Velocity Reviews > Newsgroups > Computing > Cisco > ACCESS LIST question

ACCESS LIST question

 
 
TonyF
07-06-2004

Can you just block a range of ports above a certain value in order to help
prevent p2p? Or can it break other stuff, like maybe windows update?


 
Walter Roberson
07-06-2004
In article, TonyF wrote:

:Can you just block a range of ports above a certain value in order to help
:prevent p2p? Or can it break other stuff, like maybe windows update?

You can safely block most high-port *destinations*.

Anything beyond about 8000 is likely fairly specialized. For example:

7001 -- windows messenger

8000, 8080, 8800, 8888 -- variant http ports (the p2p programs will
likely try these.) 8800 and 8888 are not particularly common, but
blocking 8000 and 8080 would likely end up blocking some places that
users want to see.

11371 - OpenPGP enrollment

38293 - Norton Anti-Virus "call home" (license checking)

20050 - 20054 - often used by MS Exchange for data transfer and control
(only if you are talking to a remote MS Exchange server.)


If you do block high-numbered UDP destinations, then you would
probably break Unix traceroute (windows tracert works by icmp by
default). The exact range of high-numbered ports used by Unix
traceroute depends on the implementation.
--
Warhol's Second Law of Usenet: "In the future, everyone will troll
for 15 minutes."
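An added example (not code from the thread) of what the warning above looks like in practice: a small evaluator for Cisco-style extended ACL lines, run against a blanket "deny everything above 8000" list and against a list that lets the classic Unix traceroute probe range (UDP 33434 and up) through first and pins the p2p port deny to the LAN. The ACL numbers, hosts (RFC 5737 documentation addresses) and packets are constructed; 8888 is taken from the variant-http ports listed above.

```python
"""Evaluate Cisco-style extended ACL lines against sample packets.

Added example, not code from the thread. It parses a subset of IOS
extended access-list syntax (permit/deny; ip/tcp/udp/icmp; any, host or
address+wildcard; eq/gt/lt/range port operators) with first-match
semantics and the implicit deny at the end. ACL numbers, addresses
(RFC 5737 documentation ranges) and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Callable[[int], bool]
    dst: ipaddress.IPv4Network
    dport: Callable[[int], bool]
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    """Optional port operator; anything else means 'any port'."""
    op = tokens[i] if i < len(tokens) else None
    if op in ("eq", "gt", "lt"):
        n = int(tokens[i + 1])
        test = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
        return test, i + 2
    if op == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "access-list":     # numbered form: drop "access-list <n>"
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        rules.append(Rule(action, proto, src, sport, dst, dport, line.strip()))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching line wins; no match hits the implicit deny, as on IOS."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in r.src or ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if r.sport(pkt.sport) and r.dport(pkt.dport):
            return r.action, r.text
    return "deny", "implicit deny"


# "Block everything above 8000", as first proposed in the thread.
NAIVE_ACL = """
access-list 101 deny   tcp any any gt 8000
access-list 101 deny   udp any any gt 8000
access-list 101 permit ip any any
"""

# Let traceroute's UDP probes through first, pin the p2p port deny to the LAN.
REFINED_ACL = """
! classic Unix traceroute starts at UDP 33434; 33434-33534 covers 30 hops x 3 probes
access-list 102 permit udp any any range 33434 33534
access-list 102 deny   tcp 192.0.2.0 0.0.0.255 any eq 8888
access-list 102 deny   udp any any gt 8000
access-list 102 permit ip any any
"""

SAMPLE_PACKETS: Dict[str, Packet] = {
    "windows update https": Packet("tcp", "192.0.2.10", "198.51.100.1", 51000, 443),
    "p2p client on 8888": Packet("tcp", "192.0.2.10", "203.0.113.7", 51001, 8888),
    "unix traceroute probe": Packet("udp", "192.0.2.10", "203.0.113.9", 40000, 33434),
}


def decisions(acl_text: str) -> Dict[str, str]:
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("naive", NAIVE_ACL), ("refined", REFINED_ACL)):
        print(label, decisions(acl))
```

Running it shows the naive list denying the traceroute probe along with the p2p port, while the refined list permits the probe and still denies 8888 from the LAN; Windows Update on 443 passes either way, since neither list touches destination ports below 8000. Order matters: the range permit has to come before the "gt 8000" deny, because IOS stops at the first match.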
 
TonyF
07-07-2004

"Walter Roberson" wrote in message:

> If you do block high-numbered UDP destinations, then you would
> probably break Unix traceroute (windows tracert works by icmp by
> default). The exact range of high-numbered ports used by Unix
> traceroute depends on the implimentation.


Thanks very much for this priceless advice. Therefore I don't think I will
range block ports across the whole network at least as it might break too
much.

At the moment I am just trying blocking specific ports, sometimes even on
specific hosts so that's fine.

I have looked on it another way, and blocked at the website level even
accessing certain pages to download these clients, although there are always
ways around I want to make it more difficult than just going to the main
pages.

Hence I have blocked www.kazaalite.com etc, by determining their IP and then
adding it to a group setup for deny outgoing.

However this doesn't work for www.morpheus.com, and www.kazaa.com but has
worked for most of them.

Any ideas why this is and how I can find out the specific IP I need to block
if it isn't the one returned by the ping command?



 
Walter Roberson
07-07-2004
In article, TonyF wrote:
:Hence I have blocked www.kazaalite.com etc, by determining their IP and then
:adding it to a group setup for deny outgoing.

:However this doesn't work for www.morpheus.com, and www.kazaa.com but has
:worked for most of them.

:Any ideas why this is and how I can find out the specific IP I need to block
:if it isn't the one returned by the ping command?

I don't at the moment see why it wouldn't work for morpheus.

www.kazaa.com is a cname for www.kazaa.com.edgesuite.net
which in turn is a cname for [at least at the moment for me]
a342.g.akamai.net . akamai.net is a very large content distribution
provider that keeps mirrors of sites all over North America [and
probably parts of Europe] and figures out which one is "closest" to
you at the time and serves the information from there. It could be
any of literally hundreds of systems, and those same systems
serve content that you probably want, so you probably don't want
to block all of akamai's sites just to block kazaa.
--
Most Windows users will run any old attachment you send them, so if
you want to implicate someone you can just send them a Trojan
-- Adam Langley
 
TonyF
07-07-2004
"Walter Roberson" wrote in message:
> :Any ideas why this is and how I can find out the specific IP I need to
> :block if it isn't the one returned by the ping command?
>
> I don't at the moment see why it wouldn't work for morpheus.
>
> www.kazaa.com is a cname for www.kazaa.com.edgesuite.net
> which in turn is a cname for [at least at the moment for me]
> a342.g.akamai.net . akamai.net is a very large content distribution
> provider that keeps mirrors of sites all over North America [and
> probably parts of Europe] and figures out which one is "closest" to
> you at the time and serves the information from there. It could be
> any of literally hundreds of systems, and those same systems
> serve content that you probably want, so you probably don't want
> to block all of akamai's sites just to block kazaa.


Hmm ok.
I had actually changed it so as to block at the 213.253.135.0 level on
255.255.255.0 instead of the exact IP on 255.255.255.255 which was the only
way I could find to stop it. And it did.
Are you saying that anything USEFUL and BUSINESS related comes out of that
area and its the same as Morpheus?
IF so I might need to look up the list of sites, because I might need to
unblock that domain.
Or I could just wait until someone complains and then review my
access-list/site groups.

Tony


 
Walter Roberson
07-08-2004
In article, TonyF wrote:

:"Walter Roberson" wrote in message
:> I don't at the moment see why it wouldn't work for morpheus.

:> www.kazaa.com is a cname for www.kazaa.com.edgesuite.net
:> which in turn is a cname for [at least at the moment for me]
:> a342.g.akamai.net . akamai.net is a very large content distribution


:I had actually changed it so as to block at the 213.253.135.0 level on
:255.255.255.0 instead of the exact IP on 255.255.255.255 which was the only
:way I could find to stop it. And it did.

I'm not sure there whether you are referring to morpheus or kazaa.
When I chase through the various levels, www.morpheus.com for me
resolves to an IP in the 38.119 range, which is in the USA and
no-where near 213.253. But it could certainly be the case that
the nameservers at dnsmanaged are taking into account where I am
placing the query from, and are giving me a different answer than
they would give you.


:Are you saying that anything USEFUL and BUSINESS related comes out of that
:area and its the same as Morpheus?

I do not have any information about that. The akamai reference was
with respect to kazaa. Quite a bit of very useful business related
content is delivered by akamai -- some of the best known computer
companies in the world deliver content via akamai. I believe that I've
even seen some of the Windows Update patches served by akamai
servers. Blocking akamai just to block kazaa would be a drastic
measure.
--
Entropy is the logarithm of probability -- Boltzmann
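An added example (not code from the thread) of what the CNAME chain discussed in the two posts above means for an address-based deny: follow the chain the way a resolver does, deny exactly what one ping-style lookup returned, then check whether a client that gets a different answer from the CDN's nameservers still reaches the site, and what else a /24 deny takes with it. The zone data is constructed: RFC 5737 documentation addresses, a made-up www.shop.example. standing in for a business site on the same CDN, and a "view" key standing in for the resolver location the nameservers may key their answers on.

```python
"""Follow a CNAME chain and measure what an IP or /24 deny really hits.

Added example, not code from the thread. The zone below is constructed
(RFC 5737 documentation addresses, made-up edge names in the style of
the chain quoted above); 'view' stands in for the resolver location a
CDN's authoritative servers may key their answers on.
"""
import ipaddress
from typing import List, Set, Tuple

# name -> ("CNAME", target) or ("A", {view: [addresses]})
ZONE = {
    "www.kazaa.com.": ("CNAME", "www.kazaa.com.edgesuite.net."),
    "www.kazaa.com.edgesuite.net.": ("CNAME", "a342.g.akamai.net."),
    "a342.g.akamai.net.": ("A", {"uk": ["203.0.113.10", "203.0.113.11"],
                                 "ca": ["198.51.100.10"]}),
    # hypothetical business site served from the same CDN edge ranges
    "www.shop.example.": ("CNAME", "a77.g.akamai.net."),
    "a77.g.akamai.net.": ("A", {"uk": ["203.0.113.40"], "ca": ["198.51.100.40"]}),
    # hypothetical site on its own address, same answer everywhere
    "www.standalone.example.": ("A", {"uk": ["192.0.2.5"], "ca": ["192.0.2.5"]}),
}
USER_SITES = ["www.kazaa.com.", "www.shop.example.", "www.standalone.example."]
VIEWS = ["uk", "ca"]

Blocks = Set[ipaddress.IPv4Network]


def resolve(name: str, view: str, zone=ZONE, max_depth: int = 8) -> Tuple[List[str], List[str]]:
    """Chase CNAMEs like a resolver; return (chain, addresses). Loops raise."""
    chain, seen = [], set()
    while True:
        if name in seen or len(chain) >= max_depth:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        chain.append(name)
        rtype, data = zone.get(name, ("NXDOMAIN", None))
        if rtype == "CNAME":
            name = data
        elif rtype == "A":
            return chain, list(data[view])
        else:
            return chain, []


def block_set_from_ping(name: str, view: str, zone=ZONE) -> Blocks:
    """What 'ping it and deny that address' encodes: one lookup, /32 entries."""
    _, ips = resolve(name, view, zone)
    return {ipaddress.ip_network(ip + "/32") for ip in ips}


def cidr_block(cidr: str) -> Blocks:
    """A whole-prefix deny, e.g. a 0.0.0.255 wildcard on a /24."""
    return {ipaddress.ip_network(cidr, strict=False)}


def is_blocked(name: str, view: str, blocks: Blocks, zone=ZONE) -> bool:
    """Blocked only if every address this view's client could get is denied."""
    _, ips = resolve(name, view, zone)
    return bool(ips) and all(
        any(ipaddress.ip_address(ip) in b for b in blocks) for ip in ips)


def collateral(blocks: Blocks, target: str, zone=ZONE) -> List[Tuple[str, str]]:
    """Other user-facing names (per view) that the same deny also catches."""
    hit = set()
    for site in USER_SITES:
        if site == target:
            continue
        for view in VIEWS:
            _, ips = resolve(site, view, zone)
            if any(ipaddress.ip_address(ip) in b for ip in ips for b in blocks):
                hit.add((site, view))
    return sorted(hit)


if __name__ == "__main__":
    chain, ips = resolve("www.kazaa.com.", "uk")
    print(" -> ".join(chain), ips)
    exact = block_set_from_ping("www.kazaa.com.", "uk")
    for view in VIEWS:
        print("exact /32 deny blocks kazaa for", view, is_blocked("www.kazaa.com.", view, exact))
    wide = cidr_block("203.0.113.0/24")
    print("/24 deny collateral:", collateral(wide, "www.kazaa.com."))
```

The /32 set built from one lookup blocks the site for the view it was looked up from and nobody else, which is the "different answer than they would give you" effect; widening to the /24 makes the block stick but also catches the unrelated site on the same edge range, which is the collateral the posts warn about. Running collateral() against the actual deny set before committing it is the check to do instead of waiting for complaints.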
 
TonyF
07-13-2004
"Walter Roberson" wrote in message:
> I do not have any information about that. The akamai reference was
> with respect to kazaa. Quite a bit of very useful business related
> content is delivered by akamai -- some of the best known computer
> companies in the world deliver content via akamai. I believe that I've
> even seen some of the Windows Update patches served by akamai
> servers. Blocking akamai just to block kazaa would be a drastic
> measure.


See your point. It works very cleverly, doesn't it. eBay also seems to use it,
albeit for static stuff like logos. That rules out the blocking specifically
of those IPs, unfortunately. Not so good for those with firewalls.


 