Pix 515R - How to block peer2peer networks?

Status
Not open for further replies.

ccnjra (IS-IT--Management)
Apr 16, 2002
Hi.
I've got a PIX 515-R. Does anyone know how to block peer-to-peer networks like Gnutella and KaZaA?


Jan Erik
 
HI.

One way is to check the ports and/or IP addresses used by those applications, then use an ACL to block them.

You can get info in a PIX telnet session with the command:
show conn

And you can get info on the client using the command:
netstat

Another, and probably better, solution is to block everything, then only allow the required ports. This will block applications that use their own TCP ports.
For applications that use ports like 80 you'll need to revert to the first option I suggested.

Such problems can also be reduced in other ways; for example, you can send an email to all workers simply to tell them not to use such apps and explain why, then ask them to uninstall them if they have installed them.
One part of implementing the company policy is to tell people what the policy is.

Bye
Yizhar Hurwitz
 
Thank you for the reply.

What would the ACL for blocking everything except http, https, dns, smtp and ping look like?
Or do you have a good ACL with a deny all and openings for the most-used services?

Jan Erik
 
HI.

Simply keep it straightforward:

access-list frominside permit tcp any any eq http
access-list frominside permit tcp any any eq 443
access-list frominside permit tcp any any eq smtp
access-list frominside permit udp any any eq 53
access-list frominside permit tcp any any eq 53
access-list frominside permit icmp any any
access-group frominside in interface inside

Then debug and fine-tune.

If you have version 6.x of the PIX OS, you can use PDM for easier ACL management.

Bye
Yizhar Hurwitz
 
Hi

I've got the same problem. P2P applications generally use ports higher than 1024, therefore I have blocked all ports over 1024 with the following statements:
access-list FromInside deny udp any any range 1025 65535
access-list FromInside deny tcp any any range 1025 65535

For your info, KaZaA uses port 1214 and Gnutella 6346 + 6347.

Bye
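
As an added example (not part of any post in this thread), the following Python script does the "debug and fine-tune" step for the default-deny approach described above: it parses PIX 6.x "show conn" output, tallies the destination ports in use, lists the connections that an outbound ACL permitting only http, https, smtp and dns would drop, and flags inside hosts talking to the KaZaA and Gnutella ports named in the last reply. The "show conn" lines are constructed for this example, not captured from a real firewall; the allowed-service set and the port-to-application mapping are taken from this thread and are assumptions about your own environment, so adjust them before trusting the output.

```python
"""Summarise PIX 6.x 'show conn' output to see what a default-deny outbound ACL
would drop. The sample lines below are constructed for this example, not captured
from a real firewall."""
import re
from collections import Counter

# PIX 6.x 'show conn' line layout: protocol, outside addr:port, inside addr:port, ...
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
)

# Outbound services the thread proposes to permit: http, https, smtp, dns (assumption).
ALLOWED = {("TCP", 80), ("TCP", 443), ("TCP", 25), ("TCP", 53), ("UDP", 53)}

# Ports named in the thread for the two P2P applications in question (assumption).
KNOWN_P2P = {1214: "KaZaA", 6346: "Gnutella", 6347: "Gnutella"}

# Constructed sample output in PIX 6.x 'show conn' format.
SAMPLE_SHOW_CONN = """\
TCP out 209.165.201.10:80 in 10.1.1.15:1026 idle 0:00:07 Bytes 1240 flags UIO
TCP out 209.165.201.11:443 in 10.1.1.15:1027 idle 0:00:02 Bytes 5120 flags UIO
UDP out 209.165.201.5:53 in 10.1.1.15:1028 idle 0:00:01 flags -
TCP out 209.165.202.20:1214 in 10.1.1.22:1031 idle 0:00:15 Bytes 98304 flags UIO
TCP out 209.165.202.21:1214 in 10.1.1.22:1032 idle 0:00:03 Bytes 2048 flags UIO
TCP out 209.165.203.7:6346 in 10.1.1.30:1040 idle 0:00:09 Bytes 4096 flags UIO
TCP out 209.165.203.8:6347 in 10.1.1.30:1041 idle 0:00:01 Bytes 512 flags UIO
TCP out 209.165.201.12:8080 in 10.1.1.41:1050 idle 0:00:04 Bytes 700 flags UIO
"""


def parse_conns(text):
    """Return (proto, inside_ip, outside_ip, dest_port) for each parsable line.

    For outbound connections the outside port is the destination port, which is
    what an ACL applied 'in' on the inside interface matches on."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything in another format
        conns.append((m["proto"], m["in_ip"], m["out_ip"], int(m["out_port"])))
    return conns


def port_summary(conns):
    """Count (proto, dest_port) pairs so the allow list can be tuned against real use."""
    return Counter((proto, port) for proto, _, _, port in conns)


def unpermitted(conns, allowed=ALLOWED):
    """Connections whose (proto, dest_port) the default-deny ACL would not permit."""
    return [c for c in conns if (c[0], c[3]) not in allowed]


def suspected_p2p_hosts(conns, known=KNOWN_P2P):
    """Map each inside host to the P2P applications whose known ports it is using."""
    hosts = {}
    for _, in_ip, _, port in conns:
        if port in known:
            hosts.setdefault(in_ip, set()).add(known[port])
    return {ip: sorted(apps) for ip, apps in hosts.items()}


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_SHOW_CONN)
    print("Destination ports seen:")
    for (proto, port), n in port_summary(conns).most_common():
        print(f"  {proto}/{port}: {n}")
    print("Would be dropped by the default-deny outbound ACL:")
    for proto, in_ip, out_ip, port in unpermitted(conns):
        print(f"  {in_ip} -> {out_ip} {proto}/{port}")
    print("Inside hosts on known P2P ports:", suspected_p2p_hosts(conns))
```

Run it against a paste of your own "show conn" output instead of the sample; anything that shows up under the dropped list but is a legitimate service (the 8080 connection in the sample, for instance) is a candidate for an extra permit line, and the hosts flagged on the P2P ports are the ones to follow up with the users.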
 