I originally wrote this for my boss and his home network.  As I state in my original 
message, I researched this but did not test a lot of the advice personally (no flames, 
I warned you not to take this at full face value).  This writeup covers Morpheus and 
many other like-topic applications.  Please excuse some of the fluff, it was 
originally for my boss after all... :)


-----Original Message-----
From: Smith, Steve 
Sent: Monday, January 07, 2002 1:37 PM

Couple of quick notes, I've used CIDR notation where needed.  This notation represents 
the subnet mask to match to the rule.  An example is 10.0.0.0/8 instead of stating 
10.0.0.0 to 10.255.255.255 or using longhand subnet masks like 255.0.0.0, etc...  I've 
used 0.0.0.0/0 to represent the concept of 'all hosts'.  FYI, using these rules, even 
correctly, can break things you may need in order to do business.  This is unlikely 
but possible.  They really should have a better look at their corporate Internet usage 
policy to address these concerns.  Last warning: I did three or four hours of basic 
research on this topic and I didn't test any of these rules or verify the information 
I found.  Caveat Emptor...


App: WinMX
This package is Napster-like and requires a central site to enable file sharing.  
Blocking this site prevents its use.
-Deny traffic from source: 209.61.186.0/24
-Deny traffic to destination: 209.61.186.0/24
-Deny traffic from source: 64.49.201.0/24
-Deny traffic to destination: 64.49.201.0/24


App: AudioGalaxy Satellite
This package uses higher ports to search AudioGalaxy Satellite servers and FTP (TCP 21 
and TCP 20) to perform the actual file transfers.  Also blocking the AudioGalaxy 
netblock should help.  Completely denying FTP will prevent this service as well.
-Deny traffic to destination: 0.0.0.0/0 TCP 41000-42000
-Deny traffic from source: 0.0.0.0/0 TCP 41000-42000
-Deny traffic to destination: 0.0.0.0/0 UDP 41000-42000
-Deny traffic from source: 0.0.0.0/0 UDP 41000-42000
-Deny traffic to destination: 64.245.58.0/23


App: Napigator
Napster-like tool, requires a central site to function.  Blocking the central site 
blocks Napigator.
-Deny traffic to destination: 209.25.178.0/24
-Deny traffic from source: 209.25.178.0/24


App: Freenet
The only effective way to catch this type of traffic is watching the header traffic 
for telltales.  Many packet filters allow searching the first packet of a stream for 
string matches.  Generally speaking, the implementation of this kind of filter is 
outside of the scope of a simple HOW-TO doc.  The protocol is built from the ground up 
to not rely on any specific port.  For more information refer to 
http://freenetproject.org.


App: Napster
Block access to the Napster central netblocks (these could change periodically); this 
prevents Napster use:
-Deny traffic to destination: 64.124.41.0/24
-Deny traffic from source: 64.124.41.0/24
Block access to peer file shares (this only filters the default ports).  This could break some 
internet usage (very doubtful) but would prevent Napster usage if the above netblock 
were to change to another set of addresses.
-Deny traffic to destination: 0.0.0.0/0 TCP 6699
-Deny traffic from source: 0.0.0.0/0 TCP 6699
-Deny traffic to destination: 0.0.0.0/0 UDP 6699
-Deny traffic from source: 0.0.0.0/0 UDP 6699


App: Aimster
Blocking Aimster requires blocking AOL Instant Messenger (AIM).  AIM is getting harder 
to block without the use of a filter or proxy that looks at TCP 80 (Web) traffic and 
verifies that in fact only HTTP traffic is passing on this port.  Using the following 
filters makes AIM (and Aimster) much harder to use.
Block client ICQ/AIM traffic
-Deny traffic to destination: 0.0.0.0/0 TCP 5190
-Deny traffic from source: 0.0.0.0/0 TCP 5190
-Deny traffic to destination: 0.0.0.0/0 UDP 5190
-Deny traffic from source: 0.0.0.0/0 UDP 5190
Since AIM can also use TCP 13, 23, 80, 113, and others, it might be best to blocklist 
AOL sites altogether or only allow DNS lookups.  This solution pretty much breaks AOL 
access from within, so use carefully.  The best solution is outlined above: filter TCP 
5190 and UDP 5190 as well as use filters or proxies that don't allow non-HTTP traffic 
to use TCP 80.
-Deny traffic to destination: 205.188.0.0/16 TCP 53 from Internal-DNS-box
-Deny traffic from source: 205.188.0.0/16 TCP 53 from Internal-DNS-box
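Both the Freenet note (string-matching the first packet of a stream) and the AIM note above (a filter or proxy that only lets real HTTP through TCP 80) come down to the same check, so here is an added example of it, written for this message and not taken from the original post or from any product.  It decides, from the first bytes a client sends on port 80, whether the stream starts with an HTTP/1.x request line; the sample payloads are constructed, and the limit of 8192 bytes for a request line is an assumption of the example.

```python
"""Added example, not part of the original message: a first-packet check
for TCP 80 that only lets through streams that begin with an HTTP request
line.  Sample payloads are constructed for illustration."""
import re

# An HTTP/1.x request line is: METHOD SP request-target SP HTTP/1.x CRLF.
# Methods are upper-case tokens; the target may not contain spaces.
REQUEST_LINE_RE = re.compile(rb"^[A-Z]{3,10} [^ \r\n]+ HTTP/1\.[01]\r\n")

# Assumed upper bound: if this much has arrived without a line terminator,
# the stream is not an HTTP request.
MAX_REQUEST_LINE = 8192

# Ports on which only HTTP is expected.  Other ports are left to the
# address/port rules in the message and are not judged here.
HTTP_ONLY_PORTS = {80}


def looks_like_http_request(first_bytes: bytes):
    """Classify the first bytes of a client-to-server stream.

    Returns True if a complete, well-formed request line is present,
    False if the data cannot be an HTTP request, and None when more data
    is needed before deciding (no CRLF seen yet, but still short and
    printable).
    """
    if REQUEST_LINE_RE.match(first_bytes):
        return True
    if b"\r\n" in first_bytes or len(first_bytes) >= MAX_REQUEST_LINE:
        return False  # a full first line exists and it is not HTTP
    # No line terminator yet: a request line is printable ASCII, so any
    # control or high byte rules HTTP out; otherwise wait for more data.
    if all(0x20 <= b < 0x7F for b in first_bytes):
        return None
    return False


def inspect_stream(dst_port: int, first_bytes: bytes) -> str:
    """Filter decision for one new stream: 'allow', 'deny', 'hold' (buffer
    until a full first line arrives) or 'not-inspected' (port not covered)."""
    if dst_port not in HTTP_ONLY_PORTS:
        return "not-inspected"
    verdict = looks_like_http_request(first_bytes)
    if verdict is None:
        return "hold"
    return "allow" if verdict else "deny"


# Constructed sample first packets, labelled by what they represent.
SAMPLES = {
    "plain http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "post": b"POST /upload HTTP/1.0\r\nContent-Length: 0\r\n\r\n",
    "binary on 80": b"\x00\x01\x02\x03binary\x00\xff",
    "text but not http": b"HELLO peer 1.0\r\n",
    "truncated request line": b"GET /a/very/long/path HT",
    "lowercase method": b"get / HTTP/1.1\r\n",
}


def classify_samples():
    """Run the port-80 check over every sample and return name -> decision."""
    return {name: inspect_stream(80, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:24s} -> {decision}")
```

The 'hold' result is the part a simple port block cannot give you: a client that sends a long request line in two segments must not be denied on the first segment, so the filter buffers until it sees a line terminator or the size limit.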


App: iMesh
Blocking access to the iMesh central server breaks iMesh.
-Deny traffic to destination: 216.35.208.0/24
-Deny traffic from source: 216.35.208.0/24


App: eDonkey
Block clients connecting to the server
-Deny traffic to destination: 0.0.0.0/0 TCP 4661
-Deny traffic from source: 0.0.0.0/0 TCP 4661
-Deny traffic to destination: 0.0.0.0/0 UDP 4665
-Deny traffic from source: 0.0.0.0/0 UDP 4665
Block clients connecting to each other
-Deny traffic to destination: 0.0.0.0/0 TCP 4662
-Deny traffic from source: 0.0.0.0/0 TCP 4662


App: Gnutella (also BearShare, ToadNode, Limewire, Gnucleus, and others)
When left at the default settings, Gnutella can be blocked as follows.
Block clients connecting to each other
-Deny traffic to destination: 0.0.0.0/0 TCP 6345-6349
-Deny traffic from source: 0.0.0.0/0 TCP 6345-6349
-Deny traffic to destination: 0.0.0.0/0 UDP 6345-6349
-Deny traffic from source: 0.0.0.0/0 UDP 6345-6349


App: Kazaa and Morpheus
Block clients connecting to each other and the application is broken.
-Deny traffic to destination: 0.0.0.0/0 TCP 1214
-Deny traffic from source: 0.0.0.0/0 TCP 1214
-Deny traffic to destination: 0.0.0.0/0 UDP 1214
-Deny traffic from source: 0.0.0.0/0 UDP 1214
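The CIDR notes at the top and the "-Deny traffic ..." lists throughout are easy to misread, so here is an added example, written for this message and not part of the original post, that parses those rule lines as written and checks sample flows against them.  The rule text is copied from the Napster section; the internal addresses and flows are constructed.  One interpretation is assumed: a "to destination" rule is compared with a flow's destination address and port, a "from source" rule with its source address and port (which is how the paired rules catch both the outbound connection and the return traffic).  Anything after the port field on a rule line (such as "from Internal-DNS-box") is ignored by the parser.

```python
"""Added example, not part of the original message: parse the
"-Deny traffic ..." rule lines into structured rules and check sample
flows against them.  Rule text is from the message's Napster section;
flows and internal addresses are constructed.  Assumed interpretation:
"to destination" rules match the destination address/port of a flow,
"from source" rules match the source address/port."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Matches lines such as
#   -Deny traffic to destination: 0.0.0.0/0 TCP 6345-6349
#   -Deny traffic from source: 64.124.41.0/24
# Text after the port field (e.g. "from Internal-DNS-box") is ignored.
RULE_RE = re.compile(
    r"^-Deny traffic (?P<dir>to destination|from source):\s*"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"(?:\s+(?P<proto>TCP|UDP)\s+(?P<lo>\d+)(?:-(?P<hi>\d+))?)?"
)


@dataclass(frozen=True)
class DenyRule:
    direction: str                    # "dst" or "src"
    network: ipaddress.IPv4Network    # CIDR block; 0.0.0.0/0 = all hosts
    proto: Optional[str]              # "TCP", "UDP" or None for any
    ports: Optional[range]            # None means any port


def parse_rules(text: str):
    """Turn the rule lines in `text` into DenyRule objects; prose is skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        lo, hi = m.group("lo"), m.group("hi")
        ports = range(int(lo), int(hi or lo) + 1) if lo else None
        rules.append(DenyRule(
            direction="dst" if m.group("dir") == "to destination" else "src",
            network=ipaddress.ip_network(m.group("net"), strict=False),
            proto=m.group("proto"),
            ports=ports,
        ))
    return rules


def first_deny(rules, src_ip, src_port, dst_ip, dst_port, proto):
    """Return the first rule that denies the flow, or None if it passes."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        addr, port = (dst, dst_port) if r.direction == "dst" else (src, src_port)
        if addr not in r.network:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return r
    return None


def cidr_span(cidr: str):
    """First address, last address and longhand mask of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), str(net.netmask)


# Rule text as written in the message's Napster section.
NAPSTER_RULES = """\
-Deny traffic to destination: 64.124.41.0/24
-Deny traffic from source: 64.124.41.0/24
-Deny traffic to destination: 0.0.0.0/0 TCP 6699
-Deny traffic from source: 0.0.0.0/0 TCP 6699
-Deny traffic to destination: 0.0.0.0/0 UDP 6699
-Deny traffic from source: 0.0.0.0/0 UDP 6699
"""

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, proto).
SAMPLE_FLOWS = {
    "client to napster netblock": ("192.168.1.10", 1030, "64.124.41.7", 8888, "TCP"),
    "client to peer on 6699":     ("192.168.1.10", 1031, "203.0.113.5", 6699, "TCP"),
    "peer on 6699 replying":      ("203.0.113.5", 6699, "192.168.1.10", 1031, "TCP"),
    "ordinary web browsing":      ("192.168.1.10", 1032, "203.0.113.5", 80, "TCP"),
    "udp 6699 to peer":           ("192.168.1.10", 6699, "203.0.113.9", 6699, "UDP"),
}


def evaluate(rules_text=NAPSTER_RULES, flows=SAMPLE_FLOWS):
    """Map each flow name to the index of the denying rule, or None if allowed."""
    rules = parse_rules(rules_text)
    verdicts = {}
    for name, flow in flows.items():
        hit = first_deny(rules, *flow)
        verdicts[name] = rules.index(hit) if hit is not None else None
    return verdicts


if __name__ == "__main__":
    print("10.0.0.0/8 covers", cidr_span("10.0.0.0/8"))
    for name, idx in evaluate().items():
        print(f"{name:28s} -> {'allowed' if idx is None else f'denied by rule {idx}'}")
```

The same parser takes any of the lists in this message, so the Gnutella range rule (TCP 6345-6349) or the Kazaa/Morpheus rule (1214) can be pasted in as rules_text and tested against a flow before the rules go on a real firewall, which is a cheap way to catch the "breaks something you need" case the notes at the top warn about.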

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls