Maybe this will help.  This is for the Cisco PIX firewall, but the ports and
IPs should work on other firewalls.

Heath Calhoun

Hi Gang,

For those of you unfamiliar with Outbound/Apply, I have converted the
outbound statements to an access-list.  Be certain that the last statement
in this list is a "permit ip any any".  Bind this list to any interface on
which you want to block these ports.  Please note that many of the deny
statements became unnecessary once the outbound was converted, i.e. if you
permit access to only port 80, you don't need an explicit deny for the
other ports.

I have translated these without the benefit of a PIX at my disposal, so
please don't judge me too harshly if there are mistakes.  As Brian cautioned
previously, please TEST before applying to a production PIX.

Enjoy,

Dave

Yahoo Ports:

access-list 101 deny tcp any any eq 5000
access-list 101 deny tcp any any eq 5001
access-list 101 deny tcp any any eq 5050
access-list 101 deny tcp any any eq 5100
access-list 101 deny udp any any eq 5050
access-list 101 deny udp any any eq 5100

AOL Ports (also one ICQ):

access-list 101 deny tcp any any range 5190 5193
access-list 101 deny udp any any range 5190 5193

Gnutella (non-transforming):

access-list 101 deny tcp any any eq 6346
access-list 101 deny tcp any any eq 6347
access-list 101 deny udp any any eq 6346
access-list 101 deny udp any any eq 6347

IRC:

access-list 101 deny tcp any any range 6665 6669
access-list 101 deny udp any any range 6665 6669

ICQ:

access-list 101 deny udp any any eq 4000

MSN:

access-list 101 deny tcp any any eq 1863

iChat:

access-list 101 deny tcp any any eq 4020
access-list 101 deny udp any any eq 4020

e-share-chat:

access-list 101 deny tcp any any eq 5760

Misc Chat ports:

access-list 101 deny tcp any any range 9992 9998
access-list 101 deny udp any any range 9992 9998

Quake Gaming:

access-list 101 deny tcp any any eq 26000
access-list 101 deny udp any any eq 26000

MSN Gaming:

access-list 101 deny tcp any any range 28800 29000
access-list 101 deny udp any any range 28800 29000

Doom Gaming:

access-list 101 deny tcp any any eq 666
access-list 101 deny udp any any eq 666

AOL Servers:

access-list 101 permit tcp any 205.188.0.0 255.255.0.0 eq www
access-list 101 permit tcp any 64.12.0.0 255.255.0.0 eq www

Yahoo Servers:

access-list 101 permit tcp any host 216.136.225.12 eq www
access-list 101 permit tcp any host 216.136.175.143 eq www
access-list 101 permit tcp any host 216.136.175.144 eq www
access-list 101 permit tcp any host 216.136.175.145 eq www
access-list 101 permit tcp any host 216.136.226.209 eq www
access-list 101 permit tcp any host 216.136.226.210 eq www
access-list 101 permit tcp any host 216.136.227.166 eq www
access-list 101 permit tcp any host 216.136.227.167 eq www
access-list 101 deny tcp any host 216.136.225.83
access-list 101 deny tcp any host 216.136.225.48

ICQ Servers:

access-list 101 permit tcp any 64.12.162.0 255.255.254.0 eq www

MSN Servers:

access-list 101 permit tcp any 64.4.13.129 255.255.255.128 eq www


>From: "brford" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: [PIX_Firewall] Blocking Chat & Gaming Apps
>Date: Mon, 25 Feb 2002 14:01:31 -0000
>MIME-Version: 1.0

>
>List,
>
>I found this post on another list.  As always you should attempt to
>verify before actually implementing it yourself.  Also note that the
>author was using an older PIX OS and wrote this using "outbound"
>commands.  It should be updated to ACLs.
>
>Liberty for All,
>
>Brian
>
>QUOTE
>
>Hi All.  As with many companies, our IT department was asked if it
>would be possible to block all chatting ports.  Apparently a good
>deal of the employees were spending a little too much time talking
>with friends rather than working.  The other senior admin and myself
>came up with the list of ports and servers that had to be blocked,
>and came up with quite a list!
>
>What makes it difficult in some cases is that the chat services can
>use just about any port as an alternative to their defaults if
>they're not available.  The way around this was to block login and
>authentication abilities on the parent servers.  The following is a
>list of the "outbound deny" commands used to make it all work:
>
>Yahoo Ports:
>outbound  20 deny 0.0.0.0 0.0.0.0 5000 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 5001 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 5050 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 5100 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 5050 udp
>outbound  20 deny 0.0.0.0 0.0.0.0 5100 udp
>
>AOL Ports (also one ICQ):
>outbound  20 deny 0.0.0.0 0.0.0.0 5190-5193 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 5190-5193 udp
>
>Gnutella (non-transforming):
>outbound  20 deny 0.0.0.0 0.0.0.0 6346 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 6347 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 6346 udp
>outbound  20 deny 0.0.0.0 0.0.0.0 6347 udp
>
>IRC:
>outbound  20 deny 0.0.0.0 0.0.0.0 6665-6669 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 6665-6669 udp
>
>ICQ:
>outbound  20 deny 0.0.0.0 0.0.0.0 4000 udp
>
>MSN:
>outbound  20 deny 0.0.0.0 0.0.0.0 1863 tcp
>
>iChat:
>outbound  20 deny 0.0.0.0 0.0.0.0 4020 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 4020 udp
>
>e-share-chat:
>outbound  20 deny 0.0.0.0 0.0.0.0 5760 tcp
>
>Misc Chat ports:
>outbound  20 deny 0.0.0.0 0.0.0.0 9992-9998 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 9992-9997 udp
>
>Quake Gaming:
>outbound  20 deny 0.0.0.0 0.0.0.0 26000 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 26000 udp
>
>MSN Gaming:
>outbound  20 deny 0.0.0.0 0.0.0.0 28800-29000 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 28800-29000 udp
>
>Doom Gaming:
>outbound  20 deny 0.0.0.0 0.0.0.0 666 tcp
>outbound  20 deny 0.0.0.0 0.0.0.0 666 udp
>
>AOL Servers:
>outbound  20 deny 205.188.0.0 255.255.0.0 0 tcp
>outbound  20 deny 64.12.0.0 255.255.0.0 0 tcp
>outbound  20 permit 64.12.0.0 255.255.0.0 80 tcp
>outbound  20 permit 205.188.0.0 255.255.0.0 80 tcp
>
>Yahoo Servers:
>outbound  20 deny 216.136.175.143 255.255.255.255 0 tcp
>outbound  20 deny 216.136.175.144 255.255.255.255 0 tcp
>outbound  20 deny 216.136.175.145 255.255.255.255 0 tcp
>outbound  20 deny 216.136.225.83 255.255.255.255 0 tcp
>outbound  20 deny 216.136.225.48 255.255.255.255 0 tcp
>outbound  20 deny 216.136.226.209 255.255.255.255 0 tcp
>outbound  20 deny 216.136.226.210 255.255.255.255 0 tcp
>outbound  20 deny 216.136.227.166 255.255.255.255 0 tcp
>outbound  20 deny 216.136.227.167 255.255.255.255 0 tcp
>outbound  20 permit 216.136.225.12 255.255.255.255 80 tcp
>outbound  20 permit 216.136.175.143 255.255.255.255 80 tcp
>outbound  20 permit 216.136.175.144 255.255.255.255 80 tcp
>outbound  20 permit 216.136.175.145 255.255.255.255 80 tcp
>outbound  20 permit 216.136.225.12 255.255.255.255 80 tcp
>outbound  20 permit 216.136.226.209 255.255.255.255 80 tcp
>outbound  20 permit 216.136.226.210 255.255.255.255 80 tcp
>outbound  20 permit 216.136.227.166 255.255.255.255 80 tcp
>outbound  20 permit 216.136.227.167 255.255.255.255 80 tcp
>
>ICQ Servers:
>outbound  20 deny 64.12.162.0 255.255.254.0 0 tcp
>outbound  20 permit 64.12.162.0 255.255.254.0 80 tcp
>
>MSN Servers:
>outbound  20 deny 64.4.13.129 255.255.255.128 0 tcp
>outbound  20 permit 64.4.13.129 255.255.255.128 80 tcp
>
>Now, when applying these to your firewall, make sure the number
>following outbound equals that of your outbound apply statement.
>Once added, these pretty much kill all chatting, some common gaming
>ports, and most of the file sharing software.  Because of port
>transforming, it's not 100% effective for file transfer software, but
>so far, it seems chatting has been completely eliminated.  I hope you
>find this a time-saver! :)
>
>UNQUOTE
>
>


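The hand translation at the top of this thread is easy to get wrong, so here is an added example (not from the original thread or any of its authors) of a small Python script that mechanically turns the quoted "outbound" statements into PIX access-list entries. It assumes the behaviour the quoted list relies on, namely that an outbound list applies its most specific entry (so "deny port 0" plus "permit port 80" for one destination allows only port 80), while an access-list is first match; it therefore emits every permit before the denies, keeps every deny ahead of the closing "permit ip any any" (a dropped deny would otherwise be admitted by that final line), and assumes, as in the quoted list, that permits are always the narrower rule. The sample input is constructed from lines of the quoted list, including its duplicated permit for 216.136.225.12.

```python
import re

PORT_NAMES = {80: "www"}  # PIX service keyword, as used in the hand translation
OUTBOUND_RE = re.compile(
    r"outbound\s+\d+\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+(tcp|udp)\s*$")

# Constructed sample: outbound statements quoted in this thread, with the
# duplicated permit for 216.136.225.12 left in on purpose.
SAMPLE = """\
outbound  20 deny 0.0.0.0 0.0.0.0 5000 tcp
outbound  20 deny 0.0.0.0 0.0.0.0 5190-5193 udp
outbound  20 deny 205.188.0.0 255.255.0.0 0 tcp
outbound  20 permit 205.188.0.0 255.255.0.0 80 tcp
outbound  20 deny 216.136.225.12 255.255.255.255 0 tcp
outbound  20 permit 216.136.225.12 255.255.255.255 80 tcp
outbound  20 permit 216.136.225.12 255.255.255.255 80 tcp
"""

def convert_outbound(lines, acl_id=101):
    """Translate PIX 'outbound' statements into 'access-list' entries.
    An outbound list applies its most specific entry, so "deny port 0" plus
    "permit port 80" for one destination allows only port 80.  An access-list
    is first match, so permits are emitted first, the denies follow, and a
    closing "permit ip any any" admits everything else (assumed behaviour)."""
    permits, denies = [], []
    for line in lines:
        m = OUTBOUND_RE.match(line.strip().lstrip("> "))  # tolerate mail quoting
        if not m:
            continue
        action, ip, mask, port, proto = m.groups()
        if ip == "0.0.0.0" and mask == "0.0.0.0":
            dest = "any"
        elif mask == "255.255.255.255":
            dest = f"host {ip}"
        else:
            dest = f"{ip} {mask}"
        if "-" in port:                  # 5190-5193 -> range 5190 5193
            lo, hi = port.split("-", 1)
            op = f" range {lo} {hi}"
        elif port == "0":                # port 0 means every port
            op = ""
        else:
            op = f" eq {PORT_NAMES.get(int(port), port)}"
        entry = f"access-list {acl_id} {action} {proto} any {dest}{op}"
        (permits if action == "permit" else denies).append(entry)
    out = list(dict.fromkeys(permits + denies))  # drop exact duplicates, keep order
    out.append(f"access-list {acl_id} permit ip any any")
    return out
```

Run it over the full quoted list and diff the result against the hand translation above to spot dropped or duplicated entries before loading anything on a real PIX.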



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 11, 2002 1:25 PM
To: [EMAIL PROTECTED]
Subject: IM Programs




Hello all.

After watching this list for a few weeks and following one thread regarding
Instant Messengers, I have this to say.  I HATE INSTANT MESSENGERS.

It is virtually impossible to block them with a firewall.

Here is my experience with each thus far.

AOL Instant Messenger - Ok, I have been able to block this one with pretty
solid results.  I had to pretty much block 1 class C's worth of addresses in
the 64 region of AOL's address range, but have not heard any complaints thus
far.  The program is pretty damn smart about getting around rules in your
firewall.  It will try and use FTP, TELNET, HTTP, FINGER, NETBIOS over IP,
APPLETALK over IP, 1080 (SOCKS), 1024, Lotus Notes (TCP 1352) and a few
others.  I pretty much locked the subnet down but AIM was somehow getting
through.  I finally figured out that my CheckPoint firewall was allowing DNS
traffic outbound in my rule base above rule 1.  I had to go to the
Properties section and disable the implicit access to DNS (TCP/UDP 53).
Once I did that, it killed AIM altogether.

Yahoo Instant Messenger - Ok, this program sucks in that they spread out
their authentication servers across multiple machines and subnets.  The
shotgun approach to locking down a full subnet backfired when people started
to complain about not being able to access Yahoo! web mail or Yahoo Finance.
I still have more work to do on this one.

MSN - Eegad.  This is probably the most difficult to block.  From my
investigation, if port 1864 is blocked (MSN's Auth port), it will use HTTP
and access one of the main MSN pages.  So, I have a choice: kill off access
to MSN outright or allow MSN to run if people manage to install it.  :(

ICQ - I have not even played with this one yet, but as I remember, it will
also auto-hack to get around firewalls.

PROPOSAL:
===========

I'd like to compile as complete a list as possible of ALL IP addresses of
the hosts that the IM clients will attempt to connect to.  It's a lot of
work on the firewall, but it's the only way I can see to stop the IM traffic
and still allow web traffic to remain as unaffected as possible.

If you want to mail me your IPs, I'll compile a list and post them on my
web site.

Thanks,

Craig Brauckmiller
