Hi All. As with many companies, our IT department was asked if it would be possible to block all chatting ports. Apparently a good deal of the employees were spending a little too much time talking with friends rather than working. The other senior admin and myself came up with the list of ports and servers that had to be blocked, and came up with quite a list!
What makes it difficult in some cases is that the chat services can use just about any port as an alternative to their defaults if they're not available. The way around this was to block login and authentication abilities on the parent servers. The following is a list of the "outbound deny" commands used to make it all work:
Yahoo Ports:
outbound 20 deny 0.0.0.0 0.0.0.0 5000 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5001 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5050 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5100 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5050 udp
outbound 20 deny 0.0.0.0 0.0.0.0 5100 udp
AOL Ports (also one ICQ):
outbound 20 deny 0.0.0.0 0.0.0.0 5190-5193 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 5190-5193 udp
Gnutella (non-transforming):
outbound 20 deny 0.0.0.0 0.0.0.0 6346 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 6347 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 6346 udp
outbound 20 deny 0.0.0.0 0.0.0.0 6347 udp
IRC:
outbound 20 deny 0.0.0.0 0.0.0.0 6665-6669 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 6665-6669 udp
ICQ:
outbound 20 deny 0.0.0.0 0.0.0.0 4000 udp
MSN:
outbound 20 deny 0.0.0.0 0.0.0.0 1863 tcp
iChat:
outbound 20 deny 0.0.0.0 0.0.0.0 4020 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 4020 udp
e-share-chat:
outbound 20 deny 0.0.0.0 0.0.0.0 5760 tcp
Misc Chat ports:
outbound 20 deny 0.0.0.0 0.0.0.0 9992-9998 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 9992-9997 udp
Quake Gaming:
outbound 20 deny 0.0.0.0 0.0.0.0 26000 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 26000 udp
MSN Gaming:
outbound 20 deny 0.0.0.0 0.0.0.0 28800-29000 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 28800-29000 udp
Doom Gaming:
outbound 20 deny 0.0.0.0 0.0.0.0 666 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 666 udp
AOL Servers:
outbound 20 deny 205.188.0.0 255.255.0.0 0 tcp
outbound 20 deny 64.12.0.0 255.255.0.0 0 tcp
outbound 20 permit 64.12.0.0 255.255.0.0 80 tcp
outbound 20 permit 205.188.0.0 255.255.0.0 80 tcp
Yahoo Servers:
outbound 20 deny 216.136.175.143 255.255.255.255 0 tcp
outbound 20 deny 216.136.175.144 255.255.255.255 0 tcp
outbound 20 deny 216.136.175.145 255.255.255.255 0 tcp
outbound 20 deny 216.136.225.83 255.255.255.255 0 tcp
outbound 20 deny 216.136.225.48 255.255.255.255 0 tcp
outbound 20 deny 216.136.226.209 255.255.255.255 0 tcp
outbound 20 deny 216.136.226.210 255.255.255.255 0 tcp
outbound 20 deny 216.136.227.166 255.255.255.255 0 tcp
outbound 20 deny 216.136.227.167 255.255.255.255 0 tcp
outbound 20 permit 216.136.225.12 255.255.255.255 80 tcp
outbound 20 permit 216.136.175.143 255.255.255.255 80 tcp
outbound 20 permit 216.136.175.144 255.255.255.255 80 tcp
outbound 20 permit 216.136.175.145 255.255.255.255 80 tcp
outbound 20 permit 216.136.225.12 255.255.255.255 80 tcp
outbound 20 permit 216.136.226.209 255.255.255.255 80 tcp
outbound 20 permit 216.136.226.210 255.255.255.255 80 tcp
outbound 20 permit 216.136.227.166 255.255.255.255 80 tcp
outbound 20 permit 216.136.227.167 255.255.255.255 80 tcp
ICQ Servers:
outbound 20 deny 64.12.162.0 255.255.254.0 0 tcp
outbound 20 permit 64.12.162.0 255.255.254.0 80 tcp
MSN Servers:
outbound 20 deny 64.4.13.129 255.255.255.128 0 tcp
outbound 20 permit 64.4.13.129 255.255.255.128 80 tcp
Now, when applying these to your firewall, make sure the number following outbound equals that of your outbound apply statement. Once added, these pretty much kill all chatting, some common gaming ports, and most of the file sharing software. Because of port transforming, it's not 100% effective for file transfer software, but so far, it seems chatting has been completely eliminated. I hope you find this a time-saver!
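One way to sanity-check a rule set like this before pushing it to the firewall, as an added example that is not part of the original post: a small Python checker that parses `outbound` lines and decides whether a given destination address, port and protocol would be permitted. It assumes PIX outbound-list best-match semantics (among matching rules the one with the most specific mask wins, then the narrowest port range, with deny winning a tie), that a port of `0` means every port, and that traffic matching no rule is permitted by default. The rule text embedded below is a constructed subset of the rules in the post; the list id, dotted netmasks and port-range syntax are taken from the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: a subset of the outbound rules from the post.
RULES_TEXT = """
outbound 20 deny 0.0.0.0 0.0.0.0 5190-5193 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 1863 tcp
outbound 20 deny 64.12.0.0 255.255.0.0 0 tcp
outbound 20 permit 64.12.0.0 255.255.0.0 80 tcp
outbound 20 deny 64.4.13.129 255.255.255.128 0 tcp
outbound 20 permit 64.4.13.129 255.255.255.128 80 tcp
"""


@dataclass(frozen=True)
class Rule:
    list_id: int
    action: str            # "deny" or "permit"
    net: ipaddress.IPv4Network
    port_lo: int
    port_hi: int
    proto: str


def parse_rule(line: str) -> Rule:
    """Parse one 'outbound <id> <deny|permit> <ip> <mask> <port|lo-hi> <proto>' line."""
    parts = line.split()
    if len(parts) != 7 or parts[0] != "outbound":
        raise ValueError(f"not an outbound rule: {line!r}")
    _, list_id, action, ip, mask, ports, proto = parts
    if action not in ("deny", "permit"):
        raise ValueError(f"bad action in: {line!r}")
    # Dotted netmask -> network; strict=False lets a host address like
    # 64.4.13.129/255.255.255.128 be normalised to 64.4.13.128/25.
    net = ipaddress.ip_network((ip, mask), strict=False)
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if lo == 0 and hi == 0:          # assumption: port 0 means "all ports"
        lo, hi = 0, 65535
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in: {line!r}")
    return Rule(int(list_id), action, net, lo, hi, proto.lower())


def load_rules(text: str) -> list[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def evaluate(rules: list[Rule], dst_ip: str, dst_port: int,
             proto: str = "tcp", list_id: int = 20) -> str:
    """Return 'deny' or 'permit' for an outbound flow under best-match semantics."""
    addr = ipaddress.ip_address(dst_ip)
    best_key, best_rule = None, None
    for r in rules:
        if r.list_id != list_id or r.proto != proto or addr not in r.net:
            continue
        if not (r.port_lo <= dst_port <= r.port_hi):
            continue
        # More specific mask first, then narrower port range, then deny on ties.
        key = (r.net.prefixlen, -(r.port_hi - r.port_lo), r.action == "deny")
        if best_key is None or key > best_key:
            best_key, best_rule = key, r
    return best_rule.action if best_rule else "permit"   # default: permit


if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    for ip, port, proto in [("64.12.5.5", 80, "tcp"), ("64.12.5.5", 443, "tcp"),
                            ("198.51.100.7", 5191, "tcp"), ("198.51.100.7", 443, "tcp"),
                            ("64.12.5.5", 443, "udp")]:
        print(f"{ip}:{port}/{proto} -> {evaluate(rules, ip, port, proto)}")
```

The last probe is the caveat worth noticing: the server-range rules in the post are TCP only, so a UDP flow to the same address range matches nothing and falls through to the default permit. The checker makes that visible before the list goes live rather than after.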