Block clients connecting to each other and the application is broken.
-Deny TCP and UDP 1214
App: WinMX
This package is Napster-like and requires a central site to enable file sharing. Blocking this site by it's IP prevents it's use.
App: AudioGalaxy Satellite
This package uses higher ports to search AudioGalaxy Satellite servers and FTP (TCP 21 and TCP 20) to perform the actual file transfers. Also blocking the AudioGalaxy netblock should help. Completely denying FTP will prevent this service as well.
-Deny TCP and UDP TCP 41000-42000
App: Napigator
Napster like tool, requires central site to function. Blocking the central site blocks Napigator.
App: Freenet
The only effective way to catch this type of traffic is watching the header traffic for telltales. Many packetfilters allow searching the first packet of a stream for string matches. Generally speaking, the implementation of this kind of filter is outside of the scope of a simple HOW-TO doc. The protocol is built from the groundup to not rely on any specific port. For more information refer to
App: Napster
Block access to the Napster central netblocks (these could change periodically) this prevent Napster use:
-Deny traffic to destination and any traffic from source.
Block access to peer file shares, only filter default ports. This could break some internet usage (very doubtful) but would prevent Napster usage if the above netblock were to change to another set of addresses.
-Deny traffic to destination: 0.0.0.0/0 TCP 6699
-Deny traffic from source: 0.0.0.0/0 TCP 6699
-Deny traffic to destination: 0.0.0.0/0 UDP 6699
-Deny traffic from source: 0.0.0.0/0 UDP 6699
App: Aimster
Blocking Aimster requires blocking AOL Instant Messenger (AIM). AIM is getting harder to block without the use of a filter or proxy that looks at TCP 80 (Web) traffic and verifies that in fact only HTTP traffic is passing on this port. Using the following filters make AIM (and Aimster) much harder to use.
Block client ICQ/AIM traffic
-Deny traffic to destination: 0.0.0.0/0 TCP 5190
-Deny traffic from source: 0.0.0.0/0 TCP 5190
-Deny traffic to destination: 0.0.0.0/0 UDP 5190
-Deny traffic from source: 0.0.0.0/0 UDP 5190
Since AIM can also use TCP 13, 23, 80, 113, and others, it might be best to blocklist AOL sites altogether or only allow DNS lookups. This solution pretty much break AOL access from within so use carefully. The best solution is outlined above, filter TCP 5190 and UDP 5190 as well as use filters or proxies that don't allow non-HTTP traffic to use TCP 80.
App: iMesh
Blocking access to the iMesh central server breaks iMesh.
App: eDonkey
Block clients connecting to the server
-Deny traffic to destination: 0.0.0.0/0 TCP 4661
-Deny traffic from source: 0.0.0.0/0 TCP 4661
-Deny traffic to destination: 0.0.0.0/0 UDP 4665
-Deny traffic from source: 0.0.0.0/0 UDP 4665
Block clients connecting to each other
-Deny traffic to destination: 0.0.0.0/0 TCP 4662
-Deny traffic from source: 0.0.0.0/0 TCP 4662
App: Gnutella (also BearShare, ToadNode, Limewire, Gnucleus, and others)
When left at the default settings, Gnutella can be blocked as follows.
Block clients connecting to each other
-Deny traffic to destination: 0.0.0.0/0 TCP 6345-6349
-Deny traffic from source: 0.0.0.0/0 TCP 6345-6349
-Deny traffic to destination: 0.0.0.0/0 UDP 6345-6349
-Deny traffic from source: 0.0.0.0/0 UDP 6345-6349
02-10-2003 02:26 PM
It relly depends on your music file sharing protocol. For example, to configure an access list to block KazaA, the access list statement would be something like
access-list out deny tcp host x.x.x.x any eq 1214
access-list out permit ip any any
Here is more information you might help you. Some of this information is old and it might not be be applicable. It would thus be a good idea to cross check the same.
App: Kazaa and Morpheus
Block clients connecting to each other and the application is broken.
-Deny TCP and UDP 1214
App: WinMX
This package is Napster-like and requires a central site to enable file sharing. Blocking this site by it's IP prevents it's use.
App: AudioGalaxy Satellite
This package uses higher ports to search AudioGalaxy Satellite servers and FTP (TCP 21 and TCP 20) to perform the actual file transfers. Also blocking the AudioGalaxy netblock should help. Completely denying FTP will prevent this service as well.
-Deny TCP and UDP TCP 41000-42000
App: Napigator
Napster like tool, requires central site to function. Blocking the central site blocks Napigator.
App: Freenet
The only effective way to catch this type of traffic is watching the header traffic for telltales. Many packetfilters allow searching the first packet of a stream for string matches. Generally speaking, the implementation of this kind of filter is outside of the scope of a simple HOW-TO doc. The protocol is built from the groundup to not rely on any specific port. For more information refer to
App: Napster
Block access to the Napster central netblocks (these could change periodically) this prevent Napster use:
-Deny traffic to destination and any traffic from source.
Block access to peer file shares, only filter default ports. This could break some internet usage (very doubtful) but would prevent Napster usage if the above netblock were to change to another set of addresses.
-Deny traffic to destination: 0.0.0.0/0 TCP 6699
-Deny traffic from source: 0.0.0.0/0 TCP 6699
-Deny traffic to destination: 0.0.0.0/0 UDP 6699
-Deny traffic from source: 0.0.0.0/0 UDP 6699
App: Aimster
Blocking Aimster requires blocking AOL Instant Messenger (AIM). AIM is getting harder to block without the use of a filter or proxy that looks at TCP 80 (Web) traffic and verifies that in fact only HTTP traffic is passing on this port. Using the following filters make AIM (and Aimster) much harder to use.
Block client ICQ/AIM traffic
-Deny traffic to destination: 0.0.0.0/0 TCP 5190
-Deny traffic from source: 0.0.0.0/0 TCP 5190
-Deny traffic to destination: 0.0.0.0/0 UDP 5190
-Deny traffic from source: 0.0.0.0/0 UDP 5190
Since AIM can also use TCP 13, 23, 80, 113, and others, it might be best to blocklist AOL sites altogether or only allow DNS lookups. This solution pretty much break AOL access from within so use carefully. The best solution is outlined above, filter TCP 5190 and UDP 5190 as well as use filters or proxies that don't allow non-HTTP traffic to use TCP 80.
App: iMesh
Blocking access to the iMesh central server breaks iMesh.
App: eDonkey
Block clients connecting to the server
-Deny traffic to destination: 0.0.0.0/0 TCP 4661
-Deny traffic from source: 0.0.0.0/0 TCP 4661
-Deny traffic to destination: 0.0.0.0/0 UDP 4665
-Deny traffic from source: 0.0.0.0/0 UDP 4665
Block clients connecting to each other
-Deny traffic to destination: 0.0.0.0/0 TCP 4662
-Deny traffic from source: 0.0.0.0/0 TCP 4662
App: Gnutella (also BearShare, ToadNode, Limewire, Gnucleus, and others)
When left at the default settings, Gnutella can be blocked as follows.
Block clients connecting to each other
-Deny traffic to destination: 0.0.0.0/0 TCP 6345-6349
-Deny traffic from source: 0.0.0.0/0 TCP 6345-6349
-Deny traffic to destination: 0.0.0.0/0 UDP 6345-6349
-Deny traffic from source: 0.0.0.0/0 UDP 6345-6349
02-10-2003 03:55 PM
Beth
Thanks so much for taking the time to document all this! I cant believe you went to such lengths and am extremely grateful for your help!
I will be attempting these configs soon...
02-25-2003 05:40 PM
You can use NBAR to identify the traffic and then drop it. This example below uses the PDLMs of NBAR to identify the traffic coming in interface serial 0, then sets the DSCP to be 3, and the access-list on ethernet 0 drops the traffic.
class-map match-any TEMP
match protocol kazaa2
match protocol napster
match protocol gnutella
match protocol fasttrack
Then mark the traffic:
policy-map Test
class-map TEMP
set qos dscp 3
interface serial 0
service-policy in TEST
interface ethernet 0
ip access-group 100 out
access-list 100 deny ip any any dscp 3
access-list 100 permit ip any any
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide