kazaa and aimster

unixwiz
Level 1

We have a PIX 506 firewall and I am having problems with Kazaa and Aimster users. Is there a way to block those programs at the PIX, or do you have to block all MP3s? Thanks

4 Replies

ontrack
Level 1

You can block outgoing traffic that is going to any address on port 1214 to disable Kazaa. I am not sure about Aimster.

bfetzer
Level 1

Set rules by using the outbound command. I have two sets of outbound commands set on our two PIX 520s; we also have a PIX 506. I have an implicit DENY statement at the beginning of the first outbound rule. Then I simply open the ports that users actually NEED. Now the main problem with this is that newer chat/IM clients will simply ride other ports to get out. Take Yahoo Instant Messenger for instance. That is a very "intuitive program". It will ride port 80 and other very common ports, including telnet and FTP, to get out. WOW! Tough to block, right? Well, I just installed the app (Yahoo IM) and simply watched which specific chat servers it attached to. I then created outbound list number 2 to block each specific server for Yahoo and MSN. At this point I have had no problem blocking AOL IM. It seems it just rides out on its specific set of port lists. I haven't messed with ICQ though.

Here's my rule set. These are the rules; remember you still have to apply them. I will post that as well for each rule.

outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 80 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 80 udp
outbound 1 permit 0.0.0.0 0.0.0.0 53 udp
outbound 1 permit 0.0.0.0 0.0.0.0 53 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 20 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 20 udp
outbound 1 permit 0.0.0.0 0.0.0.0 21 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 21 udp
outbound 1 permit 0.0.0.0 0.0.0.0 25 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 25 udp
outbound 1 permit 0.0.0.0 0.0.0.0 443 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 443 udp
outbound 1 permit 0.0.0.0 0.0.0.0 1352 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 1352 udp
outbound 1 permit 0.0.0.0 0.0.0.0 3571 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 3571 udp
outbound 1 permit 0.0.0.0 0.0.0.0 7071 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 7070 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 554 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 6970 udp
outbound 1 permit 0.0.0.0 0.0.0.0 7170 udp
outbound 1 permit 0.0.0.0 0.0.0.0 8008 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 8008 udp
outbound 1 permit 0.0.0.0 0.0.0.0 8080 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 8080 udp
outbound 1 permit 0.0.0.0 0.0.0.0 3389 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 3389 udp
outbound 1 permit 192.168.7.218 255.255.255.255 1214 tcp
outbound 1 permit 192.168.7.218 255.255.255.255 1214 udp
outbound 1 permit 192.168.2.150 255.255.255.255 1214 tcp
outbound 1 permit 192.168.2.150 255.255.255.255 1214 udp
outbound 1 permit 192.168.2.80 255.255.255.255 1214 tcp
outbound 1 permit 192.168.2.80 255.255.255.255 1214 udp
outbound 1 permit 192.168.7.73 255.255.255.255 110 tcp
outbound 1 permit 192.168.7.73 255.255.255.255 110 udp
outbound 1 deny 64.4.13.179 255.255.255.255 0 ip
outbound 2 deny 64.4.13.179 255.255.255.255 0 ip
outbound 2 deny 64.4.13.179 255.255.255.255 80 ip
outbound 2 deny 64.4.13.175 255.255.255.255 0 ip
outbound 2 deny 64.4.13.170 255.255.255.255 0 ip
outbound 2 deny 216.136.227.168 255.255.255.255 0 ip
outbound 2 deny 216.136.224.213 255.255.255.255 0 ip
outbound 2 deny 216.136.225.35 255.255.255.255 0 ip
outbound 2 deny 216.136.226.117 255.255.255.255 0 ip
outbound 2 deny 216.136.131.93 255.255.255.255 0 ip
outbound 2 deny 216.136.227.166 255.255.255.255 0 ip
outbound 2 deny 216.136.227.167 255.255.255.255 0 ip
outbound 2 deny 199.172.158.95 255.255.255.255 0 ip
outbound 2 deny 199.172.158.96 255.255.255.255 0 ip
outbound 2 deny 216.136.224.143 255.255.255.255 0 ip
outbound 2 deny 216.136.224.142 255.255.255.255 0 ip

Some of the rules may be overdoing it, but it works very, very well. The first outbound rule is applied by issuing this command:

apply (inside) 1 outgoing_src

This command applies the second outbound rule (this takes care of the MSN/Yahoo servers):

apply (inside) 2 outgoing_dest

As you can see, I do have an allow for a couple of people to use Kazaa... one being myself; man, I'm a hypocrite. In any case, this stuff can be pretty fun and easy; just look up more topics on Cisco's website for help with this.
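The deny-by-default list and the two apply directions described in the post above, modelled as an added example (this is not code from the post or from Cisco): a small Python evaluator that parses the posted outbound/apply lines and returns a verdict for one connection. Its evaluation order is an assumption about PIX behaviour (best match by most specific mask, then an explicit port over the wildcard 0, then tcp/udp over ip, with deny winning an exact tie, and permit when no rule in an applied list matches), so confirm it against the command reference for your PIX version before relying on it. Run over the posted rules it shows the two points this thread raises: the per-host 1214 permits override the deny-all only for those hosts, and an MSN address that is not in list 2 (64.4.13.182 from the connection table posted later in the thread) still gets out on port 80. It also shows that the deny-all rule as posted is tcp-only, so under these assumptions UDP to an unlisted port never hits a deny in list 1.

```python
"""Evaluate Cisco PIX 'outbound' / 'apply' lists against a single connection.

Added example, not code from the thread or from Cisco.  The rule text is an
abridged copy of the configuration posted above.  The evaluation order is an
ASSUMPTION about PIX semantics: best match wins (longest mask, then explicit
port, then tcp/udp over ip), deny wins an exact tie, and a connection that
matches no rule in an applied list is permitted.  Verify against the command
reference for your PIX version.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

# Abridged copy of the rules posted in the thread, used as sample config.
PIX_CONFIG = """
outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 80 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 53 udp
outbound 1 permit 0.0.0.0 0.0.0.0 443 tcp
outbound 1 permit 192.168.7.218 255.255.255.255 1214 tcp
outbound 1 permit 192.168.7.73 255.255.255.255 110 tcp
outbound 1 deny 64.4.13.179 255.255.255.255 0 ip
outbound 2 deny 64.4.13.179 255.255.255.255 0 ip
outbound 2 deny 64.4.13.170 255.255.255.255 0 ip
outbound 2 deny 216.136.227.168 255.255.255.255 0 ip
apply (inside) 1 outgoing_src
apply (inside) 2 outgoing_dest
"""


@dataclass(frozen=True)
class OutboundRule:
    list_id: int
    action: str            # "permit" or "deny"
    network: IPv4Network   # address + mask from the rule
    port: int              # 0 = any port
    proto: str             # "tcp", "udp" or "ip" (= any protocol)

    def matches(self, addr: IPv4Address, port: int, proto: str) -> bool:
        return (addr in self.network
                and self.port in (0, port)
                and self.proto in ("ip", proto))

    def specificity(self) -> Tuple[int, bool, bool, bool]:
        # Higher tuple = more specific.  'deny' as the last element makes a
        # deny beat a permit when everything else is equal (assumed tie rule).
        return (self.network.prefixlen, self.port != 0,
                self.proto != "ip", self.action == "deny")


def parse_config(text: str):
    """Return (rules, applies); applies maps list id -> outgoing_src|outgoing_dest."""
    rules: List[OutboundRule] = []
    applies: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "outbound":
            _, list_id, action, addr, mask, port, proto = parts
            rules.append(OutboundRule(int(list_id), action,
                                      IPv4Network((addr, mask), strict=False),
                                      int(port), proto))
        elif parts[0] == "apply":
            _, _iface, list_id, kind = parts
            applies[int(list_id)] = kind
    return rules, applies


def evaluate(rules, applies, src: str, dst: str, dport: int, proto: str) -> str:
    """'deny' if the best-matching rule of any applied list denies, else 'permit'."""
    for list_id, kind in applies.items():
        # outgoing_src lists are compared against the inside (source) address,
        # outgoing_dest lists against the outside (destination) address.
        addr = IPv4Address(src if kind == "outgoing_src" else dst)
        hits = [r for r in rules
                if r.list_id == list_id and r.matches(addr, dport, proto)]
        if hits and max(hits, key=OutboundRule.specificity).action == "deny":
            return "deny"
    return "permit"  # nothing matched in any applied list: assumed PIX default


RULES, APPLIES = parse_config(PIX_CONFIG)


def check(src: str, dst: str, dport: int, proto: str = "tcp") -> str:
    return evaluate(RULES, APPLIES, src, dst, dport, proto)


if __name__ == "__main__":
    for conn in [("192.168.7.218", "1.2.3.4", 1214, "tcp"),   # host allowed Kazaa
                 ("192.168.2.10", "1.2.3.4", 1214, "tcp"),    # everyone else
                 ("192.168.2.10", "64.4.13.170", 80, "tcp"),  # gateway.messenger
                 ("192.168.2.10", "64.4.13.182", 80, "tcp"),  # MSN host not in list 2
                 ("192.168.2.10", "1.2.3.4", 5000, "udp")]:   # deny-all is tcp only
        print(conn, "->", check(*conn))
```

The `max(...)` over the matching rules is where the assumed best-match semantics live; if your PIX documentation describes a different order, change `specificity` and nothing else.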

This approach may be working for you right now, but I guarantee you that you have not blocked all of the servers. AOL, for example, has hundreds of servers dedicated to AIM; the same goes for Yahoo and MSN, just to name a few. I am not saying that it cannot be done, but you have to keep a constant eye on it to catch any new servers that pop up, as their networks are constantly growing and they add new servers regularly to keep up with the demand, which is also growing.

Bob

Excellent point. That was a truncated version; I have had to add more. Kazaa, on the other hand, should be done with that set of rules. It runs over port 1214. On to MSN. Something I did find interesting with MSN is this. It seems to be very dependent on one single server or set of servers being served by round-robin DNS or something like that. Now realistically, would it be surprising for M$ to do this given their track record? I started blocking all the "chat" servers. But there was one single server that I didn't block. Once I noticed it and took care of it, bam, no matter how long I left the client on, it wouldn't work no matter what I tried. If there is a better way to do this, please let me know?!

Notice below the various chat servers with names httpXX.msgr.hotmail.com, where XX = the server number.

Well, now keep looking down the list and see that when I simply blocked gateway.messenger.hotmail.com, nothing... I mean nothing from MSN IM worked... Would Microsoft really be this dumb? I dunno, but for now it IS working. I started blocking it server by server until I found that one, and boom, dead.

TCP 192.168.7.218 3886 64.4.13.182 http TIME_WAIT http12.msgr.hotmail.com
TCP 192.168.7.218 3895 64.4.13.170 http TIME_WAIT gateway.messenger.hotmail.com
TCP 192.168.7.218 3896 64.4.13.171 http ESTABLISHED http1.msgr.hotmail.com MSMSGS.EXE
TCP 192.168.7.218 3911 64.4.13.170 http TIME_WAIT gateway.messenger.hotmail.com
TCP 192.168.7.218 3912 64.4.13.176 http ESTABLISHED http6.msgr.hotmail.com MSMSGS.EXE
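The manual step the thread ends on, watching which servers the client talks to and then denying them by address, as an added example in Python (not code from the posts): a parser for the connection table in the layout shown above (protocol, local address, local port, remote address, remote port or service name, state, remote hostname, optional process), which groups the remote addresses by hostname under a chosen domain suffix and emits only the `outbound 2 deny` lines that the existing configuration does not already contain. That diff step is what Bob's point about growing server pools calls for: rerun it periodically and only the new addresses come out. The service-name table is constructed, the five sample lines are the ones posted in the thread, and the abridged existing config is taken from the rule set posted earlier.

```python
"""Turn a connection table into candidate PIX 'outbound' deny rules.

Added example for the thread above, not code from the original posts.  It
reproduces by script what the poster did by hand: record which servers the
IM client connected to, then deny them by address, and it only reports
addresses the existing list-2 rules do not already cover.  The column layout
assumed is the one in the posted output: proto, local ip, local port,
remote ip, remote port or service name, state, remote hostname, optional
process name.  The service-name table is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The five connection lines posted in the thread, used as sample input.
SAMPLE_TABLE = """
TCP 192.168.7.218 3886 64.4.13.182 http TIME_WAIT http12.msgr.hotmail.com
TCP 192.168.7.218 3895 64.4.13.170 http TIME_WAIT gateway.messenger.hotmail.com
TCP 192.168.7.218 3896 64.4.13.171 http ESTABLISHED http1.msgr.hotmail.com MSMSGS.EXE
TCP 192.168.7.218 3911 64.4.13.170 http TIME_WAIT gateway.messenger.hotmail.com
TCP 192.168.7.218 3912 64.4.13.176 http ESTABLISHED http6.msgr.hotmail.com MSMSGS.EXE
"""

# Abridged copy of the list-2 rules posted earlier, to diff new servers against.
EXISTING_CONFIG = """
outbound 2 deny 64.4.13.179 255.255.255.255 0 ip
outbound 2 deny 64.4.13.170 255.255.255.255 0 ip
"""

SERVICE_PORTS = {"http": 80, "https": 443}  # constructed; extend as needed


@dataclass(frozen=True)
class Connection:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None when the service name is unknown
    state: str
    remote_name: str
    process: Optional[str]       # only present on some lines of the table


def parse_table(text: str) -> List[Connection]:
    """Parse the whitespace-separated connection table; skips blank/short lines."""
    conns: List[Connection] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        port = f[4]
        rport = int(port) if port.isdigit() else SERVICE_PORTS.get(port.lower())
        conns.append(Connection(f[0], f[1], int(f[2]), f[3], rport, f[5], f[6],
                                f[7] if len(f) > 7 else None))
    return conns


def servers_under(conns: List[Connection], suffix: str) -> Dict[str, Set[str]]:
    """Map each remote hostname ending in `suffix` to the set of IPs seen for it."""
    out: Dict[str, Set[str]] = {}
    for c in conns:
        if c.remote_name.lower().endswith(suffix.lower()):
            out.setdefault(c.remote_name, set()).add(c.remote_ip)
    return out


def already_denied(config: str) -> Set[str]:
    """Addresses that some 'outbound N deny' line in the config already names."""
    return set(re.findall(r"^outbound\s+\d+\s+deny\s+(\d+\.\d+\.\d+\.\d+)",
                          config, re.M))


def new_deny_rules(conns: List[Connection], suffix: str,
                   existing_config: str, list_id: int = 2) -> List[str]:
    """Host-specific deny lines for servers under `suffix` not yet in the config."""
    known = already_denied(existing_config)
    seen = {ip for ips in servers_under(conns, suffix).values() for ip in ips}
    ordered = sorted(seen - known, key=lambda s: tuple(map(int, s.split("."))))
    return [f"outbound {list_id} deny {ip} 255.255.255.255 0 ip" for ip in ordered]


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for name, ips in sorted(servers_under(table, "hotmail.com").items()):
        print(f"{name}: {', '.join(sorted(ips))}")
    print("\n".join(new_deny_rules(table, "hotmail.com", EXISTING_CONFIG)))
```

Feeding the real table from the workstation instead of `SAMPLE_TABLE`, and the running PIX configuration instead of `EXISTING_CONFIG`, gives the list of addresses still missing from list 2; the hostname grouping is there so that a host like gateway.messenger.hotmail.com that resolves to several addresses over time shows up as one entry with a growing address set.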