Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Blocking Chatting/Game use on a PIX 1

Status
Not open for further replies.
Dakiraun

Dakiraun

IS-IT--Management
Sep 28, 2000
21
0
0
CA
Hi All. As with many comapanies, our IT department was asked if it would be possible to block all chatting ports. Apparently a good deal of the employees were spending a little too much time talking with friends rather than working. The other senior admin and myself came up with the list of ports and servers that had to be blocked, and came up with quite list!

What makes it difficult in some cases is that the chat services can use just about any port as an alternative to their defaults if they're not available. The way around this was to block login and authentication abilities on the parent servers. The following is a list of the "outbound deny" commands used to make it all work:

Yahoo Ports:
outbound 20 deny 0.0.0.0 0.0.0.0 5000 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5001 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5050 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5100 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5050 udp
outbound 20 deny 0.0.0.0 0.0.0.0 5100 udp

AOL Ports (also one ICQ):
outbound 20 deny 0.0.0.0 0.0.0.0 5190-5193 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5190-5193 udp

Gnutella (non-transforming):
outbound 20 deny 0.0.0.0 0.0.0.0 6346 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 6347 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 6346 udp
outbound 20 deny 0.0.0.0 0.0.0.0 6347 udp

IRC:
outbound 20 deny 0.0.0.0 0.0.0.0 6665-6669 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 6665-6669 udp

ICQ:
outbound 20 deny 0.0.0.0 0.0.0.0 4000 udp

MSN:
outbound 20 deny 0.0.0.0 0.0.0.0 1863 tcp

iChat:
outbound 20 deny 0.0.0.0 0.0.0.0 4020 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 4020 udp

e-share-chat:
outbound 20 deny 0.0.0.0 0.0.0.0 5760 tcp

Misc Chat ports:
outbound 20 deny 0.0.0.0 0.0.0.0 9992-9998 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 9992-9997 udp

Quake Gaming:
outbound 20 deny 0.0.0.0 0.0.0.0 26000 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 26000 udp

MSN Gaming:
outbound 20 deny 0.0.0.0 0.0.0.0 28800-29000 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 28800-29000 udp

Doom Gaming:
outbound 20 deny 0.0.0.0 0.0.0.0 666 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 666 udp

AOL Servers:
outbound 20 deny 205.188.0.0 255.255.0.0 0 tcp
outbound 20 deny 64.12.0.0 255.255.0.0 0 tcp
outbound 20 permit 64.12.0.0 255.255.0.0 80 tcp
outbound 20 permit 205.188.0.0 255.255.0.0 80 tcp

Yahoo Servers:
outbound 20 deny 216.136.175.143 255.255.255.255 0 tcp
outbound 20 deny 216.136.175.144 255.255.255.255 0 tcp
outbound 20 deny 216.136.175.145 255.255.255.255 0 tcp
outbound 20 deny 216.136.225.83 255.255.255.255 0 tcp
outbound 20 deny 216.136.225.48 255.255.255.255 0 tcp
outbound 20 deny 216.136.226.209 255.255.255.255 0 tcp
outbound 20 deny 216.136.226.210 255.255.255.255 0 tcp
outbound 20 deny 216.136.227.166 255.255.255.255 0 tcp
outbound 20 deny 216.136.227.167 255.255.255.255 0 tcp
outbound 20 permit 216.136.225.12 255.255.255.255 80 tcp
outbound 20 permit 216.136.175.143 255.255.255.255 80 tcp
outbound 20 permit 216.136.175.144 255.255.255.255 80 tcp
outbound 20 permit 216.136.175.145 255.255.255.255 80 tcp
outbound 20 permit 216.136.225.12 255.255.255.255 80 tcp
outbound 20 permit 216.136.226.209 255.255.255.255 80 tcp
outbound 20 permit 216.136.226.210 255.255.255.255 80 tcp
outbound 20 permit 216.136.227.166 255.255.255.255 80 tcp
outbound 20 permit 216.136.227.167 255.255.255.255 80 tcp

ICQ Servers:
outbound 20 deny 64.12.162.0 255.255.254.0 0 tcp
outbound 20 permit 64.12.162.0 255.255.254.0 80 tcp

MSN Servers:
outbound 20 deny 64.4.13.129 255.255.255.128 0 tcp
outbound 20 permit 64.4.13.129 255.255.255.128 80 tcp

Now, when applying these to your firewall, make sure the number following outbound equals that of your outbound apply statement. Once added, these pretty much kill all chatting, some common gaming ports, and most of the file sharing software. Because of port transforming, it's not 100% effective for file transfer software, but so far, it seems chatting has been completely eliminated. I hope you find this a time-saver! :)
 
HI.

The outbound command is only for old pix versions.
Current versions should use "access-list".

If I needed to do this, I would have go the other way around. Block everything except what you want, like

permit http
permit smtp
deny all the other.

Anyway, when it comes to programs that use port 80, it is a problem to filter it with the pix, unless you use AAA, and/or a proxy server, or block specific servers ip addresses as you did.

Anyway, thanks for the detailed info.

Bye
Yizhar Hurwitz
 
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
146
Sameer258
Sameer258
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
56
PauS0n
PauS0n
Sparrow4
  • Locked
  • Question
AnyConnect + Azure + SAML
Replies
0
Views
103
Sparrow4
Sparrow4
mcisar
  • Locked
  • Question
Disable CHAP on PPPoE WAN connection
Replies
0
Views
51
mcisar
mcisar
quar
  • Locked
  • Question
Moving a rule
Replies
2
Views
61
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top