Blocking Real Audio & Video

prakashj
Level 1

Hi friends

I'm very new at configuring a PIX. I hope someone can help me. I'm trying to configure my PIX to block the Real Audio and Video streaming.

After doing a little reading I found out that the Real Audio & Video make use of the Following ports

TCP : 7070

UDP : 6970 - 7170

I can block the TCP port 7070 by applying access-lists. But how do I block the 200 UDP ports?? Is the fixup protocol rtsp 554 somehow related to this??

do I have to disable that to block the ports??

All your help is appreciated

Thank you

3 Replies

piseli
Level 1

Block tcp port 7070 on the inside network and remove the fixup rtsp from the config.

example:

access-list inside deny tcp any any eq 7070
access-list inside permit ip any any
access-group inside in interface inside
# This will block all outbound TCP 7070 connections
# from the inside interface.

no fixup protocol rtsp 554
# RealAudio uses RTSP; if there is no fixup, there cannot be RealAudio.

Try this !!

Some information:

RealAudio: TCP port 7070, UDP ports 6170-7170. Rather than just opening these ports, a slightly safer configuration can be achieved by careful configuration of the TCP port connection. The TCP port 7070 is used by the client to initiate a conversation with an external RealServer, to authenticate the player to the server, and to pass control messages during playback (e.g., pausing or stopping the audio stream). Since you do not want incoming connection attempts on this port, you should configure the router's access control list to allow TCP connections on port 7070 to be initiated from the inside network exclusively. Incoming traffic, on the other hand, should only be allowed if it is part of an ongoing connection. This is assured by requiring incoming TCP packets to have the ACK bit set in the TCP header carried by every packet. The syntax for specifying that the ACK bit must be set varies with the kind of router you own, but for Cisco routers the flag "ESTABLISHED" can be put at the end of the line in an access rule to specify that an incoming packet must be part of an ongoing conversation.

http://www.linnetsol.co.uk/port-filter.asp

Real Time Streaming Protocol (RTSP)

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1063957

sincerely

Patrick

Hi Patrick

Thank you for replying. I have already tried applying the access-lists to the inside interface and also the no fixup rtsp 554 command, but it still didn't block the RealAudio streaming. I even made sure that both my primary and failover firewalls have the same configuration.

I'm still trying to figure out how to block the UDP traffic.

Thank you

I found more details on the Real Player web site:

http://service.real.com/firewall/adminfw.html

block TCP port 7070 - 7071

block TCP port 554

block incoming UDP ports 6970 - 7170

block TCP 554

It is also possible to define the incoming UDP ports and some proxy settings in the RealPlayer preferences.

good luck

Patrick
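As an added example (not posted by anyone in this thread), here is a PIX 6.x-style access list that covers the whole port set listed above, using the access-list `range` operator for the UDP block instead of 200 single-port entries. The access-list name `inside_out` and the interface name `inside` are assumptions; the `!` lines are explanatory and can be dropped when pasting.

```cisco
! Outbound filter applied to the inside interface (names assumed).
! Entries are matched top-down, so the deny lines must come before the permit.
access-list inside_out deny tcp any any eq 7070
access-list inside_out deny tcp any any eq 7071
access-list inside_out deny tcp any any eq 554
! One entry covers UDP 6970-7170 instead of one line per port.
access-list inside_out deny udp any any range 6970 7170
access-list inside_out permit ip any any
access-group inside_out in interface inside
! Disable the RTSP fixup so the firewall does not open dynamic UDP pinholes
! for the stream on behalf of the client.
no fixup protocol rtsp 554
! Verify: hit counters on the deny entries increase while a client tries to stream.
show access-list inside_out
```

Because the PIX only creates UDP connection entries for traffic it has seen leave, denying the outbound UDP range together with removing the fixup also stops the return stream from the server; check `show access-list` hit counts to confirm which entry is actually catching the traffic.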