RE: PIX525\Web Sense and Chat programs [7:46013]

2002-06-10 Thread Mears, Rob

Cisco People

This is how you block Messenger access on a PIX firewall, and it works.
Some might ask why not just block all and permit the rest, and this is
the way I would like to do it one day, but to encounter the least amount
of downtime I chose to apply it in this fashion.



To block chat programs, simply use an access-list on the PIX.
Some of the common chat programs use the following ports:

**common chat ports**
tcp 6667 (IRC), 6660-6670 (the default being 6667)
tcp 6665-6669 (common IRC)
tcp 5190 (AOL)
tcp 5190, dyn >=1024 (AOL ICQ)
tcp/udp 5190-5193 (AOL)
tcp 1863 (MSN)
tcp/udp 4020 (iChat)
tcp 5000-5001 and udp 5000-5010 (Yahoo voice chat)
tcp 5050 (Yahoo messages)
tcp 5100 (Yahoo webcams)

Below is the config for the PIX:

access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny tcp any any eq 1024
access-list acl_inside deny tcp any any eq 1863
access-list acl_inside deny tcp any any eq 4020
access-list acl_inside deny tcp any any eq 5050
access-list acl_inside deny tcp any any eq 5100
access-list acl_inside deny udp any any eq 4020
access-list acl_inside deny tcp any any range 6665 6669
access-list acl_inside deny udp any any range 5190 5193
access-list acl_inside deny tcp any any range 6660 6670
access-list acl_inside deny tcp any any range 5000 5001
access-list acl_inside permit tcp any any


Hope this helps someone
Thanks
Rob





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46207&t=46013
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX525\Web Sense and Chat programs [7:46013]

2002-06-10 Thread Mears, Rob

Very well

Thanks
Rob





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46194&t=46013



Re: PIX525\Web Sense and Chat programs [7:46013]

2002-06-07 Thread JohnZ

Could you block sites by their names, such as www.yahoo.com, on the PIX and let it
resolve the names to whatever IP address Yahoo is using? I don't know if
this will work; maybe someone will correct me if I am wrong.
"Brunner Joseph" wrote in message news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46084&t=46013



RE: PIX525\Web Sense and Chat programs [7:46013]

2002-06-07 Thread Roberts, Larry

For AOL, just block access to the login servers.

Login.oscar.aol.com (it used to be this).
For Yahoo, it is much more difficult and time consuming. You will also
inadvertently block access to some portions of the Yahoo website.
I used a sniffer and my PC to see what servers YIM logged into. I would
block the one I connected to, and then restart the sniffer and the software.
It took about 8 hours, but I managed to block YIM. Of course that was after
they told me it couldn't be done :) Yahoo made a bad mistake telling me
that.
ICQ uses TCP 6667 if I remember correctly. Since I have only allowed certain
traffic through the FW, it was already blocked.

It takes time to get it figured out, but these programs CAN be blocked. If
nothing else, just deny access to all of Yahoo by inserting a bad
yahoo.com in your domain server!

Thanks

Larry 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46052&t=46013



RE: PIX525\Web Sense and Chat programs [7:46013]

2002-06-07 Thread Brunner Joseph

Forget the stupid attempts to block 5190/tcp, etc.; it's best to completely
route to null or deny traffic to the subnets involved. (Smarter users will
just specify to use 80/tcp, and still get on.)

Read this from a story about this:

As of 1:22 PM 11/21/2001
 
Login server names - set up a Deny URL access rule for these sites or
subnets, since they can have several login servers per subnet, as MSN
probably does.

AOL Instant Messenger:  oscar.login.aol.com
AOL's login servers are on these subnets/addresses: 205.188.3.0,
205.188.5.0, 205.188.7.0, 64.12.161.153 and 64.12.161.185
 
MSN Messenger:  gateway.messenger.hotmail.com  (was
login.gateway.hotmail.com)
multiple login servers, including at least one at 64.4.13.181 called
http11.msgr.hotmail.com
 
ICQ:  login.icq.com and http.proxy.icq.com  (was icq.mirabilis.com and
login.icq.com previously)
ICQ's login servers are 205.188.179.0, 205.188.162.0, 64.12.162.57 and
64.12.163.132
 
Yahoo Messenger:  msg.edit.yahoo.com/* 
(Yahoo Messenger:  Might also need to block messenger.yahoo.com/* and
http.pager.yahoo.com/*  Be sure to type in the http on that last URL).
 
 
 
AOL:
aol     5190/tcp   America-Online  instant messenger (client side
uses 5190 for outbound tcp connectivity to get to their logon server
for AIM: login.oscar.aol.com)

aol     5190/udp   America-Online  instant messenger
aol-1   5191/tcp   AmericaOnline1  tcp/ip connection option for newer versions of AOL
aol-1   5191/udp   AmericaOnline1  tcp/ip connection option for newer versions of AOL
aol-2   5192/tcp   AmericaOnline2  tcp/ip connection option for newer versions of AOL
aol-2   5192/udp   AmericaOnline2  tcp/ip connection option for newer versions of AOL
aol-3   5193/tcp   AmericaOnline3  tcp/ip connection option for newer versions of AOL
aol-3   5193/udp   AmericaOnline3  tcp/ip connection option for newer versions of AOL
 
MSN Messenger:
port 1863 tcp
 
Yahoo messenger:
ports 5001,5002,5004,5005,5010 and 5050
 
Yahoo PC to Phone:
port 6801/UDP incoming and outgoing
 
Streaming Video:
h263-video 2979/tcp   H.263 Video Streaming
h263-video 2979/udp   H.263 Video Streaming
 
Instant Messaging:
wimd  2980/tcp   Instant Messaging Service
wimd  2980/udp   Instant Messaging Service
 

PC AnyWhere:
pcanywheredata  5631/tcp   pcANYWHEREdata
pcanywheredata  5631/udp   pcANYWHEREdata
pcanywherestat  5632/tcp   pcANYWHEREstat
pcanywherestat  5632/udp   pcANYWHEREstat
 

REAL PLAYER; REAL DOWNLOAD AND REAL JUKEBOX:

RealServer sends all media in HTTP format. This creates more overhead on
your network than any of the other options.
As an aside, Real Download will pass

For connecting to G2 RealServers (RealPlayer versions 7 and 8):
ports 6970 - 7170 in your firewall for UDP.
ports 7070 - 7071 and 554 for TCP

Connecting to pre-G2 RealServers (RealPlayer versions 3, 4, 5 and 6):
ports 7070 - 7071 in your firewall for TCP
ports 6970 - 7170 in your firewall for UDP, UDP ports 6970 - 7170
(inclusive) for incoming traffic only
ports 6770 - 7170 in your firewall for UDP.
 



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46049&t=46013
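As an added example (not code from this thread or from Cisco), here is the first-match ACL logic that Rob's acl_inside config at the top of the thread relies on, and that the subnet-based blocking Joseph suggests here would extend, as a small Python evaluator: it parses Rob's posted lines plus one constructed `deny ip any 205.188.3.0 255.255.255.0` line for the AOL login subnet listed above, and reports what the PIX would do with a given outbound packet, including the implicit deny at the end of every ACL. The `aol` port-name mapping and any sample addresses are assumptions made for the example.

```python
import ipaddress
# Constructed sample: Rob's acl_inside lines plus one subnet deny of the kind Joseph suggests.
SAMPLE_ACL = """access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny tcp any any eq 1024
access-list acl_inside deny tcp any any eq 1863
access-list acl_inside deny tcp any any eq 4020
access-list acl_inside deny tcp any any eq 5050
access-list acl_inside deny tcp any any eq 5100
access-list acl_inside deny udp any any eq 4020
access-list acl_inside deny tcp any any range 6665 6669
access-list acl_inside deny udp any any range 5190 5193
access-list acl_inside deny tcp any any range 6660 6670
access-list acl_inside deny tcp any any range 5000 5001
access-list acl_inside deny ip any 205.188.3.0 255.255.255.0
access-list acl_inside permit tcp any any"""
PORT_NAMES = {"aol": 5190}  # the one PIX port literal used in the posted config (assumed mapping)

def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq P | range A B]' lines, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        rule, i = {"action": tok[2], "proto": tok[3]}, 4
        for side in ("src", "dst"):                # any | host A | NET MASK
            if tok[i] == "any":
                net, i = "0.0.0.0/0", i + 1
            elif tok[i] == "host":
                net, i = tok[i + 1], i + 2
            else:
                net, i = f"{tok[i]}/{tok[i + 1]}", i + 2
            rule[side] = ipaddress.ip_network(net, strict=False)
        lo, hi = 0, 65535                          # no port clause: every port
        if i < len(tok) and tok[i] == "eq":
            lo = hi = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
        elif i < len(tok) and tok[i] == "range":
            lo, hi = int(tok[i + 1]), int(tok[i + 2])
        rules.append({**rule, "ports": (lo, hi)})
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First match wins; ('deny', None) is the implicit deny that ends every PIX ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and r["ports"][0] <= dport <= r["ports"][1]):
            return r["action"], n
    return "deny", None
RULES = parse_acl(SAMPLE_ACL)
```

Two things the evaluator makes visible: `eq 1024` matches only port 1024, not the dynamic ports above it that the "dyn >=1024" note refers to, and because the only permit is `permit tcp any any`, every outbound UDP flow (DNS included) falls through to the implicit deny once this list is applied inbound on the inside interface.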



PIX525\Web Sense and Chat programs [7:46013]

2002-06-07 Thread Mears, Rob

Hello Cisco people

We are using Web Sense to block most of the sites that we feel necessary,
but have had problems with programs like the AOL, MSN and ICQ chat programs. So
I am going to stop this at the PIX and was wondering who out there had
blocked chat programs in the enterprise, and the methods used.
I fully understand the steps needed to block what is needed on the PIX,
but was wanting to hear horror stories or problems you might have
encountered. I would also like to know what sites (address\protocols)
you had to block to stop these programs, because some are HTTP based
(AIM, MSN, etc.).
For those of you who have applied rules to the inside interface of the
PIX, did you notice any performance issues or any other problem related
to having all outbound traffic filtered?



Thank you


Thanks
Rob Mears III,  CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
Valor Telecom.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46013&t=46013