Solved: Re: ACL's to prevent outbound kazaa, gnutela, grokster traffic

Kevin Melton · ‎02-04-2003

Good morning

I have a customer who has an edge router 3640 style. This is an educational facility, the network admin really does not mind students pulling music down, he simply does not want extraneous hosts pulling music outbound off of student boxes from his network.

I want to build access-lists on this 3640 to prevent the outbound connections for these music services...

The inside network numbers are 192.240.88.0 for example....

pls help...

beth-martin · ‎02-10-2003

It relly depends on your music file sharing protocol. For example, to configure an access list to block KazaA, the access list statement would be something like

access-list out deny tcp host x.x.x.x any eq 1214

access-list out permit ip any any

Here is more information you might help you. Some of this information is old and it might not be be applicable. It would thus be a good idea to cross check the same.

App: Kazaa and Morpheus

Block clients connecting to each other and the application is broken.

-Deny TCP and UDP 1214

App: WinMX

This package is Napster-like and requires a central site to enable file sharing. Blocking this site by it's IP prevents it's use.

App: AudioGalaxy Satellite

This package uses higher ports to search AudioGalaxy Satellite servers and FTP (TCP 21 and TCP 20) to perform the actual file transfers. Also blocking the AudioGalaxy netblock should help. Completely denying FTP will prevent this service as well.

-Deny TCP and UDP TCP 41000-42000

App: Napigator

Napster like tool, requires central site to function. Blocking the central site blocks Napigator.

App: Freenet

The only effective way to catch this type of traffic is watching the header traffic for telltales. Many packetfilters allow searching the first packet of a stream for string matches. Generally speaking, the implementation of this kind of filter is outside of the scope of a simple HOW-TO doc. The protocol is built from the groundup to not rely on any specific port. For more information refer to

http://freenetproject.org.

App: Napster

Block access to the Napster central netblocks (these could change periodically) this prevent Napster use:

-Deny traffic to destination and any traffic from source.

Block access to peer file shares, only filter default ports. This could break some internet usage (very doubtful) but would prevent Napster usage if the above netblock were to change to another set of addresses.

-Deny traffic to destination: 0.0.0.0/0 TCP 6699

-Deny traffic from source: 0.0.0.0/0 TCP 6699

-Deny traffic to destination: 0.0.0.0/0 UDP 6699

-Deny traffic from source: 0.0.0.0/0 UDP 6699

App: Aimster

Blocking Aimster requires blocking AOL Instant Messenger (AIM). AIM is getting harder to block without the use of a filter or proxy that looks at TCP 80 (Web) traffic and verifies that in fact only HTTP traffic is passing on this port. Using the following filters make AIM (and Aimster) much harder to use.

Block client ICQ/AIM traffic

-Deny traffic to destination: 0.0.0.0/0 TCP 5190

-Deny traffic from source: 0.0.0.0/0 TCP 5190

-Deny traffic to destination: 0.0.0.0/0 UDP 5190

-Deny traffic from source: 0.0.0.0/0 UDP 5190

Since AIM can also use TCP 13, 23, 80, 113, and others, it might be best to blocklist AOL sites altogether or only allow DNS lookups. This solution pretty much break AOL access from within so use carefully. The best solution is outlined above, filter TCP 5190 and UDP 5190 as well as use filters or proxies that don't allow non-HTTP traffic to use TCP 80.

App: iMesh

Blocking access to the iMesh central server breaks iMesh.

App: eDonkey

Block clients connecting to the server

-Deny traffic to destination: 0.0.0.0/0 TCP 4661

-Deny traffic from source: 0.0.0.0/0 TCP 4661

-Deny traffic to destination: 0.0.0.0/0 UDP 4665

-Deny traffic from source: 0.0.0.0/0 UDP 4665

Block clients connecting to each other

-Deny traffic to destination: 0.0.0.0/0 TCP 4662

-Deny traffic from source: 0.0.0.0/0 TCP 4662

App: Gnutella (also BearShare, ToadNode, Limewire, Gnucleus, and others)

When left at the default settings, Gnutella can be blocked as follows.

Block clients connecting to each other

-Deny traffic to destination: 0.0.0.0/0 TCP 6345-6349

-Deny traffic from source: 0.0.0.0/0 TCP 6345-6349

-Deny traffic to destination: 0.0.0.0/0 UDP 6345-6349

-Deny traffic from source: 0.0.0.0/0 UDP 6345-6349

View solution in original post

beth-martin · ‎02-10-2003

It relly depends on your music file sharing protocol. For example, to configure an access list to block KazaA, the access list statement would be something like

access-list out deny tcp host x.x.x.x any eq 1214

access-list out permit ip any any

Here is more information you might help you. Some of this information is old and it might not be be applicable. It would thus be a good idea to cross check the same.

App: Kazaa and Morpheus

Block clients connecting to each other and the application is broken.

-Deny TCP and UDP 1214

App: WinMX

This package is Napster-like and requires a central site to enable file sharing. Blocking this site by it's IP prevents it's use.

App: AudioGalaxy Satellite

This package uses higher ports to search AudioGalaxy Satellite servers and FTP (TCP 21 and TCP 20) to perform the actual file transfers. Also blocking the AudioGalaxy netblock should help. Completely denying FTP will prevent this service as well.

-Deny TCP and UDP TCP 41000-42000

App: Napigator

Napster like tool, requires central site to function. Blocking the central site blocks Napigator.

App: Freenet

The only effective way to catch this type of traffic is watching the header traffic for telltales. Many packetfilters allow searching the first packet of a stream for string matches. Generally speaking, the implementation of this kind of filter is outside of the scope of a simple HOW-TO doc. The protocol is built from the groundup to not rely on any specific port. For more information refer to

http://freenetproject.org.

App: Napster

Block access to the Napster central netblocks (these could change periodically) this prevent Napster use:

-Deny traffic to destination and any traffic from source.

Block access to peer file shares, only filter default ports. This could break some internet usage (very doubtful) but would prevent Napster usage if the above netblock were to change to another set of addresses.

-Deny traffic to destination: 0.0.0.0/0 TCP 6699

-Deny traffic from source: 0.0.0.0/0 TCP 6699

-Deny traffic to destination: 0.0.0.0/0 UDP 6699

-Deny traffic from source: 0.0.0.0/0 UDP 6699

App: Aimster

Blocking Aimster requires blocking AOL Instant Messenger (AIM). AIM is getting harder to block without the use of a filter or proxy that looks at TCP 80 (Web) traffic and verifies that in fact only HTTP traffic is passing on this port. Using the following filters make AIM (and Aimster) much harder to use.

Block client ICQ/AIM traffic

-Deny traffic to destination: 0.0.0.0/0 TCP 5190

-Deny traffic from source: 0.0.0.0/0 TCP 5190

-Deny traffic to destination: 0.0.0.0/0 UDP 5190

-Deny traffic from source: 0.0.0.0/0 UDP 5190

Since AIM can also use TCP 13, 23, 80, 113, and others, it might be best to blocklist AOL sites altogether or only allow DNS lookups. This solution pretty much break AOL access from within so use carefully. The best solution is outlined above, filter TCP 5190 and UDP 5190 as well as use filters or proxies that don't allow non-HTTP traffic to use TCP 80.

App: iMesh

Blocking access to the iMesh central server breaks iMesh.

App: eDonkey

Block clients connecting to the server

-Deny traffic to destination: 0.0.0.0/0 TCP 4661

-Deny traffic from source: 0.0.0.0/0 TCP 4661

-Deny traffic to destination: 0.0.0.0/0 UDP 4665

-Deny traffic from source: 0.0.0.0/0 UDP 4665

Block clients connecting to each other

-Deny traffic to destination: 0.0.0.0/0 TCP 4662

-Deny traffic from source: 0.0.0.0/0 TCP 4662

App: Gnutella (also BearShare, ToadNode, Limewire, Gnucleus, and others)

When left at the default settings, Gnutella can be blocked as follows.

Block clients connecting to each other

-Deny traffic to destination: 0.0.0.0/0 TCP 6345-6349

-Deny traffic from source: 0.0.0.0/0 TCP 6345-6349

-Deny traffic to destination: 0.0.0.0/0 UDP 6345-6349

-Deny traffic from source: 0.0.0.0/0 UDP 6345-6349

Kevin Melton · ‎02-10-2003

Beth

Thanks so much for taking the time to document all this! I cant believe you went to such lengths and am extremely grateful for your help!

I will be attempting these configs soon...

shannong · ‎02-25-2003

You can use NBAR to identify the traffic and then drop it. This example below uses the PDLMs of NBAR to identify the traffic coming in interface serial 0, then sets the DSCP to be 3, and the access-list on ethernet 0 drops the traffic.

class-map match-any TEMP

match protocol kazaa2

match protocol napster

match protocol gnutella

match protocol fasttrack

Then mark the traffic:

policy-map Test

class-map TEMP

set qos dscp 3

interface serial 0

service-policy in TEST

interface ethernet 0

ip access-group 100 out

access-list 100 deny ip any any dscp 3

access-list 100 permit ip any any