03-27-2004 04:45 AM
I have a Cisco PIX 515E ver 6.0(1).
I need to block Yahoo & MSN chat organisation-wide. How do I do it?
Is there any way to block using the Cisco PIX? I do not want to use any application s/w or proxy server to do this.
I tried to use conduit statements but that did not work.
Currently I am NATting the whole internal subnet to a valid IP & have not blocked anything. Can I just block chat ports? If yes, what are these ports?
Thanks
Regards
Mahavir
03-29-2004 07:32 AM
You can try to just block the basic "chat" ports but this will hardly stop them. The clients will use any open port that they can to communicate with the server. You have to block ALL of the destination addresses (and there are a lot) for AOL, Yahoo, MSN, ICQ etc.
Checkpoint allows you to block by HTTP header information (if using port 80) but there is no easy way around this without using application s/w, which as you stated you do not want to do.
Here is what I did on a client Checkpoint firewall that is working (for now - until they add a new server):
Block servers:
AOL: 205.188.179.233, 64.12.161.153, 64.12.161.185, 64.12.200.89
Messenger: 207.46.104.20, 63.208.13.126, 64.4.12.200, 64.4.12.201, 65.54.131.249, 65.54.194.118, 65.54.211.61, 207.46.110.2
Yahoo: 66.163.168.117, 216.136.173.169, 66.163.173.200, 216.136.128.145, 216.136.128.167, 66.163.168.107, 66.163.169.134, 66.163.169.135, 216.136.224.236, 216.136.173.168, 216.155.193.128-216.155.193.135, 216.155.193.152-216.155.193.159, 216.155.193.168-216.155.193.176
Then I just blocked the basic ports for the apps (but if a new server comes online the app can still use port 80 etc.):
AOL - TCP 5190
ICQ locator - UDP 4000
MSN Messenger - UDP 1863, UDP 5190
MSN File Transfer - TCP 6891-6900
MSN Messenger - TCP 1863
MSN Messenger Voice - UDP 6901
Yahoo - TCP 5050
Yahoo Voice Chat - TCP 5000-5001
Yahoo Webcams - TCP 5100
Yahoo - UDP 5000-5010
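The same server and port lists expressed for the original poster's PIX, as an added example that is not part of either post above. On PIX 6.x outbound traffic from the inside interface is filtered with an `access-list` applied by `access-group <name> in interface inside` (`conduit` only governs inbound connections, so it has no effect here), and once an access-group is bound the implicit deny applies, so the list must end with an explicit `permit ip any any`. The script below is a generator written for this thread: it turns the addresses and ports from the reply above into PIX `access-list` lines, splits the one range that is not mask-aligned (216.155.193.168-176 needs a /29 plus a single host), and emits the closing permit and access-group lines. The ACL name `acl_inside` is an assumption; the address and port data are copied from the reply, and the caveat from that reply still holds: any client that falls back to port 80 on a server not in the list gets through.

```python
import ipaddress

# Destination hosts and ranges copied from the reply above (constructed input
# for this example; the vendor keys are only for readability).
BLOCKED_HOSTS = {
    "AOL": ["205.188.179.233", "64.12.161.153", "64.12.161.185", "64.12.200.89"],
    "Messenger": ["207.46.104.20", "63.208.13.126", "64.4.12.200", "64.4.12.201",
                  "65.54.131.249", "65.54.194.118", "65.54.211.61", "207.46.110.2"],
    "Yahoo": ["66.163.168.117", "216.136.173.169", "66.163.173.200",
              "216.136.128.145", "216.136.128.167", "66.163.168.107",
              "66.163.169.134", "66.163.169.135", "216.136.224.236",
              "216.136.173.168",
              "216.155.193.128-216.155.193.135",
              "216.155.193.152-216.155.193.159",
              "216.155.193.168-216.155.193.176"],  # not /29-aligned at the top
}

# (protocol, low port, high port) copied from the reply above.
BLOCKED_PORTS = [
    ("tcp", 5190, 5190),   # AOL
    ("udp", 4000, 4000),   # ICQ locator
    ("tcp", 1863, 1863),   # MSN Messenger
    ("udp", 1863, 1863),   # MSN Messenger
    ("udp", 5190, 5190),   # MSN Messenger
    ("tcp", 6891, 6900),   # MSN file transfer
    ("udp", 6901, 6901),   # MSN voice
    ("tcp", 5050, 5050),   # Yahoo
    ("tcp", 5000, 5001),   # Yahoo voice chat
    ("tcp", 5100, 5100),   # Yahoo webcam
    ("udp", 5000, 5010),   # Yahoo
]

ACL_NAME = "acl_inside"  # assumed name; any identifier works on the PIX


def pix_networks(spec):
    """Render 'a.b.c.d' or 'a.b.c.d-w.x.y.z' as PIX destination tokens.

    PIX 6.x takes either 'host X' or 'NETWORK NETMASK', so a range is first
    summarised into mask-aligned blocks; a range whose ends are not aligned
    (e.g. .168-.176) becomes several tokens rather than one wrong mask.
    """
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(s.strip()) for s in spec.split("-"))
        nets = list(ipaddress.summarize_address_range(lo, hi))
    else:
        nets = [ipaddress.IPv4Network(spec)]
    tokens = []
    for net in nets:
        if net.prefixlen == 32:
            tokens.append(f"host {net.network_address}")
        else:
            tokens.append(f"{net.network_address} {net.netmask}")
    return tokens


def pix_port(low, high):
    """PIX port operator: 'eq N' for a single port, 'range A B' otherwise."""
    return f"eq {low}" if low == high else f"range {low} {high}"


def build_acl(name=ACL_NAME):
    """Return the full list of PIX 6.x commands, in the order they are entered.

    Host denies come first (all IP protocols to the known servers), then the
    per-port denies to anywhere, then the permit that keeps normal outbound
    traffic working, then the access-group that activates the list.
    """
    lines = []
    for specs in BLOCKED_HOSTS.values():
        for spec in specs:
            for dst in pix_networks(spec):
                lines.append(f"access-list {name} deny ip any {dst}")
    for proto, low, high in BLOCKED_PORTS:
        lines.append(f"access-list {name} deny {proto} any any {pix_port(low, high)}")
    lines.append(f"access-list {name} permit ip any any")
    lines.append(f"access-group {name} in interface inside")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl()))
```

Paste the printed commands into configuration mode. Because PIX 6.0 has no line numbers on `access-list` entries, adding a newly discovered server later means either clearing and re-entering the whole list or accepting that the new deny lands after the `permit ip any any` and never matches; regenerating the list with this script avoids that ordering mistake.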
03-30-2004 11:32 PM
When it comes to filtering such specific traffic, you may have some problems configuring that on a PIX. You could block the destination addresses, but a much better solution is to use some sort of filtering. I suggest you use Websense (http://www.websense.com/) or N2H2 (http://www.n2h2.com/). The N2H2 version I used (well, tried to use) was for Red Hat Advanced Server. Websense, however, works just fine. This will not only allow you to filter out chat, but practically anything you might want to.